
Solved

Pix 506e

Posted on 2006-05-12
Last Modified: 2013-11-16
I have a Pix506e set up; however, I am unable to access the internet from my inside computer.

I can connect to a VPN that was created to use FTP, but I am unable to access the internet.

Can someone help? The only change that was made is that we changed from using a hub to a switch.

Funny thing is, after the switch was implemented it worked fine for a whole day. The company's internet went down yesterday, and after that it has not worked.

I am unable to ping the public DNS 4.2.2.1.
Question by:learn2earn
LVL 3

Expert Comment

by:rickyclourenco
ID: 16669605

Are you not able to access the internet when you VPN into your company?

Or

Is the internet down for the whole company?

When you say you can connect to VPN, what VPN are you talking about?
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16669856
Was the pix restarted after the internet went down?
In other words, was the config not saved and reset to something you don't want? Double check the config to make sure it looks right. Also, can you post your config (sanitized, of course) so that we can see if there is a problem or not?
 
LVL 2

Author Comment

by:learn2earn
ID: 16670167
We have a VPN connection established with another company.
We FTP files to them. However, the Pix was restarted after the internet went down.
The configuration was saved.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 0AzZm encrypted
passwd 0A/2Rm encrypted
hostname vpn-pix506e
domain-name test.com
fixup protocol dns maximum-length 1500
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

name 2xx.xx.xx.0 PCNAME1
name 2xx.xx.xx.xx PCNAME2
name 2xx.xx.xx.xx PIX515E
object-group service NETBIOS tcp
  port-object eq 445
  port-object range 135 netbios-ssn
access-list outside_access_in permit icmp any host 2xx.xx.xx.xx echo-reply
access-list outside_access_in permit icmp host PIX515E host 2xx.xx.xx.xx
access-list outside_access_in permit tcp host PIX515E host 2xx.xx.xx.xx eq ftp
access-list outside_access_in permit tcp host PIX515E host 2xx.xx.xx.xx eq 3389

access-list outside_access_in permit tcp host PIX515E host 2xx.xx.xx.xx object-group NETBIOS
access-list outside_cryptomap_10 permit ip host 2xx.xx.xx.xx host 1xx.1xx.xx.xx1
access-list outside_cryptomap_10 permit ip host 2xx.xx.xx.xx host 1xx.1xx.xx.xx4
pager lines 24
logging on
logging monitor errors
logging buffered informational
icmp permit host PIX515E outside
icmp permit PCNAME1 255.255.255.0 outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 2xx.xx.xx.xx 255.255.255.0

ip address inside 192.168.168.1 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.0 255.255.0.0 outside
pdm location 192.168.168.2 255.255.255.255 inside
pdm location 172.16.0.0 255.255.0.0 outside
pdm location PCNAME1 255.255.255.0 outside
pdm location 6x.xx.xxx.xxx 255.255.255.255 outside
pdm location 1x.xx.xx.xx 255.255.255.255 outside
pdm location 1x.xx.xx.xx 255.255.255.255 outside
pdm location DCFCU 255.255.255.224 outside
pdm location PIX515E 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
static (inside,outside) 2xx.xx.xx.xx 192.168.168.2 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2xx.xx.xx.xx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute

Hope this helps.
 
LVL 3

Expert Comment

by:rickyclourenco
ID: 16670251
Well, you know for SURE that if your VPN connection is working with the other company, then the internet IS working; otherwise, the VPN connection would be down.

Maybe I'm wrong, but I don't see any access-lists for traffic going OUTBOUND.

Try putting in something like

access-list permit INSIDE_ACCESS_OUT ip 192.168.x.x 255.255.255.0 any
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16670294
I'm not seeing a nat statement to correspond to the global (outside) 1 interface.
Add:
nat (inside) 1 0 0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16670310
You don't need any going inside out.
By default there is an implicit ACL stating that all traffic from a higher-security interface to a lower-security one is allowed.
So unless you actually want to deny traffic from inside to out, don't apply an ACL to the inside interface.
 
LVL 3

Expert Comment

by:rickyclourenco
ID: 16670312
I don't recommend keeping that line, but it will let you test whether it's an access-list issue, essentially allowing all traffic outbound to all locations. If that works, then you can start refining the access-lists to the protocols you want to allow outbound.
 
LVL 2

Author Comment

by:learn2earn
ID: 16670365
I got this error message when trying to add

"access-list permit INSIDE_ACCESS_OUT ip 192.168.x.x 255.255.255.0 any"

ERROR:<inside_access_out> not a valid permission
Usage:  [no] access-list compiled

The internet is up and working, but the pix506 cannot resolve any IP addresses.

I use this DNS 216.99.233.253 on the Host computer.
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16670392
learn2earn, you already have no ACL applied to the inside interface, so all outbound traffic is already accepted. However, if you insist on putting it in, do this:
access-list inside-access-out permit ip 192.168.x.x 255.255.255.0 any
access-group inside-access-out in interface inside
 
LVL 1

Expert Comment

by:redgun
ID: 16674410
Just put in the nat line as cyclops3590 suggests.
 
LVL 2

Author Comment

by:learn2earn
ID: 16699606
There was an access list defined on the inside interface. It was blocking essential traffic. And second, there was a static address translation statement on the Pix515 firewall that conflicted with the host address of the machine behind the 506e firewall. We removed that entry and waited for the ARP cache to clear on the Internet router. Looks like that did the trick.
 
LVL 3

Expert Comment

by:rickyclourenco
ID: 16699632
Who gets the points?
 
LVL 25

Accepted Solution

by: Cyclops3590 (earned 360 total points)
ID: 16699949
Where was the access-group line for the inside interface in the config you posted, then?
Also, where did this 515 come in?
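An added check, not from the thread or from Cisco, that reads a PIX 6.x style configuration and flags the two faults the thread turned on: a global pool id with no matching nat statement (Cyclops3590's first point) and an ACL bound to the inside interface, which replaces the implicit high-to-low permit the accepted answer asks about. The sample config and its addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the PIX 6.3(5) config posted in the thread;
# addresses are RFC 5737 placeholders, not the poster's values.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_access_in permit tcp host 203.0.113.5 host 203.0.113.20 eq ftp
access-list inside_access_out permit tcp 192.168.168.0 255.255.255.248 any eq www
access-list inside_access_out deny ip any any
global (outside) 1 interface
static (inside,outside) 203.0.113.20 192.168.168.2 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_out in interface inside
"""

def audit_pix_config(text):
    """Return a list of finding strings for a PIX 6.x config: a global pool
    without a nat statement for the same id, an access-group that names an
    undefined ACL, and any ACL bound to the inside interface."""
    acls = defaultdict(list)      # acl name -> list of ACEs (text after the name)
    bound = {}                    # interface -> acl name from access-group
    globals_ = defaultdict(set)   # nat id -> interfaces carrying a global pool
    nat_ids = set()               # nat ids that have a nat statement
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) (.+)", line):
            acls[m.group(1)].append(m.group(2))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            bound[m.group(2)] = m.group(1)
        elif m := re.match(r"global \((\S+)\) (\d+)\b", line):
            globals_[m.group(2)].add(m.group(1))
        elif m := re.match(r"nat \(\S+\) (\d+)\b", line):
            nat_ids.add(m.group(1))
    findings = []
    for nat_id in sorted(globals_):
        if nat_id not in nat_ids:   # pool defined, nothing tells the PIX who uses it
            findings.append(f"global id {nat_id} has no matching nat statement; "
                            f"inside hosts cannot be translated to {sorted(globals_[nat_id])}")
    for iface, name in sorted(bound.items()):
        if name not in acls:
            findings.append(f"access-group on {iface} references undefined ACL {name}")
        elif iface == "inside":     # binding an ACL here removes the implicit permit
            denies = [a for a in acls[name] if a.startswith("deny")]
            findings.append(f"ACL {name} is bound to inside; implicit outbound permit is gone, "
                            f"{len(denies)} explicit deny entries present")
    return findings
```

Appending `nat (inside) 1 0 0` to the sample clears the first finding, which is the fix the thread converged on.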
 
LVL 2

Author Comment

by:learn2earn
ID: 16705384
We have an unmanaged switch that the Pix506e is sharing with the Pix515.

An outside vendor manages the 515, and I am sure they may have added a line.

Come to think of it, they were in our office a day before to implement a Cisco IPS.