Solved

public interface is not connecting up to the internet - cisco pix 506e

Posted on 2007-03-24
250 Views
Last Modified: 2010-04-09
Greetings,

I have a Cisco PIX 506e that I have been trying to reconfigure. The problem is that the public interface is not connecting up to the internet. I see traffic on the private but not the public. I also have it set up with my local ISP, for now, in order to test and configure.

Private = INT 1
Public = INT 0


Below is the running config:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password wouGb3Kcr8izqdL1 encrypted
passwd lw.hq88l2bR1x9Fp encrypted
hostname PIX
domain-name ciscopix.com
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 2048
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit ip interface outside interface inside
access-list outside_access_in permit tcp interface outside interface inside
access-list inside_access_in permit ip interface inside interface outside
access-list inside_access_in permit tcp interface inside interface outside
pager lines 24
logging on
logging monitor debugging
logging buffered debugging
logging history emergencies
icmp permit any echo-reply outside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
ip address outside dhcp retry 4
ip address inside 10.5.2.254 255.255.255.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location 209.164.47.72 255.255.255.255 outside
pdm history enable
arp timeout 14400
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 10.5.2.254 cisco123 timeout 10
aaa-server LOCAL protocol local
http server enable
http 10.5.2.0 255.255.255.0 inside
http 10.5.2.254 255.255.255.255 inside
snmp-server host outside 209.164.47.72
snmp-server location Irvine
snmp-server contact John Kesoglou
snmp-server community vinduvin
snmp-server enable traps
floodguard enable
sysopt radius ignore-secret
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp identity address
isakmp nat-traversal 20
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.5.2.100-10.5.2.150 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:76577286553efda64231657c4190ef45
: end
Question by: johnkesoglou

4 Comments

Accepted Solution by: Alan Huseyin Kayahan (LVL 29), earned 400 total points
ID: 18787638
The ACLs below are useless:
access-list outside_access_in permit ip interface outside interface inside
access-list outside_access_in permit tcp interface outside interface inside
access-list inside_access_in permit ip interface inside interface outside
access-list inside_access_in permit tcp interface inside interface outside

You have no default route for outside. Specify the IP address of your modem/router which provides the internet connection. Let's say that your modem/router's IP address is 192.168.1.1. Then add the following:

route outside 0 0 192.168.1.1

and remove the useless ACLs by typing no at their beginning, for example:
no access-list inside_access_in permit tcp interface inside interface outside
no access-group inside_access_in in interface inside

Don't forget to type
write mem   to save the config, and
cl xl (clear xlate)   to re-establish connections with the current config
Assisted Solution by: Alan Huseyin Kayahan (LVL 29), earned 400 total points
ID: 18787644
Or, if the outside interface is retrieving its IP from a DHCP server, as the following line says it does:
ip address outside dhcp retry 4
then you should type the following for the outside interface to retrieve the gateway automatically:
ip address outside dhcp setroute
Assisted Solution by: Alan Huseyin Kayahan (LVL 29), earned 400 total points
ID: 18787669
Plus, are the inside interface and outside interface in different subnets? If yes, you should do NAT by typing

nat (inside) 1 0 0

then assign a global for NAT (PAT, for example):
global (outside) 1 interface
Assisted Solution by: kkwatai (LVL 1), earned 100 total points
ID: 18789396
The first thing we should establish is whether the outside interface is working. I would suggest that you give your outside interface a static IP address and see if you can plug it into a PC with a crossover cable. Configure the PC with an IP that is in the same subnet and confirm that they can ping each other. If you can't get this going, we have bigger issues.

Assuming that is working, then the next step is to determine whether you are getting a proper DHCP address with a proper IP address. Keep in mind that you didn't configure any NATting on the device, so you should do all your tests from within the device and not from a PC connected to the outside.

Do a show interface and see if the interface is up and you get an external IP. Also show your routing table and make sure you got a default gateway.
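As an added example that is not part of the thread (neither the asker's configuration nor any of the experts' replies), the following Python script checks a PIX 6.3-style running config for the faults the replies above identify: no default route on the outside interface (Alan's first two replies), ACL entries whose source and destination are both `interface <name>` (the "useless" ACLs), and NAT without a matching global (the third reply), and it reports the missing default gateway that kkwatai's reply asks you to verify with the routing table. The two embedded configurations are constructed samples: a trimmed copy of the posted lines, and the same lines with the fixes applied. The gateway 192.168.1.1 in the static-route test is the placeholder from the accepted answer, not a real address. The finding about an access-group whose only entries are interface-only relies on PIX ACL semantics (an access-list ends in an implicit deny), which is an assumption stated in the code, not something the thread says.

```python
import re

# Constructed sample, not the full posted running-config: only the lines the
# replies above point at, copied from the question.
BROKEN_CONFIG = """\
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_access_in permit ip interface outside interface inside
access-list outside_access_in permit tcp interface outside interface inside
access-list inside_access_in permit ip interface inside interface outside
access-list inside_access_in permit tcp interface inside interface outside
ip address outside dhcp retry 4
ip address inside 10.5.2.254 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
"""

# Constructed sample: the same lines with the replies' fixes applied. 'setroute'
# takes the default gateway from the ISP's DHCP offer; with a static outside
# address you would use 'route outside 0 0 <gateway>' instead.
FIXED_CONFIG = """\
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside dhcp setroute retry 4
ip address inside 10.5.2.254 255.255.255.0
nat (inside) 1 0 0
global (outside) 1 interface
"""


def _lines(config):
    """Return non-empty config lines, stripped, without ':'-prefixed markers."""
    return [l.strip() for l in config.splitlines()
            if l.strip() and not l.lstrip().startswith(":")]


def lint_pix_config(config):
    """Return a list of findings for the faults discussed in the thread."""
    lines = _lines(config)
    findings = []

    # 1. Default route: a static 'route outside 0 0 <gw>' or DHCP 'setroute'.
    static_default = any(
        re.match(r"route outside (0|0\.0\.0\.0) (0|0\.0\.0\.0) \S+", l) for l in lines)
    dhcp = next((l for l in lines if l.startswith("ip address outside dhcp")), None)
    if not static_default and not (dhcp and " setroute" in dhcp):
        findings.append("no default route on outside: add 'route outside 0 0 <gateway>' "
                        "or use 'ip address outside dhcp setroute'")

    # 2. ACL entries whose source and destination are both 'interface <name>'.
    #    In PIX ACL syntax 'interface X' is the address of interface X, so such
    #    an entry matches only packets between the PIX's own addresses.
    self_only_by_acl = {}
    for l in lines:
        m = re.match(r"access-list (\S+) (permit|deny) (\S+) (.*)$", l)
        if not m:
            continue
        name, action, proto, rest = m.groups()
        self_only = re.fullmatch(r"interface \S+ interface \S+", rest) is not None
        self_only_by_acl.setdefault(name, []).append(self_only)
        if self_only:
            findings.append(f"access-list {name}: '{action} {proto} {rest}' names only "
                            "the PIX's own interface addresses, so it never matches transit traffic")

    # 3. Assumption: an applied access-list ends in an implicit deny, so an
    #    access-group whose ACL has only interface-only entries drops everything
    #    entering that interface.
    for l in lines:
        m = re.match(r"access-group (\S+) in interface (\S+)", l)
        if m and self_only_by_acl.get(m.group(1)) and all(self_only_by_acl[m.group(1)]):
            findings.append(f"access-group {m.group(1)} on {m.group(2)}: every entry is "
                            f"interface-only, so the implicit deny drops all traffic entering {m.group(2)}")

    # 4. NAT: every 'nat (<if>) <id>' with id != 0 needs a 'global (outside) <id>'.
    nat_ids = {m.group(1) for l in lines if (m := re.match(r"nat \(\S+\) (\d+)\b", l))}
    global_ids = {m.group(1) for l in lines if (m := re.match(r"global \(outside\) (\d+)\b", l))}
    if not nat_ids:
        findings.append("no NAT for inside hosts: add 'nat (inside) 1 0 0' "
                        "and 'global (outside) 1 interface'")
    for nid in sorted(nat_ids - global_ids - {"0"}):
        findings.append(f"nat id {nid} has no matching 'global (outside) {nid} ...'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted config", BROKEN_CONFIG), ("fixed config", FIXED_CONFIG)):
        print(f"== {label} ==")
        for finding in lint_pix_config(cfg) or ["no findings"]:
            print(" -", finding)
```

To use it on a real box, paste the output of show running-config into a string and call lint_pix_config on it; the script as written only reads the two embedded samples. Against the posted lines it reports the missing default route, all four interface-only ACL entries, both access-groups, and the absence of NAT; against the fixed lines it reports nothing. Note that removing the ACLs alone does not add a default route or NAT, and adding setroute alone does not remove the access-group that drops inside traffic, so the three replies are one procedure, not alternatives.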
