Solved

PIX 506E cannot access internet but PPPoE is connected.

Posted on 2006-11-13 | 451 Views | Last Modified: 2010-04-10
Hi guys, I've another one for you ;P
It looks like now I can't access the internet.
I can ping Google from the outside interface, and I received the IP address of my PPPoE modem successfully.
But I can ping 192.168.1.1 from an inside host, but I cannot access the internet, and my inside interface cannot either.
I really need the inside interface to be working quickly!
The problem seems to be the NAT or the routing, but I can't figure it out. Maybe something is missing!

Can you help me on that one?

----------------------------------------------------



interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan3 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 dmz security50
enable password tvY0zpL7KMQfzjvE encrypted
passwd rZRDoLb0qZMxi2gB encrypted
hostname merciermur
domain-name blehr.qc.ca
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 216.226.59.2 Sirsiservice
name 150.147.1.0 SirsiCorpservice
name 192.168.1.251 Web2
name 192.168.1.250 Unicorn
object-group network Sirsi
  network-object SirsiCorpservice 255.255.255.0
  network-object Sirsiservice 255.255.255.255
object-group network serveurinternes
  network-object Unicorn 255.255.255.255
  network-object Web2 255.255.255.255
object-group service TCP_servicesinternes tcp
  port-object eq www
  port-object range 5100 5101
  port-object eq 210
  port-object eq 2200
  port-object eq 3389
access-list outside_access_in permit tcp object-group Sirsi any
access-list outside_access_in permit tcp any eq 3389 interface outside eq 3389
access-list outside_access_in permit tcp any eq 3388 interface outside eq 3388
access-list outside_access_in permit tcp any eq www interface outside eq www
access-list outside_access_in permit tcp any range 5100 5101 interface outside range 5100 5101
access-list outside_access_in permit tcp any eq 2200 interface outside eq 2200
access-list outside_access_in permit tcp any eq 210 interface outside eq 210
access-list dmz_access_out permit tcp interface outside any eq www
access-list dmz_access_out permit tcp interface outside any eq https
access-list dmz_access_out permit tcp interface outside any eq domain
access-list dmz_access_out permit udp interface outside any eq domain
access-list dmz_access_out permit icmp interface inside any
pager lines 24
mtu outside 1492
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Sirsiservice 255.255.255.255 outside
pdm location SirsiCorpservice 255.255.255.0 outside
pdm location Unicorn 255.255.255.255 inside
pdm location Web2 255.255.255.255 inside
pdm group Sirsi outside
pdm group serveurinternes inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (dmz) 10 192.168.2.0 255.255.255.0 0 0
static (inside,outside) tcp interface 5100 Unicorn 5100 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5101 Unicorn 5101 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www Web2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2200 Unicorn 2200 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 210 Unicorn 210 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 Unicorn 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3388 Web2 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group dmz_access_out in interface dmz
timeout xlate 3:00:00
timeout conn 6:00:00 half-closed 0:30:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http Sirsiservice 255.255.255.255 outside
http SirsiCorpservice 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh Sirsiservice 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname bibl40@bleh.com
vpdn group pppoe_group ppp authentication pap
vpdn username bibl40@bleh.com password *********
dhcpd address 192.168.1.100-192.168.1.245 inside
dhcpd lease 1048575
dhcpd ping_timeout 750
dhcpd domain blehi.qc.ca
dhcpd auto_config outside
dhcpd enable inside
username sirsiadmin password 73x.i.cVFuIpu8uz encrypted privilege 15
terminal width 80
Question by: dautech

14 Comments
 
Expert Comment by rsivanandan (ID: 17936474)
Config looks correct to me, have you tried recycling it once?

Cheers,
Rajesh
 
Author Comment by dautech (ID: 17941398)
Recycling means rebooting?

Already done, several times.
 
Expert Comment by rsivanandan (ID: 17943475)
Hmm.

>>global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (dmz) 10 192.168.2.0 255.255.255.0 0 0

So I guess you're not able to access the internet from the 192.168.2.x segment?

Add this too:

global (outside) 10 interface

See if that gets you internet.

Cheers,
Rajesh
 
Author Comment by dautech (ID: 17943942)
I can't access the internet from 192.168.1.0.
I've tried; nothing has changed.

192.168.2.0 is not completely configured yet.
 
Expert Comment by rsivanandan (ID: 17944162)
Can you get the output of:

show ip nat translations

and

show connection ?

Cheers,
Rajesh
 
Author Comment by dautech (ID: 17979075)
I don't have access to the PIX right now.

What should the correct responses to those commands be if my config is OK?
 
Author Comment by dautech (ID: 17985052)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan3 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 dmz security50
enable password tvY0zpL7KMQfzjvE encrypted
passwd rZRDoLb0qZMxi2gB encrypted
hostname merciermur
domain-name blehr.qc.ca
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 216.226.59.2 Sirsiservice
name 150.147.1.0 SirsiCorpservice
name 192.168.1.251 Web2
name 192.168.1.250 Unicorn
object-group network Sirsi
  network-object SirsiCorpservice 255.255.255.0
  network-object Sirsiservice 255.255.255.255
object-group network serveurinternes
  network-object Unicorn 255.255.255.255
  network-object Web2 255.255.255.255
object-group service TCP_servicesinternes tcp
  port-object eq www
  port-object range 5100 5101
  port-object eq 210
  port-object eq 2200
  port-object eq 3389
access-list outside_access_in permit tcp object-group Sirsi any
access-list outside_access_in permit tcp any eq 3389 interface outside eq 3389
access-list outside_access_in permit tcp any eq 3388 interface outside eq 3388
access-list outside_access_in permit tcp any eq www interface outside eq www
access-list outside_access_in permit tcp any range 5100 5101 interface outside range 5100 5101
access-list outside_access_in permit tcp any eq 2200 interface outside eq 2200
access-list outside_access_in permit tcp any eq 210 interface outside eq 210
access-list dmz_access_out permit tcp interface outside any eq www
access-list dmz_access_out permit tcp interface outside any eq https
access-list dmz_access_out permit tcp interface outside any eq domain
access-list dmz_access_out permit udp interface outside any eq domain
access-list dmz_access_out permit icmp interface inside any
pager lines 24
mtu outside 1492
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Sirsiservice 255.255.255.255 outside
pdm location SirsiCorpservice 255.255.255.0 outside
pdm location Unicorn 255.255.255.255 inside
pdm location Web2 255.255.255.255 inside
pdm group Sirsi outside
pdm group serveurinternes inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 5100 Unicorn 5100 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5101 Unicorn 5101 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www Web2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2200 Unicorn 2200 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 210 Unicorn 210 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 Unicorn 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3388 Web2 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group dmz_access_out in interface dmz
timeout xlate 3:00:00
timeout conn 6:00:00 half-closed 0:30:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http Sirsiservice 255.255.255.255 outside
http SirsiCorpservice 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh Sirsiservice 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname bibl40@bleh.com
vpdn group pppoe_group ppp authentication pap
vpdn username bibl40@bleh.com password *********
dhcpd address 192.168.1.100-192.168.1.245 inside
dhcpd address 192.168.2.100-192.168.2.150 dmz
dhcpd lease 1048575
dhcpd ping_timeout 750
dhcpd domain blehi.qc.ca
dhcpd auto_config outside
dhcpd enable inside
dhcpd enable dmz
username sirsiadmin password 73x.i.cVFuIpu8uz encrypted privilege 15
terminal width 80
---------------------------------------------------------------------------------

I fixed it; the NAT was wrong.
 
Author Comment by dautech (ID: 17985070)
This question is closed.

But now I can't access the internet from the DMZ.
I receive a DHCP ack and I can ping 192.168.2.1 very well.
But I cannot access the internet.
* But I can from the inside interface.
 
Expert Comment by rsivanandan (ID: 17985272)
>>global (outside) 10 interface

Add the above.

Cheers,
Rajesh
 
Author Comment by dautech (ID: 17986500)
It gave me an error saying that the global is already set up....

Do I delete global (outside) 1 interface?
 
Accepted Solution by rsivanandan (earned 500 total points, ID: 17986862)
Either one is not allowed.

Can you try this as below:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

and see if it allows connections from both the inside and dmz segments?

Cheers,
Rajesh
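The accepted fix rests on one pairing rule: every nat ID must have a global pool with the same ID on the outside interface, and one PAT address on that interface can belong to only one ID. The checker below is an added example (not from this thread or from Cisco), assuming PIX 6.x nat/global syntax; it parses those lines and reports both problems, run on constructed samples copied from the three variants discussed above.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples: the nat/global block as first posted, the extra global
# the PIX refused, and the accepted fix that puts inside and dmz on one ID.
ORIGINAL = """\
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (dmz) 10 192.168.2.0 255.255.255.0 0 0
"""
WITH_SECOND_GLOBAL = ORIGINAL + "global (outside) 10 interface\n"
ACCEPTED = """\
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")

def check_nat_globals(config: str) -> List[str]:
    """Return findings about nat/global ID pairing in a PIX 6.x config."""
    globals_: List[Tuple[str, int, str]] = []   # (interface, nat_id, address)
    nats: List[Tuple[str, int]] = []            # (interface, nat_id)
    for raw in config.splitlines():
        line = raw.strip()
        if m := GLOBAL_RE.match(line):
            globals_.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := NAT_RE.match(line):
            nats.append((m.group(1), int(m.group(2))))
    findings: List[str] = []
    global_ids = {nat_id for _, nat_id, _ in globals_}
    for iface, nat_id in nats:
        if nat_id == 0:
            continue  # nat 0 is identity NAT: it needs no global pool
        if nat_id not in global_ids:
            findings.append(
                f"nat ({iface}) {nat_id} has no 'global ... {nat_id}' pool: "
                f"hosts on {iface} are never translated and cannot reach the outside")
    # One PAT address on an interface belongs to a single NAT ID; a second
    # global with the same address but another ID is what the PIX rejected.
    bound: Dict[Tuple[str, str], int] = {}
    for iface, nat_id, addr in globals_:
        owner = bound.setdefault((iface, addr), nat_id)
        if owner != nat_id:
            findings.append(
                f"global ({iface}) {nat_id} {addr} reuses the address already bound "
                f"to NAT ID {owner}; use one ID for every nat that should share it")
    return findings
```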
 
Expert Comment by rsivanandan (ID: 17986872)
I checked; the above should do okay.

Cheers,
Rajesh
 
Author Comment by dautech (ID: 18008284)
It worked :D

Thank you very much!
 
Expert Comment by rsivanandan (ID: 18008581)
You're welcome.

Cheers,
Rajesh
