Pix Firewall configuration

Hi,

I am trying to configure a Cisco PIX 500 firewall to work on a LAN. I configured it the best way I could according to information I have found. I have 2 public IP addresses available which are xx.xx.xx.162 & xx.xx.xx.163 and I would like to use PAT since there is only 1 Public IP available.
xx.xx.xx.161 is the gateway and it is a DSL router with a built-in firewall...I disabled the firewall so that it will not interfere. My LAN is on a 192.168.0.0/24 network behind the PIX.

nameif ethernet0 outside security0
nameif ethernet1 inside security100

ip address outside xx.xx.xx.162 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 xx.xx.xx.163
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.161 1

I cannot understand why the LAN cannot access the internet. Is there something more I have to configure as far as the NAT/PAT goes? Access list perhaps? Not sure. Thank you in advance.
ruberu Asked:

LionBSD Commented:
How is the DSL router connected to the pix?
The DSL router needs to know how to get to x.x.x.162. What kind of a router is it? Is it capable of having more than 1 external IP?
Can the pix ping x.x.x.161?

You need to first check if the pix can "talk" with the DSL router.
ravenpl Commented:
I don't think, that You can use
> global (outside) 1 xx.xx.xx.163
I think, You should
global (outside) 1 xx.xx.xx.162

That's because (I assume that the DSL modem is configured OK - try pinging the world from the pix itself) packets addressed to xx.xx.xx.163 are not sent to Your Pix.
In the global() statement You can use either the IP of the outside interface or an IP which is routed to Your pix. xx.xx.xx.163 is on the same subnet as xx.xx.xx.162, and I'm sure it's not routed to Your pix.
nodisco Commented:
Hi ruberu

Your PAT configuration is fine and no, you don't need to configure an access-list for traffic going out - it's allowed by default on the PIX.  As per LionBSD - verify your connection from the PIX to the router -
#
ping outside x.x.x.161
#


Are the internal LAN workstations' default gateway IP addresses set to 192.168.0.1 (inside IP of the PIX)?
Can the PCs ping this address?
A possible problem would be double NATting - where the DSL router is also NATting the traffic out - the PIX is performing address translation already, so make sure the DSL router isn't trying to do it too.

Hope this helps.

ruberu (Author) Commented:
Thanks for your responses,

The PIX can ping the DSL router on xx.xx.xx.161. The LAN is able to ping the inside interface (192.168.0.1) of the PIX and the gateway IP address of the LAN PCs is set to 192.168.0.1. I have turned off NATting on the DSL router as it has this capability. The DSL router is also capable of having more than one IP address as you can specify a pool of IP addresses. The IPs that I am using, xx.xx.xx.161-163, are not part of that pool. I can ping the gateway xx.xx.xx.161 and any of the LAN PCs from the PIX. I cannot think of anything else wrong with the PIX config. I have a feeling that it might be a problem with the routing table in the DSL router. It has an entry to route any xx.xx.xx.160 traffic to xx.xx.xx.161 which is the gateway. I am just wondering if there has to be another route statement specific to the PIX configured in the routing table. The router I am using is a Zoom Telephonics X5v.
ravenpl Commented:
Well, haven't You read my previous answer? If x.x.x.163 is not bound to any device, then the DSL router does not know where to send packets with destination x.x.x.163.
Think of it this way: the DSL router on its Ethernet side sends an ARP packet with who-has x.x.x.163 - nobody replies - so no forwarding is done.
Maybe I'm wrong, but why don't You give it a shot with
global (outside) 1 xx.xx.xx.162
instead of 163?
ruberu (Author) Commented:
ravenpl,

I tried what you said, to use the interface IP xx.xx.xx.162 on the global, and I got this error message.

pix(config)# global (outside) 1 xx.xx.xx.162
Start and end addresses overlap with outside interface address

I also tried

pix(config)# global (outside) 1 interface
Invalid IP address
usage: global [(if)] <global_id> <ip[-ip]> [netmask <global_mask>]

I don't know what else could be wrong. Thanks
ravenpl Commented:
That's strange. According to documentation:
> To specify PAT using the IP address of an interface, specify the interface keyword in the global [(int_name)] nat_id address | interface command.
> The following example enables PAT using the IP address at the outside interface in global configuration mode:
> ip address outside 192.150.49.1
> nat (inside) 1 0 0
> global (outside) 1 interface

Maybe try first removing all global entries, do clear xlate, put in the above global statement, and clear xlate again. (Note that clear xlate will reset all connections.)
lrmoore Commented:
Make sure you don't have this in your config. If it is there, remove it. If it's not there, then we look at something else.

 sysopt noproxyarp outside

You realize that you can't use Ping from an internal host as a test? ICMP echo replies are not allowed by a default pix config. You must first allow them with an access-list:

 access-list icmp permit icmp any any echo-reply
 access-list icmp permit icmp any any unreachable
 access-group icmp in interface outside


ruberu (Author) Commented:
I got the ping to my gateway and the world to work, and I am also able to get to websites by pasting the IP address of the website in the URL field of the browser, e.g. 64.233.161.147 (google.com). I am not able to use the domain names so it must be some DNS issue now. I think the version of IOS on the PIX is old, so commands such as access-lists will not work; I think conduit is a substitute...not too sure. I do not have access to a new image unfortunately. Here is the config.

PIX Version 4.4(4)
hostname PIX
fixup protocol ftp 21
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
fixup protocol http 80
names
pager lines 24
no logging timestamp
no logging console
no logging monitor
logging buffered debugging
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.162 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
global (outside) 1 x.x.x.163
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit ip any any
conduit permit tcp any any
conduit permit icmp any any
conduit permit udp any any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 x.x.x.161 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute          
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet 192.168.0.0 255.255.255.0
telnet timeout 10
terminal width 80

I thank you guys for all your help so far....
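As an added example (not code from this thread), here is a small Python audit that parses the kind of PIX 4.4 config posted above and reports why a `global` address may or may not be reachable from the upstream router (equal to the interface address, on the outside subnet and therefore dependent on PIX proxy ARP, or off-subnet and needing a route), plus the overly broad `conduit permit ip any any` in the posted config. The sample config is constructed; the masked x.x.x. prefix is replaced with the documentation range 198.51.100.0/24.

```python
import ipaddress

# Constructed sample modelled on the PIX 4.4 config posted in this thread
# (x.x.x. replaced with the 198.51.100.0/24 documentation range).
SAMPLE_CONFIG = """\
ip address outside 198.51.100.162 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 198.51.100.163
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit ip any any
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 198.51.100.161 1
"""

def parse(config):
    # Collect only the statements the audit needs.
    cfg = {"ip": {}, "global": [], "conduit": [], "sysopt": []}
    for line in config.splitlines():
        p = line.split()
        if p[:2] == ["ip", "address"] and len(p) == 5:    # ip address <if> <ip> <mask>
            cfg["ip"][p[2]] = ipaddress.ip_interface(f"{p[3]}/{p[4]}")
        elif p[:1] == ["global"] and len(p) >= 4:          # global (<if>) <id> <ip|interface>
            cfg["global"].append((p[1].strip("()"), p[3]))
        elif p[:1] == ["conduit"]:
            cfg["conduit"].append(p[1:])
        elif p[:1] == ["sysopt"]:
            cfg["sysopt"].append(" ".join(p[1:]))
    return cfg

def audit(config):
    # Return findings on global-address reachability and weak conduit settings.
    cfg, findings = parse(config), []
    for ifname, addr in cfg["global"]:
        iface = cfg["ip"].get(ifname)
        if iface is None or addr == "interface":
            continue
        g = ipaddress.ip_address(addr)
        if g == iface.ip:
            findings.append(f"global {addr} equals the {ifname} interface address (this PIX rejects it as overlapping)")
        elif g in iface.network:
            findings.append(f"global {addr} is on the {ifname} subnet: the PIX must answer ARP for it (proxy ARP)")
            if f"noproxyarp {ifname}" in cfg["sysopt"]:
                findings.append(f"sysopt noproxyarp {ifname} disables proxy ARP, so {addr} is unreachable")
        else:
            findings.append(f"global {addr} is off the {ifname} subnet: the upstream router must route it to the PIX")
    for c in cfg["conduit"]:
        if c[:4] == ["permit", "ip", "any", "any"]:
            findings.append("conduit permit ip any any admits all inbound traffic to translated addresses")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see the two findings for the posted layout; append `sysopt noproxyarp outside` to the sample to see why lrmoore asked about that line.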
ravenpl Commented:
Ouch. PIX 4.4, yes, this version can't do NAT to the outbound interface IP (according to docs).

Maybe someone would find an easier solution, but what I would suggest is:
make a block of four IPs for the link between the DSL and Your PIX (it can be a private block of 10.1.1.1/30, it will work, hence I wouldn't recommend it)
then on Your DSL router forward some IPs (route) to the PIX, and use those IPs in the global statement.

Alternatively, with the current configuration try to do a static route for the x.x.x.163 IP via your PIX (it's possible on linux, though I don't know if Your DSL can do it).

It's just about it, that the IP from global either must be bound to a PIX interface, or routed from the DSL via Your PIX (so packets would arrive at the PIX).

ruberu (Author) Commented:
It seems to me that the packets are making their way back into the PIX interface because as I mentioned earlier, I can view web pages in the browser by putting in the ip address of a web site. I am just wondering how to get the DNS issue resolved so that DNS requests can get out of the firewall. There is a port protocol problem here.
ruberu (Author) Commented:
I resolved the issue and everything is working fine. I had to make sure the DNS server settings on the LAN PCs were set to the gateway and not the inside interface of the PIX 192.168.0.1. Silly me...Thank you all so much for your help...really appreciate it :)