Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Cisco PIX 506e Internet Route? NAt? HELP!!!!

Posted on 2006-11-21
7
Medium Priority
?
1,633 Views
Last Modified: 2013-11-16
Hi, Just aquired Cisco Pix506e for an industrial application...
I am no IT expert, I NEED HELP!

I set up VPN, pinging, split tunnel and everything is working fine the only thing i need now to finish this project is getting the Network on the Inside internet access, i am not even sure is the pic can act as a router? canthis be done?:

heres topolgy:  inside----switch-----ciscopix506-----house net with dhcp.

PLease Help me out? i set up rules to alow access but nothing i think it may be NAT but am not sure, all inside clients are set to static:
   ip: 192.168.10.x/24
 gw: 192.168.10.1
dns: 192.168.10.1

where pix is:    192.168.10.1
pix is getting ip on oustide int via dhcp:    10.0.0.76/24

Heres my Config:::

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XCXu9VvUtWzg.grr encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list company_splitTunnelAcl permit ip host 0.0.0.0 any
access-list company_splitTunnelAcl permit ip 192.168.10.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip any 192.168.10.192 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.10.192 255.255.255.192
access-list inside_access_in permit ip any any
access-list inside_access_in permit tcp 192.168.10.0 255.255.255.0 any
access-list inside_access_in permit ip 192.168.10.0 255.255.255.0 any
access-list outside_access_in remark Outside to Inside all
access-list outside_access_in permit tcp any any
pager lines 24
logging history informational
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool companyVpn 192.168.10.200-192.168.10.254
pdm location 192.168.10.10 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 255.255.255.255 outside
http 192.168.10.0 255.255.255.0 inside
snmp-server host inside 192.168.10.10
no snmp-server location
snmp-server contact Administrator
snmp-server community password
snmp-server enable traps
tftp-server inside 192.168.10.10 /firewall
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup company address-pool companyVpn
vpngroup company dns-server 192.168.10.1
vpngroup company wins-server 192.168.10.1
vpngroup company default-domain OOM
vpngroup company split-tunnel company_splitTunnelAcl
vpngroup company idle-time 1800
vpngroup company password ********
telnet timeout 5
ssh 0.0.0.0 255.255.255.255 outside
ssh 0.0.0.0 255.255.255.255 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn enable outside
dhcpd address 192.168.10.2-192.168.10.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username administrator password yCeBw7hwWikHoR.u encrypted privilege 15
terminal width 80
banner login Welcome To company Oilfield and Marine Secure firewall...
Cryptochecksum:2d9deb2751c6816947d8cf050417e489
: end
[OK]

THANK YOU VERY MUCH!!!!!!
0
Comment
Question by:ricardosanchezquirch
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 17988926
Remove both access-lists. Neither is required

no access-group outside_access_in in interface outside
no access-group inside_access_in in interface inside

Your NAT is fine. These two lines are all you need
>global (outside) 1 interface
>nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0

>ip address inside 192.168.10.1
Make sure that your internal clients point to this IP as their default gateway

>ip address outside dhcp setroute
Make sure you are actually getting an IP address and default route:
 pix#sho interface
 pix#sho route

NOTE: do not use "ping" as any kind of test because the replies are blocked by the PIX by default. You can explicitly allow it:

access-list icmp_in permit icmp any any echo-reply
access-list icmp_in permit icmp any any unreachable
access-group icmp_in in interface outside


0
 

Author Comment

by:ricardosanchezquirch
ID: 17989429
Thanks lrmoore, i think the lines you're telling me i need are allready in my config?, im not an expert on this subject i chekced my config and its still not working any ideas????

Thank you!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17990178
>i chekced my config
Did you make the changes that I suggested?

Can you post output of "show interface" and "show route"

0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 20

Accepted Solution

by:
calvinetter earned 2000 total points
ID: 17993604
>dns: 192.168.10.1
  That's the problem!  PIX can't act as a DNS proxy/server.  Your PCs on the inside need to point to your ISP's DNS servers.

cheers
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17995160
Good catch, calvinetter!
0
 

Author Comment

by:ricardosanchezquirch
ID: 17996950
Guys, Good Catch, but i still cant get outside Access!!!! i have the rule setup and everything seems right but its not working! this is what i have

Internal: 192.168.10.0/24
Pix internal: 192.168.10.1/24


External: 10.0.0.0/24
External Web server: 10.0.0.2/24

I cant ping or browse to this external server or anything for that matter, shoulndt i be able to do this with NAT?
i am lost please help...
0
 
LVL 20

Expert Comment

by:calvinetter
ID: 18000248
Is this PIX by chance newly-connected to a cable/DSL modem? If so, then power-cycle the cable/DSL device, wait ~3 min after that device has finished rebooting.
  If you still can't surf the web from a PC behind the PIX, then as lrmoore said, please show the output of the following:
  sh route
  sh interface

And also show us the output of the following:   sh access-list

cheers
0

Featured Post

Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question