ricardosanchezquirch
asked on
Cisco PIX 506e Internet Route? NAt? HELP!!!!
Hi, Just aquired Cisco Pix506e for an industrial application...
I am no IT expert, I NEED HELP!
I set up VPN, pinging, split tunnel and everything is working fine the only thing i need now to finish this project is getting the Network on the Inside internet access, i am not even sure is the pic can act as a router? canthis be done?:
heres topolgy: inside----switch-----cisco
PLease Help me out? i set up rules to alow access but nothing i think it may be NAT but am not sure, all inside clients are set to static:
ip: 192.168.10.x/24
gw: 192.168.10.1
dns: 192.168.10.1
where pix is: 192.168.10.1
pix is getting ip on oustide int via dhcp: 10.0.0.76/24
Heres my Config:::
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XCXu9VvUtWzg.grr encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list company_splitTunnelAcl permit ip host 0.0.0.0 any
access-list company_splitTunnelAcl permit ip 192.168.10.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip any 192.168.10.192 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.10.192 255.255.255.192
access-list inside_access_in permit ip any any
access-list inside_access_in permit tcp 192.168.10.0 255.255.255.0 any
access-list inside_access_in permit ip 192.168.10.0 255.255.255.0 any
access-list outside_access_in remark Outside to Inside all
access-list outside_access_in permit tcp any any
pager lines 24
logging history informational
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool companyVpn 192.168.10.200-192.168.10.
pdm location 192.168.10.10 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 255.255.255.255 outside
http 192.168.10.0 255.255.255.0 inside
snmp-server host inside 192.168.10.10
no snmp-server location
snmp-server contact Administrator
snmp-server community password
snmp-server enable traps
tftp-server inside 192.168.10.10 /firewall
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup company address-pool companyVpn
vpngroup company dns-server 192.168.10.1
vpngroup company wins-server 192.168.10.1
vpngroup company default-domain OOM
vpngroup company split-tunnel company_splitTunnelAcl
vpngroup company idle-time 1800
vpngroup company password ********
telnet timeout 5
ssh 0.0.0.0 255.255.255.255 outside
ssh 0.0.0.0 255.255.255.255 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn enable outside
dhcpd address 192.168.10.2-192.168.10.25
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username administrator password yCeBw7hwWikHoR.u encrypted privilege 15
terminal width 80
banner login Welcome To company Oilfield and Marine Secure firewall...
Cryptochecksum:2d9deb2751c
: end
[OK]
THANK YOU VERY MUCH!!!!!!
I am no IT expert, I NEED HELP!
I set up VPN, pinging, split tunnel and everything is working fine the only thing i need now to finish this project is getting the Network on the Inside internet access, i am not even sure is the pic can act as a router? canthis be done?:
heres topolgy: inside----switch-----cisco
PLease Help me out? i set up rules to alow access but nothing i think it may be NAT but am not sure, all inside clients are set to static:
ip: 192.168.10.x/24
gw: 192.168.10.1
dns: 192.168.10.1
where pix is: 192.168.10.1
pix is getting ip on oustide int via dhcp: 10.0.0.76/24
Heres my Config:::
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XCXu9VvUtWzg.grr encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list company_splitTunnelAcl permit ip host 0.0.0.0 any
access-list company_splitTunnelAcl permit ip 192.168.10.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip any 192.168.10.192 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.10.192 255.255.255.192
access-list inside_access_in permit ip any any
access-list inside_access_in permit tcp 192.168.10.0 255.255.255.0 any
access-list inside_access_in permit ip 192.168.10.0 255.255.255.0 any
access-list outside_access_in remark Outside to Inside all
access-list outside_access_in permit tcp any any
pager lines 24
logging history informational
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool companyVpn 192.168.10.200-192.168.10.
pdm location 192.168.10.10 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 255.255.255.255 outside
http 192.168.10.0 255.255.255.0 inside
snmp-server host inside 192.168.10.10
no snmp-server location
snmp-server contact Administrator
snmp-server community password
snmp-server enable traps
tftp-server inside 192.168.10.10 /firewall
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup company address-pool companyVpn
vpngroup company dns-server 192.168.10.1
vpngroup company wins-server 192.168.10.1
vpngroup company default-domain OOM
vpngroup company split-tunnel company_splitTunnelAcl
vpngroup company idle-time 1800
vpngroup company password ********
telnet timeout 5
ssh 0.0.0.0 255.255.255.255 outside
ssh 0.0.0.0 255.255.255.255 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn enable outside
dhcpd address 192.168.10.2-192.168.10.25
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username administrator password yCeBw7hwWikHoR.u encrypted privilege 15
terminal width 80
banner login Welcome To company Oilfield and Marine Secure firewall...
Cryptochecksum:2d9deb2751c
: end
[OK]
THANK YOU VERY MUCH!!!!!!
ASKER
Thanks lrmoore, i think the lines you're telling me i need are allready in my config?, im not an expert on this subject i chekced my config and its still not working any ideas????
Thank you!
Thank you!
>i chekced my config
Did you make the changes that I suggested?
Can you post output of "show interface" and "show route"
Did you make the changes that I suggested?
Can you post output of "show interface" and "show route"
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Good catch, calvinetter!
ASKER
Guys, Good Catch, but i still cant get outside Access!!!! i have the rule setup and everything seems right but its not working! this is what i have
Internal: 192.168.10.0/24
Pix internal: 192.168.10.1/24
External: 10.0.0.0/24
External Web server: 10.0.0.2/24
I cant ping or browse to this external server or anything for that matter, shoulndt i be able to do this with NAT?
i am lost please help...
Internal: 192.168.10.0/24
Pix internal: 192.168.10.1/24
External: 10.0.0.0/24
External Web server: 10.0.0.2/24
I cant ping or browse to this external server or anything for that matter, shoulndt i be able to do this with NAT?
i am lost please help...
Is this PIX by chance newly-connected to a cable/DSL modem? If so, then power-cycle the cable/DSL device, wait ~3 min after that device has finished rebooting.
If you still can't surf the web from a PC behind the PIX, then as lrmoore said, please show the output of the following:
sh route
sh interface
And also show us the output of the following: sh access-list
cheers
If you still can't surf the web from a PC behind the PIX, then as lrmoore said, please show the output of the following:
sh route
sh interface
And also show us the output of the following: sh access-list
cheers
no access-group outside_access_in in interface outside
no access-group inside_access_in in interface inside
Your NAT is fine. These two lines are all you need
>global (outside) 1 interface
>nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0
>ip address inside 192.168.10.1
Make sure that your internal clients point to this IP as their default gateway
>ip address outside dhcp setroute
Make sure you are actually getting an IP address and default route:
pix#sho interface
pix#sho route
NOTE: do not use "ping" as any kind of test because the replies are blocked by the PIX by default. You can explicitly allow it:
access-list icmp_in permit icmp any any echo-reply
access-list icmp_in permit icmp any any unreachable
access-group icmp_in in interface outside