Solved

public interface is not connecting up to the internet - cisco pix 506e

Posted on 2007-03-24
Last Modified: 2010-04-09
greetings

i have a cisco pix 506e that i have been trying to reconfigure.  the problem is that the public interface is not connecting up to the internet.  i see traffic on the private but not the public, i also have it set up to my local isp, for now, in order to test and configure.  

Private = INT 1
Public = INT 0


below is the running config






PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password wouGb3Kcr8izqdL1 encrypted
passwd lw.hq88l2bR1x9Fp encrypted
hostname PIX
domain-name ciscopix.com
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 2048
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit ip interface outside interface inside
access-list outside_access_in permit tcp interface outside interface inside
access-list inside_access_in permit ip interface inside interface outside
access-list inside_access_in permit tcp interface inside interface outside
pager lines 24
logging on
logging monitor debugging
logging buffered debugging
logging history emergencies
icmp permit any echo-reply outside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
ip address outside dhcp retry 4
ip address inside 10.5.2.254 255.255.255.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location 209.164.47.72 255.255.255.255 outside
pdm history enable
arp timeout 14400
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 10.5.2.254 cisco123 timeout 10
aaa-server LOCAL protocol local
http server enable
http 10.5.2.0 255.255.255.0 inside
http 10.5.2.254 255.255.255.255 inside
snmp-server host outside 209.164.47.72
snmp-server location Irvine
snmp-server contact John Kesoglou
snmp-server community vinduvin
snmp-server enable traps
floodguard enable
sysopt radius ignore-secret
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp identity address
isakmp nat-traversal 20
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.5.2.100-10.5.2.150 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:76577286553efda64231657c4190ef45
: end
[OK]
Question by:johnkesoglou
4 Comments
 
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 1600 total points
ID: 18787638
acls below are useless.
access-list outside_access_in permit ip interface outside interface inside
access-list outside_access_in permit tcp interface outside interface inside
access-list inside_access_in permit ip interface inside interface outside
access-list inside_access_in permit tcp interface inside interface outside

you have no default route for outside. specify the ip address of your modem/router which provides the internet connection. Let's say that your modem/router's ip address is 192.168.1.1. then add the following

route outside 0 0 192.168.1.1

and remove the useless acls by typing no at their beginning, for example
no access-list inside_access_in permit tcp interface inside interface outside
no access-group inside_access_in in interface inside

don't forget to type
write mem        to save the config and
cl xl                  to re-establish connections with current config
0
 
LVL 29

Assisted Solution

by:Alan Huseyin Kayahan
Alan Huseyin Kayahan earned 1600 total points
ID: 18787644
   or if the outside interface is retrieving its ip from a dhcp server, which the following line says it does
ip address outside dhcp retry 4
   then you should type the following for the outside int to retrieve the gateway automatically
   ip address outside dhcp setroute
0
 
LVL 29

Assisted Solution

by:Alan Huseyin Kayahan
Alan Huseyin Kayahan earned 1600 total points
ID: 18787669
plus, are the inside interface and outside interface in different subnets? if yes, you should do a nat by typing

nat (inside) 1 0 0

then assign a global for NAT (PAT for ex.)
global (outside) 1 interface
0
 
LVL 1

Assisted Solution

by:kkwatai
kkwatai earned 400 total points
ID: 18789396
The first thing we should establish is if the outside interface is working. I would suggest that you give your outside interface a static IP address and see if you can plug it into a PC with a crossover. Configure the PC with an IP that is in the same subnet and confirm that they can ping each other. If you can't get this going, we have bigger issues.

Assuming that is working, then the next step is to determine if you are getting a proper DHCP address with a proper IP address. Keep in mind that you didn't configure any NATting on the device so you should do all your tests from within the device and not from a PC connected to the outside.

Do a show interface and see if the interface is up and you get an external IP. Also show your routing table and make sure you got a default gateway.
0
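
A small offline check for the two gaps the answers above point out (no default route on the outside interface, no nat/global pair), added here as an example and not code from the thread. The function name and both sample strings are constructed, and the patterns cover only the PIX 6.3 command forms quoted on this page.

```python
import re

# Constructed sample: the connectivity-relevant lines from the posted config.
POSTED = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside dhcp retry 4
ip address inside 10.5.2.254 255.255.255.0
"""

# Constructed sample: the same lines after the changes suggested in the answers.
FIXED = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside dhcp setroute
ip address inside 10.5.2.254 255.255.255.0
nat (inside) 1 0 0
global (outside) 1 interface
"""

def check_outbound(config):
    """Return findings that would stop inside hosts from reaching the outside."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []

    # Default route: static 'route outside 0 0 <gw>' (long form 0.0.0.0 0.0.0.0),
    # or learned from the DHCP server via the 'setroute' keyword.
    static_default = any(
        re.match(r"route outside (0|0\.0\.0\.0) (0|0\.0\.0\.0) \S+", l) for l in lines)
    dhcp_default = any(
        re.match(r"ip address outside dhcp\b.*\bsetroute\b", l) for l in lines)
    if not (static_default or dhcp_default):
        findings.append("no default route on outside")

    # NAT: each 'nat (inside) <id>' needs a 'global (outside) <id>' with the same id.
    nat_ids = {m.group(1) for l in lines
               if (m := re.match(r"nat \(inside\) (\d+) ", l))}
    global_ids = {m.group(1) for l in lines
                  if (m := re.match(r"global \(outside\) (\d+) ", l))}
    nat_ids.discard("0")  # nat id 0 bypasses translation and takes no global
    if not nat_ids:
        findings.append("no dynamic nat (inside) rule")
    for nid in sorted(nat_ids - global_ids):
        findings.append(f"nat id {nid} has no matching global (outside)")
    return findings
```

Running it on a saved `show running-config` before touching the device shows which of the suggested commands are still missing.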
