arron9112003 (United States of America) asked:

Clients behind pix 501 cannot access internet

Hi,

I have a very simple setup for my network as follow:

Internet <-- adsl <-- pix 501 <-- client. Where:

pix 501:
eth0 (outside) 68.x.x.130
eth1 (inside) 192.168.2.1

client:
eth0: 192.168.2.10

DNS 206.13.28.12
       206.13.29.12
GW  68.x.x.134

I can ping the GW from the pix console, but cannot ping the DNS servers. The client cannot ping either the GW or the DNS servers, but it can ping eth0 of the pix 501.

My pix configuration:

show config

: Saved

: Written by admin at 13:31:43.717 UTC Thu Apr 20 2006

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxx encrypted
passwd xxxxxx encrypted
hostname pix501
domain-name somedomain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 68.x.x.132 RDP
name 68.x.x.131 SSH
access-list 101 permit ip 192.168.2.0 255.255.255.0 host SSH
access-list 101 permit ip 192.168.2.0 255.255.255.0 host RDP
access-list acl_out permit ip any any
access-list acl_in permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 68.x.x.130 255.255.255.248
ip address inside 192.168.2.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm drop
ip audit attack action alarm drop
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list 101
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 68.x.x.130 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle esp-3des esp-sha-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set pfs group2
crypto map transam 1 set peer 193.254.134.214
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 28800
telnet timeout 5
ssh timeout 5
management-access outside
console timeout 0
dhcpd address 192.168.2.100-192.168.2.131 inside
dhcpd dns 206.13.28.12 206.13.29.12
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain somedomain.com
dhcpd enable inside
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure            
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
Cryptochecksum:cd1c8d116b27468596c77ed96b2ab617

Clients attached to eth0 of the pix 501 cannot access the internet or ping to the internet. Any help will be appreciated.

Regards,
stressedout2004

First, you need to allow icmp to go through the PIX using an access-list and applying it on the outside interface of the PIX.

e.g.

access-list acl_out permit icmp any any
access-group acl_out in interface outside

From the PIX itself, can you ping 4.2.2.2 ? 4.2.2.2 is an IP on the internet. So if you can ping that, then that means the PIX itself can go to the internet.

Also, after you have added an access rule on the outside interface, try pinging 4.2.2.2 from the PC behind the PIX as well. If this works, then try browsing by IP to see if it is a DNS issue. Try http://198.133.219.25/ which is Cisco's home page.
arron9112003 (asker)

Hi,

I did add the icmp access list as you suggested, but still cannot ping 4.2.2.2 either from the pix or from the internal host. The internal host also cannot access the homepage http://198.133.219.25
ASKER CERTIFIED SOLUTION
stressedout2004

[accepted answer not shown on this page; its text is available to Experts Exchange members only]
Les Moore
Agree with stressedout2004 about the default route. You're pointing to your own IP address and you should be pointing to the ISP next-hop.


>access-group acl_in in interface inside
Remove this acl from the inside interface. It is not necessary unless you want to restrict traffic. ALL traffic is allowed out by default; no acl is necessary.

arron9112003 (asker)

Thanks stressedout2004, I had the route pointing to myself instead of the ISP gateway. It works now after I changed it to the ISP gateway. Thanks for your help.
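Added example, not code from the thread or from Cisco: a small Python checker for the two things the answers point at, the default route whose next hop is the firewall's own outside address (Les Moore's point, and the fix the asker confirmed), and catch-all ACL entries bound to an interface (the `acl_in permit ip any any` Les Moore says to remove, and the `permit ip any any` / `permit icmp any any` that stressedout2004's suggested `access-group acl_out in interface outside` would bind inbound on the outside). The sample config is constructed, modelled on the posted one with the ISP /29 replaced by RFC 5737 documentation space (PIX outside .130, ISP gateway .134); the finding messages and the function names are this example's own.

```python
"""Lint a PIX 6.x style configuration for a default route that points at the
firewall itself (or off the outbound interface's subnet) and for interface
ACLs that permit everything.  Added example, not code from the thread."""
import ipaddress
import re
from typing import List

# Constructed sample modelled on the posted config.  The ISP /29 is replaced
# by documentation space 198.51.100.128/29: PIX outside .130, ISP gateway .134.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list acl_out permit ip any any
access-list acl_in permit ip any any
ip address outside 198.51.100.130 255.255.255.248
ip address inside 192.168.2.1 255.255.255.0
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 198.51.100.130 1
"""

NAMEIF_RE = re.compile(r"^nameif \S+ (\S+) security(\d+)$")
IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: \d+)?$")   # metric optional
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")


def parse_config(text: str) -> dict:
    """Pull out the interface, route and ACL facts the checks need."""
    cfg = {"security": {}, "ifaces": {}, "routes": [], "acls": {}, "groups": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAMEIF_RE.match(line):
            cfg["security"][m.group(1)] = int(m.group(2))
        elif m := IP_ADDR_RE.match(line):
            # dotted netmask is accepted by ipaddress, e.g. x.x.x.130/255.255.255.248
            cfg["ifaces"][m.group(1)] = ipaddress.IPv4Interface(f"{m.group(2)}/{m.group(3)}")
        elif m := ROUTE_RE.match(line):
            iface, dest, mask, nh = m.groups()
            dest_net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            cfg["routes"].append((iface, dest_net, ipaddress.IPv4Address(nh)))
        elif m := ACL_RE.match(line):
            cfg["acls"].setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4)))
        elif m := GROUP_RE.match(line):
            cfg["groups"].append((m.group(1), m.group(2), m.group(3)))
    return cfg


def check_routes(cfg: dict) -> List[str]:
    """Flag next hops that are the firewall itself or not on the interface subnet."""
    findings = []
    own = {i.ip for i in cfg["ifaces"].values()}
    for iface, dest, nh in cfg["routes"]:
        label = "default route" if dest.prefixlen == 0 else f"route to {dest}"
        if nh in own:
            findings.append(f"{label}: next hop {nh} is the firewall's own {iface} address; "
                            "use the ISP gateway instead")
        elif iface in cfg["ifaces"] and nh not in cfg["ifaces"][iface].network:
            findings.append(f"{label}: next hop {nh} is not on the {iface} subnet "
                            f"{cfg['ifaces'][iface].network}")
    return findings


def check_acls(cfg: dict) -> List[str]:
    """Flag bound ACL entries that permit everything from anywhere to anywhere."""
    findings = []
    for acl, _direction, iface in cfg["groups"]:
        level = cfg["security"].get(iface, 100)          # unknown interface: treat as inside
        for action, proto, rest in cfg["acls"].get(acl, []):
            if action != "permit" or not rest.startswith("any any"):
                continue
            if proto == "ip" and level == 0:
                findings.append(f"{acl} on {iface}: 'permit ip any any' admits all inbound traffic "
                                "that has a static or existing xlate")
            elif proto == "ip":
                findings.append(f"{acl} on {iface}: 'permit ip any any' is redundant, "
                                "traffic from a higher to a lower security level is allowed by default")
            elif proto == "icmp" and rest == "any any" and level == 0:
                findings.append(f"{acl} on {iface}: 'permit icmp any any' admits every ICMP type; "
                                "restrict to echo-reply, unreachable and time-exceeded")
    return findings


def lint(text: str) -> List[str]:
    """Run every check over a config text and return the findings in order."""
    cfg = parse_config(text)
    return check_routes(cfg) + check_acls(cfg)


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("WARNING:", finding)
```

Run against the constructed sample it reports the self-pointing default route and the redundant inside ACL; appending the outside `access-group` from the first answer to the sample adds findings for both the existing `permit ip any any` and the new `permit icmp any any` in `acl_out`, which is the caveat to keep in mind before binding an ACL inbound on the outside interface.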