
PIX 506E cannot access the internet but PPPoE is connected.

Hi guys, I've another one for you ;P
It looks like now I can't access the internet.
I can ping Google from the outside interface, and I received the IP address of my PPPoE modem successfully.
I can ping 192.168.1.1 from an inside host, but I cannot access the internet, and my inside interface cannot either.
I really need the inside interface to be working quickly!
The problem seems to be the NAT or the routing, but I can't figure it out. Maybe something is missing!

Can you help me on that one?

----------------------------------------------------



interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan3 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 dmz security50
enable password tvY0zpL7KMQfzjvE encrypted
passwd rZRDoLb0qZMxi2gB encrypted
hostname merciermur
domain-name blehr.qc.ca
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 216.226.59.2 Sirsiservice
name 150.147.1.0 SirsiCorpservice
name 192.168.1.251 Web2
name 192.168.1.250 Unicorn
object-group network Sirsi
  network-object SirsiCorpservice 255.255.255.0
  network-object Sirsiservice 255.255.255.255
object-group network serveurinternes
  network-object Unicorn 255.255.255.255
  network-object Web2 255.255.255.255
object-group service TCP_servicesinternes tcp
  port-object eq www
  port-object range 5100 5101
  port-object eq 210
  port-object eq 2200
  port-object eq 3389
access-list outside_access_in permit tcp object-group Sirsi any
access-list outside_access_in permit tcp any eq 3389 interface outside eq 3389
access-list outside_access_in permit tcp any eq 3388 interface outside eq 3388
access-list outside_access_in permit tcp any eq www interface outside eq www
access-list outside_access_in permit tcp any range 5100 5101 interface outside range 5100 5101
access-list outside_access_in permit tcp any eq 2200 interface outside eq 2200
access-list outside_access_in permit tcp any eq 210 interface outside eq 210
access-list dmz_access_out permit tcp interface outside any eq www
access-list dmz_access_out permit tcp interface outside any eq https
access-list dmz_access_out permit tcp interface outside any eq domain
access-list dmz_access_out permit udp interface outside any eq domain
access-list dmz_access_out permit icmp interface inside any
pager lines 24
mtu outside 1492
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Sirsiservice 255.255.255.255 outside
pdm location SirsiCorpservice 255.255.255.0 outside
pdm location Unicorn 255.255.255.255 inside
pdm location Web2 255.255.255.255 inside
pdm group Sirsi outside
pdm group serveurinternes inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (dmz) 10 192.168.2.0 255.255.255.0 0 0
static (inside,outside) tcp interface 5100 Unicorn 5100 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5101 Unicorn 5101 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www Web2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2200 Unicorn 2200 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 210 Unicorn 210 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 Unicorn 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3388 Web2 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group dmz_access_out in interface dmz
timeout xlate 3:00:00
timeout conn 6:00:00 half-closed 0:30:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http Sirsiservice 255.255.255.255 outside
http SirsiCorpservice 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh Sirsiservice 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname bibl40@bleh.com
vpdn group pppoe_group ppp authentication pap
vpdn username bibl40@bleh.com password *********
dhcpd address 192.168.1.100-192.168.1.245 inside
dhcpd lease 1048575
dhcpd ping_timeout 750
dhcpd domain blehi.qc.ca
dhcpd auto_config outside
dhcpd enable inside
username sirsiadmin password 73x.i.cVFuIpu8uz encrypted privilege 15
terminal width 80
Asked: dautech
1 Solution
 
rsivanandanCommented:
Config looks correct to me; have you tried recycling it once?

Cheers,
Rajesh
 
dautechAuthor Commented:
Does recycling mean rebooting?

Already done, several times.
 
rsivanandanCommented:
hmm.

>>global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (dmz) 10 192.168.2.0 255.255.255.0 0 0

So I guess you're not able to access the internet from the 192.168.2.x segment?

Add this too:

global (outside) 10 interface

See if that gets you internet

Cheers,
Rajesh
dautechAuthor Commented:
I can't access the internet from 192.168.1.0.
I've tried; nothing has changed.

192.168.2.0 is not completely configured yet.
 
rsivanandanCommented:
Can you get the output of;

show ip nat translations

and

show connection?

Cheers
Rajesh
 
dautechAuthor Commented:
I don't have access to the PIX right now.

What should the correct responses to those commands be if my config is ok?
 
dautechAuthor Commented:
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan3 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 dmz security50
enable password tvY0zpL7KMQfzjvE encrypted
passwd rZRDoLb0qZMxi2gB encrypted
hostname merciermur
domain-name blehr.qc.ca
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 216.226.59.2 Sirsiservice
name 150.147.1.0 SirsiCorpservice
name 192.168.1.251 Web2
name 192.168.1.250 Unicorn
object-group network Sirsi
  network-object SirsiCorpservice 255.255.255.0
  network-object Sirsiservice 255.255.255.255
object-group network serveurinternes
  network-object Unicorn 255.255.255.255
  network-object Web2 255.255.255.255
object-group service TCP_servicesinternes tcp
  port-object eq www
  port-object range 5100 5101
  port-object eq 210
  port-object eq 2200
  port-object eq 3389
access-list outside_access_in permit tcp object-group Sirsi any
access-list outside_access_in permit tcp any eq 3389 interface outside eq 3389
access-list outside_access_in permit tcp any eq 3388 interface outside eq 3388
access-list outside_access_in permit tcp any eq www interface outside eq www
access-list outside_access_in permit tcp any range 5100 5101 interface outside range 5100 5101
access-list outside_access_in permit tcp any eq 2200 interface outside eq 2200
access-list outside_access_in permit tcp any eq 210 interface outside eq 210
access-list dmz_access_out permit tcp interface outside any eq www
access-list dmz_access_out permit tcp interface outside any eq https
access-list dmz_access_out permit tcp interface outside any eq domain
access-list dmz_access_out permit udp interface outside any eq domain
access-list dmz_access_out permit icmp interface inside any
pager lines 24
mtu outside 1492
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Sirsiservice 255.255.255.255 outside
pdm location SirsiCorpservice 255.255.255.0 outside
pdm location Unicorn 255.255.255.255 inside
pdm location Web2 255.255.255.255 inside
pdm group Sirsi outside
pdm group serveurinternes inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 5100 Unicorn 5100 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5101 Unicorn 5101 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www Web2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2200 Unicorn 2200 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 210 Unicorn 210 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 Unicorn 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3388 Web2 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group dmz_access_out in interface dmz
timeout xlate 3:00:00
timeout conn 6:00:00 half-closed 0:30:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http Sirsiservice 255.255.255.255 outside
http SirsiCorpservice 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh Sirsiservice 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname bibl40@bleh.com
vpdn group pppoe_group ppp authentication pap
vpdn username bibl40@bleh.com password *********
dhcpd address 192.168.1.100-192.168.1.245 inside
dhcpd address 192.168.2.100-192.168.2.150 dmz
dhcpd lease 1048575
dhcpd ping_timeout 750
dhcpd domain blehi.qc.ca
dhcpd auto_config outside
dhcpd enable inside
dhcpd enable dmz
username sirsiadmin password 73x.i.cVFuIpu8uz encrypted privilege 15
terminal width 80
---------------------------------------------------------------------------------

I fixed it; the NAT was wrong.
 
dautechAuthor Commented:
This question is closed.

But now I can't access the internet from the DMZ.
I receive the DHCP ACK and I can ping 192.168.2.1 very well.
But I cannot access the internet.
* But I can from the inside interface.
 
rsivanandanCommented:
>>global (outside) 10 interface

Add the above.

Cheers,
Rajesh
 
dautechAuthor Commented:
It gave me an error saying that the global is already set up....

Do I delete global (outside) 1 interface?
 
rsivanandanCommented:
Either one is not allowed.

Can you try this, as below:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

and see if it allows connection from both inside and dmz segments?

Cheers,
Rajesh
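The fix above works because a PIX 6.x `nat` entry only translates traffic when a `global` with the same NAT ID exists on the egress interface: the poster's original config had `nat (dmz) 10` with no `global (outside) 10`, and adding one failed because the outside interface address can be used by only one `global` (the "already setup" error reported above), so the answer is to put both segments under the same NAT ID. The following checker is an added example, not code from the thread; it parses the `nat`/`global` lines of a PIX 6.x-style config (the syntax shown on this page) and reports NAT IDs with no matching outside `global`, as well as multiple `global` entries on the same interface that all claim the interface address. The sample config strings are constructed from the two versions posted in this thread.

```python
"""
Consistency check for PIX 6.x-style nat/global pairs.

Added example (not from the original thread). It reports the two
mistakes this thread turned on:
  1. a `nat (iface) N ...` entry whose NAT ID N has no `global (outside) N`,
     so hosts behind that nat rule are never translated and cannot reach
     the internet; and
  2. two `global` entries on the same egress interface that both use the
     interface address (`interface`) under different NAT IDs, which the
     PIX rejects with a "global is already setup" error.
"""
import re
from collections import defaultdict

# PIX 6.x syntax: nat (src_iface) id net mask [max_conns em_limit]
NAT_RE = re.compile(r"^\s*nat\s+\((\S+)\)\s+(\d+)\s+(\S+)\s+(\S+)")
# PIX 6.x syntax: global (egress_iface) id {interface | ip | ip-ip}
GLOBAL_RE = re.compile(r"^\s*global\s+\((\S+)\)\s+(\d+)\s+(\S+)")


def parse_nat_global(config_text):
    """Return (nats, globals): nats maps nat_id -> [(src_iface, net, mask)],
    globals maps (egress_iface, nat_id) -> [pool spec, ...]."""
    nats = defaultdict(list)
    globals_ = defaultdict(list)
    for line in config_text.splitlines():
        m = NAT_RE.match(line)
        if m:
            iface, nat_id, net, mask = m.groups()
            nats[int(nat_id)].append((iface, net, mask))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            iface, nat_id, pool = m.groups()
            globals_[(iface, int(nat_id))].append(pool)
    return nats, globals_


def check_nat_globals(config_text, egress="outside"):
    """Return a list of findings; an empty list means the pairs are consistent."""
    nats, globals_ = parse_nat_global(config_text)
    findings = []
    # NAT ID 0 means "no translation" on the PIX (nat 0), so it needs no global.
    for nat_id, entries in sorted(nats.items()):
        if nat_id == 0:
            continue
        if (egress, nat_id) not in globals_:
            for src_iface, net, mask in entries:
                findings.append(
                    f"nat ({src_iface}) {nat_id} {net} {mask} has no matching "
                    f"global ({egress}) {nat_id}: hosts on {src_iface} will not be translated"
                )
    # Several NAT IDs all claiming the egress interface address as their PAT pool.
    ids_using_interface = sorted(
        nat_id for (iface, nat_id), pools in globals_.items()
        if iface == egress and "interface" in pools
    )
    if len(ids_using_interface) > 1:
        findings.append(
            f"global ({egress}) ids {ids_using_interface} all use 'interface': "
            "the PIX allows the interface address in only one global; use a single NAT ID"
        )
    return findings


# Constructed sample: the nat/global lines from the poster's first config (nat 10 has no global).
BROKEN_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (dmz) 10 192.168.2.0 255.255.255.0 0 0
"""

# Constructed sample: the working lines from the accepted answer (both segments share NAT ID 1).
FIXED_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {check_nat_globals(cfg) or ['ok']}")
```

Run it against a saved `show run` and it flags the same inconsistency a `show xlate` on the box would reveal by showing no translations for the DMZ hosts. The check is deliberately limited to the nat/global pairing; it does not evaluate the access-lists or statics, which also have to permit the traffic for the segment to reach the internet.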
 
rsivanandanCommented:
I checked it out; the above should do okay.

Cheers,
Rajesh
 
dautechAuthor Commented:
It worked :D

Thank you very much!
 
rsivanandanCommented:
You're welcome.

Cheers,
Rajesh