Solved

Cisco PIX 506e Internet Route? NAt? HELP!!!!

Posted on 2006-11-21
7
1,626 Views
Last Modified: 2013-11-16
Hi, Just aquired Cisco Pix506e for an industrial application...
I am no IT expert, I NEED HELP!

I set up VPN, pinging, split tunnel and everything is working fine the only thing i need now to finish this project is getting the Network on the Inside internet access, i am not even sure is the pic can act as a router? canthis be done?:

heres topolgy:  inside----switch-----ciscopix506-----house net with dhcp.

PLease Help me out? i set up rules to alow access but nothing i think it may be NAT but am not sure, all inside clients are set to static:
   ip: 192.168.10.x/24
 gw: 192.168.10.1
dns: 192.168.10.1

where pix is:    192.168.10.1
pix is getting ip on oustide int via dhcp:    10.0.0.76/24

Heres my Config:::

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XCXu9VvUtWzg.grr encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list company_splitTunnelAcl permit ip host 0.0.0.0 any
access-list company_splitTunnelAcl permit ip 192.168.10.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip any 192.168.10.192 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.10.192 255.255.255.192
access-list inside_access_in permit ip any any
access-list inside_access_in permit tcp 192.168.10.0 255.255.255.0 any
access-list inside_access_in permit ip 192.168.10.0 255.255.255.0 any
access-list outside_access_in remark Outside to Inside all
access-list outside_access_in permit tcp any any
pager lines 24
logging history informational
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool companyVpn 192.168.10.200-192.168.10.254
pdm location 192.168.10.10 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 255.255.255.255 outside
http 192.168.10.0 255.255.255.0 inside
snmp-server host inside 192.168.10.10
no snmp-server location
snmp-server contact Administrator
snmp-server community password
snmp-server enable traps
tftp-server inside 192.168.10.10 /firewall
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup company address-pool companyVpn
vpngroup company dns-server 192.168.10.1
vpngroup company wins-server 192.168.10.1
vpngroup company default-domain OOM
vpngroup company split-tunnel company_splitTunnelAcl
vpngroup company idle-time 1800
vpngroup company password ********
telnet timeout 5
ssh 0.0.0.0 255.255.255.255 outside
ssh 0.0.0.0 255.255.255.255 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn enable outside
dhcpd address 192.168.10.2-192.168.10.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username administrator password yCeBw7hwWikHoR.u encrypted privilege 15
terminal width 80
banner login Welcome To company Oilfield and Marine Secure firewall...
Cryptochecksum:2d9deb2751c6816947d8cf050417e489
: end
[OK]

THANK YOU VERY MUCH!!!!!!
0
Comment
Question by:ricardosanchezquirch
  • 3
  • 2
  • 2
7 Comments
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
Remove both access-lists. Neither is required

no access-group outside_access_in in interface outside
no access-group inside_access_in in interface inside

Your NAT is fine. These two lines are all you need
>global (outside) 1 interface
>nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0

>ip address inside 192.168.10.1
Make sure that your internal clients point to this IP as their default gateway

>ip address outside dhcp setroute
Make sure you are actually getting an IP address and default route:
 pix#sho interface
 pix#sho route

NOTE: do not use "ping" as any kind of test because the replies are blocked by the PIX by default. You can explicitly allow it:

access-list icmp_in permit icmp any any echo-reply
access-list icmp_in permit icmp any any unreachable
access-group icmp_in in interface outside


0
 

Author Comment

by:ricardosanchezquirch
Comment Utility
Thanks lrmoore, i think the lines you're telling me i need are allready in my config?, im not an expert on this subject i chekced my config and its still not working any ideas????

Thank you!
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
>i chekced my config
Did you make the changes that I suggested?

Can you post output of "show interface" and "show route"

0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 20

Accepted Solution

by:
calvinetter earned 500 total points
Comment Utility
>dns: 192.168.10.1
  That's the problem!  PIX can't act as a DNS proxy/server.  Your PCs on the inside need to point to your ISP's DNS servers.

cheers
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
Good catch, calvinetter!
0
 

Author Comment

by:ricardosanchezquirch
Comment Utility
Guys, Good Catch, but i still cant get outside Access!!!! i have the rule setup and everything seems right but its not working! this is what i have

Internal: 192.168.10.0/24
Pix internal: 192.168.10.1/24


External: 10.0.0.0/24
External Web server: 10.0.0.2/24

I cant ping or browse to this external server or anything for that matter, shoulndt i be able to do this with NAT?
i am lost please help...
0
 
LVL 20

Expert Comment

by:calvinetter
Comment Utility
Is this PIX by chance newly-connected to a cable/DSL modem? If so, then power-cycle the cable/DSL device, wait ~3 min after that device has finished rebooting.
  If you still can't surf the web from a PC behind the PIX, then as lrmoore said, please show the output of the following:
  sh route
  sh interface

And also show us the output of the following:   sh access-list

cheers
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
This is about downgrading PIX Version 8.0(4) & ASDM 6.1(5) to PIX 7.2(4) and ASDM 5.2(4) but with only 64MB RAM and 16MB flash. Background: You have a Cisco Pix 515E which was running on PIX 7.2(4) and its supporting ASDM 5.2(4) without any i…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now