Solved

Connecting server directly to PIX 525 (internet not working on server)

Posted on 2007-03-29
Last Modified: 2008-01-09
Hi,
I have a problem in my network: I want to connect my server directly to my PIX 525 and then to the router.
This is my network diagram:
router IP: X.X.X.X
outside PIX: X1.X1.X1.X1
inside PIX: 172.16.100.1
server IP: 172.16.100.4

router ----> PIX 525 ----> server (the router is a Cisco 2800)
I made a static NAT in the PIX to refer to my NIC IP.
I use this command:
X.X.X.X = public IP of the router
X1.X1.X1.X1 = public IP inside the PIX
X2.X2.X2.X2 = public IP for the server


static (inside,outside) X2.X2.X2.X2  172.16.100.4 netmask 255.255.255.255 0 0

and then I made an access list to open the ports:

access-list OutsideIn permit tcp any host X.X.X.X eq www                                                            
access-list OutsideIn permit tcp any host X.X.X.X eq smtp                                                            
access-list OutsideIn permit tcp any host X.X.X.X eq ftp                                                            
access-list OutsideIn permit tcp any host X.X.X.X eq telnet                                                              
access-list OutsideIn permit tcp any host X.X.X.X eq 3389                                                            
access-list OutsideIn permit tcp any host X.X.X.X eq 69                                                          
access-list OutsideIn permit tcp any host X.X.X.X eq ssh  
access-group OutsideIn in interface outside

NIC configuration on my server:
IP 172.16.100.4
mask 255.255.255.0
gateway 172.16.100.1
DNS 62.68.95.11 (external DNS)
DNS2 62.68.64.11 (external DNS)

but the internet does not work on my server.
------------------------------------------------------------------------------
This is the configuration of the router:

interface GigabitEthernet0/0                            
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$                                                      
 ip address 62.68.65.1 255.255.255.192                                      
 ip wccp web-cache redirect out                              
 duplex auto            
 speed auto          
!
interface GigabitEthernet0/1                            
 ip address 192.168.0.1 255.255.255.0                                    
 duplex auto            
 speed auto          
!
interface Serial0/0/0                    
 ip address 172.16.197.2 255.255.255.0                                      
 no ip route-cache cef                      
 no ip route-cache                  
 no ip mroute-cache                  
 load-interval 30                
 no keepalive            
 no fair-queue              
 ignore dcd          
 no cdp enable              
!
interface Content-Engine1/0                          
 ip unnumbered GigabitEthernet0/0                                
 service-module ip address 62.68.65.2 255.255.255.192                                                    
 service-module ip default-gateway 62.68.65.1                                            
!
ip default-gateway 172.16.197.2                              
ip classless            
ip route 0.0.0.0 0.0.0.0 172.16.197.1                                    
ip route 62.68.65.2 255.255.255.255 Content-Engine1/0                                                    
!
!
ip http server              
ip http authentication local                            
ip http secure-server                    
ip http timeout-policy idle 5 life 86400 requests 10000                                                      

--------------------------------------------------------------------------------
Configuration of the PIX:

PIX Version 6.3(5)                  
interface ethernet0 auto                        
interface ethernet1 auto                        
interface gb-ethernet0 1000auto shutdown                                        
interface gb-ethernet1 1000auto shutdown                                        
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security100                                  
nameif gb-ethernet0 intf2 security4                                  
nameif gb-ethernet1 intf3 s                        
domain-name Cisco                
fixup protocol dns maximum-length 512                                    
fixup protocol ftp 21                    
fixup protocol h323 h225 1720                            
fixup protocol h323 ras 1718-1719                                
fixup protocol http 80                      
fixup protocol rsh 514                      
fixup protocol rtsp 554                      
fixup protocol sip 5060                      
fixup protocol sip udp 5060                          
fixup protocol skinny 2000                          
fixup protocol smtp 25                      
fixup protocol sqlnet 1521                          
fixup protocol tftp 69                      
names    
access-list acl_out permit icmp any any                                      
access-list inside_outbound_nat0_acl permit ip any 172.16.2.96 255.255.255.240                                                                              
access-list OutsideIn permit tcp any host 62.68.65.43 eq www                                                            
access-list OutsideIn permit tcp any host 62.68.65.43 eq smtp                                                            
access-list OutsideIn permit tcp any host 62.68.65.43 eq ftp                                                            
access-list OutsideIn permit tcp any host 62.68.65.43 eq telnet                                                              
access-list OutsideIn permit tcp any host 62.68.65.43 eq 3389                                                            
access-list OutsideIn permit tcp any host 62.68.65.43 eq 69                                                          
access-list OutsideIn permit tcp any host 62.68.65.43 eq ssh                                                            
                                                       
                                                         
pager lines 24              
mtu outside 1500                
mtu inside 1500              
mtu intf2 1500              
mtu intf3 1500              
ip address outside 62.68.65.3 255.255.255.192                                            
ip address inside 172.16.100.2 255.255.255.0                                            
no ip address intf2                  
no ip address intf3                  
ip audit info action alarm                          
ip audit attack action alarm                            
no failover          
failover timeout 0:00:00                        
failover poll 15                
no failover ip addr                
no failover ip address inside                            
no failover ip address intf2                            
no failover ip address intf3                            
pdm location 172.16.2.70 255.255.255.255 inside                                              
pdm location 172.16.2.200 255.255.255.255 inside                                                
pdm location 172.16.2.0 255.255.255.0 inside                                            
pdm location 172.16.3.0 255.255.255.0 inside                                            
pdm location 172.16.4.0 255.255.255.0 inside                                            
pdm location 172.16.5.0 255.255.255.0 inside                                            
pdm location 172.16.6.0 255.255.255.0 inside                                            
pdm location 172.16.7.0 255.255.255.0 inside                                            
pdm location 172.16.8.0 255.255.255.0 inside                                            
pdm location 172.16.9.0 255.255.255.0 inside                                            
pdm location 172.16.10.0 255.255.255.0 inside                                            
pdm location 172.16.11.0 255.255.255.0 inside                                            
pdm location 172.16.12.0 255.255.255.0 inside                                            
pdm location 172.16.13.0 255.255.255.0 inside                                            
pdm location 172.16.14.0 255.255.255.0 inside                                            
pdm location 172.16.20.0 255.255.255.0 inside                                            
pdm location 172.16.30.0 255.255.255.0 inside                                            
pdm location 172.16.40.0 255.255.255.0 inside                                            
pdm location 172.16.50.0 255.255.255.0 inside                                            
pdm location 172.16.110.2 255.255.255.255 inside                                                
pdm location 172.16.120.2 255.255.255.255 inside                                                
pdm location 62.68.65.43 255.255.255.255 outside                                                
pdm location 62.68.65.44 255.255.255.255 outside                                                
pdm location 172.16.2.96 255.255.255.240 outside                                                
pdm history enable                  
arp timeout 14400                
global (outside) 1 62.68.65.4-62.68.65.42                                        
global (outside) 1 62.68.65.60                              
nat (inside) 0 access-list inside_outbound_nat0_acl                                                  
nat (inside) 1 172.16.2.0 255.255.255.0 0 0                                          
nat (inside) 1 172.16.3.0 255.255.255.0 0 0                                          
nat (inside) 1 172.16.4.0 255.255.255.0 0 0                                          
nat (inside) 1 172.16.5.0 25                          
nat (inside) 1 172.16.6.0 255.255.255.0 0 0                                          
nat (inside) 1 172.16.7.0 255.255.255.0 0 0                                          
nat (inside) 1 172.16.8.0 255.255.255.0 0 0                                          
nat (inside) 1 172.16.9.0 255.255.255.0 0 0                                          
nat (inside) 1 172.16.10.0 255.255.255.0 0 0                                            
nat (inside) 1 172.16.11.0 255.255.255.0 0 0                                            
nat (inside) 1 172.16.12.0 255.255.255.0 0 0                                            
nat (inside) 1 172.16.13.0 255.255.255.0 0 0                                            
nat (inside) 1 172.16.14.0 255.255.255.0 0 0                                            
nat (inside) 1 172.16.20.0 255.255.255.0 0 0                                            
nat (inside) 1 172.16.30.0 255.255.255.0 0 0                                            
nat (inside) 1 172.16.40.0                          
nat (inside) 1 172.16.100.0 255.255.255.0 0 0                                            
static (inside,outside) 62.68.65.43 172.16.110.2 netmask 255.255.255.255 0 0                                                                                                          
static (outside,inside) 172.16.110.2 62.68.65.43 netmask 255.255.255.255 0 0                                                                            
static (inside,outside) 62.68.65.44 172.16.120.2 netmask 255.255.255.255 0 0                                                                            
static (outside,inside) 172.16.120.2 62.68.65.44 netmask 255.255.255.255 0 0                                                                            
static (inside,outside) 62.68.65.50 172.16.14.130 netmask 255.255.255.255 0 0                                                                            
static (inside,outside) 62.68.65.51 172.16.2.7 netmask 255.255.255.255 0 0                                                                          
static (inside,outside) 62.68.65.52 172.16.2.6 netmask 255.255.255.255 0 0                                                                          
access-group OutsideIn in interface outside                                          
conduit permit icmp any any                          
conduit permit tcp host 62.68.65.43 eq www any                                              
conduit permit tcp host 62.68.65.44 eq www any                                              
conduit permit tcp host 62.68.65.44 eq pop3 any                                              
conduit permit tcp host 62.68.65.44 eq imap4 any                                                
conduit permit tcp host 62.68.65.44 eq smtp any                                              
rip inside passive version 1                            
route outside 0.0.0.0 0.0.0.0 62.68.65.1 1                                          
timeout xlate 3:00:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00                                                                            
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00                                                              
timeout sip-disconnect 0:02:00 sip-invite 0:03:00                                                
timeout uauth 0:05:00 absolute                              
aaa-server TACACS+ protocol tacacs+                                  
aaa-server TACACS+ max-failed-attempts 3                                        
aaa-server TACACS+ deadtime 10                              
aaa-server RADIUS protocol radius                                
aaa-server RADIUS max-failed-attempts 3                                      
aaa-server RADIUS deadtime 10                            
aaa-server LOCAL protocol local                              
http server enable                  
http 172.16.2.70 255.255.255.255                              
http 172.16.2.200 255.255.255.255 inside
http 172.16.130.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet 172.16.100.0 255.255.255.0 inside
telnet 172.16.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username nasem password *********
dhcpd address 172.16.100.50-172.16.100.225 inside
dhcpd dns 172.16.2.5
dhcpd lease 6000
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:c5cd988ba9cd16ce0bf9a83b9a95afb9

thanks
0
Question by:nasemabdullaa
28 Comments
 
LVL 3

Assisted Solution

by:daocs
daocs earned 100 total points
ID: 18815713
Hello Nasemabdullaa,

Well the first thing I do in a problem like this is to work from the outside in.  From inside your router can you ping an outside address?  Work your way in and see where the problem breaks down.

The first thing I see is this:
You said this is your server setup:
NIC in my server configuration
IP 172.16.100.4
mask 255.255.255.0
gateway 172.16.100.1 <--
DNS 62.68.95.11 (external dns)
DNS2 62.68.64.11  (external dns)

The gateway you say is .1 but your pix inside address is this:
ip address inside 172.16.100.2 255.255.255.0

Also it looks like you might have configured this with the PDM or Web access?  The config could use some cleaning up.  First thing is to get to the internet and then you can fine tune your ACLs and other stuff.  I would take out all of your static statements and Nat 1's and see where this gets you.  Once you have internet connection start adding one static statement back in so you can open the www and other ports for this server. (I'm assuming you want people on the outside to get to this server?)

Let me know how that goes for you.

0
 
LVL 10

Expert Comment

by:Sorenson
ID: 18815783
Also remove the conduit commands, as they are not supported for use with the access-lists.

Remove the static (outside,inside) commands, they are not correct, the static (inside,outside) takes care of the reverse path.
0
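The points daocs and Sorenson raise above (a PIX config that mixes conduits with access-lists, a static (outside,inside) that duplicates what the static (inside,outside) already does, and the question of which translation a given inside host actually receives) can be checked mechanically against a config dump like the one in the question. The script below is an added example for this thread, not Cisco code and not the poster's own tooling: it parses the PIX 6.3 statement types the thread turns on, lists the review findings, and replays the PIX translation order (nat 0 exemption, then static, then the nat/global pools) for a chosen inside host. SAMPLE_CONFIG is a constructed excerpt modelled on the posted configuration, and all function and variable names are the example's own.

```python
"""Offline sanity checks for a PIX 6.3-style config. Added example for this
thread: not Cisco code and not the poster's tooling. It parses only the
statement types the thread turns on and applies the checks Sorenson made by
hand. SAMPLE_CONFIG is a constructed excerpt modelled on the posted config."""
import ipaddress
from collections import defaultdict

SAMPLE_CONFIG = """\
ip address outside 62.68.65.3 255.255.255.192
ip address inside 172.16.100.2 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 172.16.2.96 255.255.255.240
access-list OutsideIn permit tcp any host 62.68.65.43 eq www
access-list OutsideIn permit tcp any host 62.68.65.43 eq telnet
global (outside) 1 62.68.65.4-62.68.65.42
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 172.16.100.0 255.255.255.0 0 0
static (inside,outside) 62.68.65.43 172.16.110.2 netmask 255.255.255.255 0 0
static (outside,inside) 172.16.110.2 62.68.65.43 netmask 255.255.255.255 0 0
access-group OutsideIn in interface outside
conduit permit tcp host 62.68.65.43 eq www any
route outside 0.0.0.0 0.0.0.0 62.68.65.1 1
"""
ADMIN_PORTS = {"telnet", "ssh", "ftp", "3389"}  # never open these to 'any'


def _net(ip, mask):
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def _addr(tok, i):
    """Consume one ACL address spec ('any', 'host X' or 'X MASK') at tok[i]."""
    if tok[i] == "any":
        return _net("0.0.0.0", "0.0.0.0"), i + 1
    if tok[i] == "host":
        return _net(tok[i + 1], "255.255.255.255"), i + 2
    return _net(tok[i], tok[i + 1]), i + 2


def parse_config(text):
    """Pick the interface, NAT, ACL and routing statements out of a config dump."""
    cfg = {"ifaces": {}, "acls": defaultdict(list), "groups": {}, "nat0": None, "nats": [],
           "globals": defaultdict(list), "statics": [], "conduits": [], "routes": []}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) == 5 and tok[:2] == ["ip", "address"]:
            cfg["ifaces"][tok[2]] = ipaddress.ip_interface(f"{tok[3]}/{tok[4]}")
        elif len(tok) >= 6 and tok[0] == "access-list" and tok[2] == "permit":
            src, i = _addr(tok, 4)
            dst, i = _addr(tok, i)
            port = tok[i + 1] if len(tok) > i + 1 and tok[i] == "eq" else None
            cfg["acls"][tok[1]].append({"src": src, "dst": dst, "port": port})
        elif tok[:1] == ["access-group"]:
            cfg["groups"][tok[1]] = tok[4]               # acl name -> interface
        elif tok[:1] == ["global"]:
            cfg["globals"][tok[2]].append(tok[3])        # pool id -> address range
        elif tok[:1] == ["nat"] and tok[2] == "0":
            cfg["nat0"] = tok[4]                         # exemption ACL name
        elif tok[:1] == ["nat"] and len(tok) >= 5:
            cfg["nats"].append((tok[2], _net(tok[3], tok[4])))
        elif tok[:1] == ["static"]:                      # static (real_if,mapped_if) mapped real
            cfg["statics"].append({"real_if": tok[1].strip("()").split(",")[0],
                                   "mapped": tok[2], "real": tok[3]})
        elif tok[:1] == ["conduit"]:
            cfg["conduits"].append(line)
        elif tok[:1] == ["route"]:
            cfg["routes"].append((tok[1], _net(tok[2], tok[3])))
    return cfg


def audit(cfg):
    """Findings a reviewer would raise, in config order."""
    out = []
    if cfg["conduits"] and cfg["groups"]:
        out.append("conduit statements coexist with an access-group: remove the conduits")
    # Subnets the PIX can reach on a non-outside interface (connected or static route).
    inside = [i.network for n, i in cfg["ifaces"].items() if n != "outside"]
    inside += [net for ifc, net in cfg["routes"] if ifc != "outside"]
    forward = {(t["mapped"], t["real"]) for t in cfg["statics"] if t["real_if"] == "inside"}
    for s in cfg["statics"]:
        if s["real_if"] == "outside" and (s["real"], s["mapped"]) in forward:
            out.append(f"redundant static (outside,inside) for {s['real']}: the forward static already covers the reverse path")
        elif s["real_if"] == "inside" and not any(ipaddress.ip_address(s["real"]) in n for n in inside):
            out.append(f"static {s['mapped']} -> {s['real']}: no connected subnet or inside route reaches {s['real']}")
    for name, ifc in cfg["groups"].items():
        for r in cfg["acls"].get(name, []):
            if r["src"].prefixlen == 0 and r["port"] in ADMIN_PORTS:
                out.append(f"{name} on {ifc} exposes {r['port']} on {r['dst'].network_address} to any source")
    return out


def translate_outbound(cfg, src, dst):
    """Translation the PIX 6.3 applies to inside host src reaching dst:
    nat 0 exemption first, then static, then the nat/global pools."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(s in r["src"] and d in r["dst"] for r in cfg["acls"].get(cfg["nat0"], [])):
        return "nat 0 exemption", src
    for st in cfg["statics"]:
        if st["real_if"] == "inside" and st["real"] == src:
            return "static", st["mapped"]
    hits = [(net.prefixlen, pid) for pid, net in cfg["nats"] if s in net]
    if hits:                                             # longest-prefix nat wins
        pid = max(hits)[1]
        return f"nat/global pool {pid}", ", ".join(cfg["globals"][pid])
    return "no translation", None
```

On the excerpt, `audit` returns four findings: the conduit/access-group mix, the static whose real address 172.16.110.2 sits on no subnet the PIX has a connected interface or static route to, the redundant reverse static, and telnet permitted from any source; `translate_outbound(cfg, "172.16.100.4", "62.68.95.11")` shows the server leaving through the `nat 1` pool rather than the static, which is the mismatch the thread is chasing. The script deliberately knows nothing about RIP, so a real host that the PIX reaches only through a RIP-learned route is reported as unreachable and has to be checked against `show route` on the box.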
 

Author Comment

by:nasemabdullaa
ID: 18816594
Hi,
thanks for your reply.
>>>From inside your router can you ping an outside address
Yes. In my network the internet works now without the server, but I want to add a server to work as an ISA server (I have not installed ISA yet; the server only contains Windows 2003 Server). Therefore I want to change the configuration. (When I remove the server the internet works, but when I add the server the internet does not work.)

I changed the NIC gateway to 172.16.100.2 but the internet still does not work.

>>>I'm assuming you want people on the outside to get to this server
No, I want to add this server to work as an ISA server, but I have not installed the ISA server yet. For now I want to make the server work with the internet and then install ISA.

>>>Also remove the conduit commands, as they are not supported for use with the access-lists
I removed all conduit commands.

>>>Remove the static (outside,inside) commands, they are not correct
I removed all static (outside,inside) commands.
I use this command in the PIX for NAT:
static (inside,outside) X2.X2.X2.X2  172.16.100.4 netmask 255.255.255.255 0 0

but the internet still does not work.
Can you help me please?

thanks




0
 
LVL 10

Expert Comment

by:Sorenson
ID: 18816660
please post current config
0
 

Author Comment

by:nasemabdullaa
ID: 18816796
Hi,
thanks for your reply.
X2.X2.X2.X2 = 62.68.65.43
Configuration of the PIX:

PIX Version 6.3(5)                  
interface ethernet0 auto                        
interface ethernet1 auto                        
interface gb-ethernet0 1000auto shutdown                                        
interface gb-ethernet1 1000auto shutdown                                        
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security100                                  
nameif gb-ethernet0 intf2 security4                                  
nameif gb-ethernet1 intf3 s                        
domain-name Cisco                
fixup protocol dns maximum-length 512                                    
fixup protocol ftp 21                    
fixup protocol h323 h225 1720                            
fixup protocol h323 ras 1718-1719                                
fixup protocol http 80                      
fixup protocol rsh 514                      
fixup protocol rtsp 554                      
fixup protocol sip 5060                      
fixup protocol sip udp 5060                          
fixup protocol skinny 2000                          
fixup protocol smtp 25                      
fixup protocol sqlnet 1521                          
fixup protocol tftp 69                      
names    
access-list acl_out permit icmp any any                                      
access-list inside_outbound_nat0_acl permit ip any 172.16.2.96 255.255.255.240                                                                              
access-list OutsideIn permit tcp any host 62.68.65.43 eq www                                                          
access-list OutsideIn permit tcp any host 62.68.65.43 eq smtp                                                            
access-list OutsideIn permit tcp any host 62.68.65.43 eq ftp                                                            
access-list OutsideIn permit tcp any host 62.68.65.43 eq telnet                                                              
access-list OutsideIn permit tcp any host 62.68.65.43 eq 3389                                                            
access-list OutsideIn permit tcp any host 62.68.65.43 eq 69                                                          
access-list OutsideIn permit tcp any host 62.68.65.43 eq ssh                                                            
                                                       
                                                         
pager lines 24              
mtu outside 1500                
mtu inside 1500              
mtu intf2 1500              
mtu intf3 1500              
ip address outside 62.68.65.3 255.255.255.192                                            
ip address inside 172.16.100.2 255.255.255.0                                            
no ip address intf2                  
no ip address intf3                  
ip audit info action alarm                          
ip audit attack action alarm                            
no failover          
failover timeout 0:00:00                        
failover poll 15                
no failover ip addr                
no failover ip address inside                            
no failover ip address intf2                            
no failover ip address intf3                            
pdm location 172.16.2.70 255.255.255.255 inside                                              
pdm location 172.16.2.200 255.255.255.255 inside                                                
pdm location 172.16.2.0 255.255.255.0 inside                                            
pdm location 172.16.3.0 255.255.255.0 inside                                            
pdm location 172.16.4.0 255.255.255.0 inside                                            
pdm location 172.16.5.0 255.255.255.0 inside                                            
pdm location 172.16.6.0 255.255.255.0 inside                                            
pdm location 172.16.7.0 255.255.255.0 inside                                            
pdm location 172.16.8.0 255.255.255.0 inside                                            
pdm location 172.16.9.0 255.255.255.0 inside                                            
pdm location 172.16.10.0 255.255.255.0 inside                                            
pdm location 172.16.11.0 255.255.255.0 inside                                            
pdm location 172.16.12.0 255.255.255.0 inside                                            
pdm location 172.16.13.0 255.255.255.0 inside                                            
pdm location 172.16.14.0 255.255.255.0 inside                                            
pdm location 172.16.20.0 255.255.255.0 inside                                            
pdm location 172.16.30.0 255.255.255.0 inside                                            
pdm location 172.16.40.0 255.255.255.0 inside                                            
pdm location 172.16.50.0 255.255.255.0 inside                                            
pdm location 172.16.110.2 255.255.255.255 inside                                                
pdm location 172.16.120.2 255.255.255.255 inside                                                
pdm location 62.68.65.43 255.255.255.255 outside                                                
pdm location 62.68.65.44 255.255.255.255 outside                                                
pdm location 172.16.2.96 255.255.255.240 outside                                                
pdm history enable                  
arp timeout 14400                
global (outside) 1 62.68.65.4-62.68.65.42                                        
global (outside) 1 62.68.65.60                              
nat (inside) 0 access-list inside_outbound_nat0_acl                                                  
nat (inside) 1 172.16.2.0 255.255.255.0 0 0                                          
nat (inside) 1 172.16.3.0 255.255.255.0 0 0                                          
nat (inside) 1 172.16.4.0 255.255.255.0 0 0                                          
nat (inside) 1 172.16.5.0 255.255.255.0 0 0                        
nat (inside) 1 172.16.6.0 255.255.255.0 0 0                                          
nat (inside) 1 172.16.7.0 255.255.255.0 0 0                                          
nat (inside) 1 172.16.8.0 255.255.255.0 0 0                                          
nat (inside) 1 172.16.9.0 255.255.255.0 0 0                                          
nat (inside) 1 172.16.10.0 255.255.255.0 0 0                                            
nat (inside) 1 172.16.11.0 255.255.255.0 0 0                                            
nat (inside) 1 172.16.12.0 255.255.255.0 0 0                                            
nat (inside) 1 172.16.13.0 255.255.255.0 0 0                                            
nat (inside) 1 172.16.14.0 255.255.255.0 0 0                                            
nat (inside) 1 172.16.20.0 255.255.255.0 0 0                                            
nat (inside) 1 172.16.30.0 255.255.255.0 0 0                                            
nat (inside) 1 172.16.40.0                          
nat (inside) 1 172.16.100.0 255.255.255.0 0 0                                            
static (inside,outside) 62.68.65.43 172.16.110.2 netmask 255.255.255.255 0 0                                                                                                          
                                                                       
static (inside,outside) 62.68.65.44 172.16.120.2 netmask 255.255.255.255 0 0                                                                            
                                                                     
static (inside,outside) 62.68.65.50 172.16.14.130 netmask 255.255.255.255 0 0                                                                            
static (inside,outside) 62.68.65.51 172.16.2.7 netmask 255.255.255.255 0 0                                                                          
static (inside,outside) 62.68.65.52 172.16.2.6 netmask 255.255.255.255 0 0                                                                          
access-group OutsideIn in interface outside                                          
                 
                                             
rip inside passive version 1                            
route outside 0.0.0.0 0.0.0.0 62.68.65.1 1                                          
timeout xlate 3:00:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00                                                                            
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00                                                              
timeout sip-disconnect 0:02:00 sip-invite 0:03:00                                                
timeout uauth 0:05:00 absolute                              
aaa-server TACACS+ protocol tacacs+                                  
aaa-server TACACS+ max-failed-attempts 3                                        
aaa-server TACACS+ deadtime 10                              
aaa-server RADIUS protocol radius                                
aaa-server RADIUS max-failed-attempts 3                                      
aaa-server RADIUS deadtime 10                            
aaa-server LOCAL protocol local                              
http server enable                  
http 172.16.2.70 255.255.255.255                              
http 172.16.2.200 255.255.255.255 inside
http 172.16.130.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet 172.16.100.0 255.255.255.0 inside
telnet 172.16.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username nasem password *********
dhcpd address 172.16.100.50-172.16.100.225 inside
dhcpd dns 172.16.2.5
dhcpd lease 6000
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:c5cd988ba9cd16ce0bf9a83b9a95afb9

thanks
0
 
LVL 10

Expert Comment

by:Sorenson
ID: 18817270
After removing all of the settings,

do a clear xlate,
!
clear xlate
!
then try to browse the internet from the 172.16.110.2 server. If you get internet, go to www.ipchicken.com and check that your outside IP address is 62.68.65.43.
0
 

Author Comment

by:nasemabdullaa
ID: 18817310
Hi,
thanks for your reply.
I did that but the internet does not work.
Can you help me?

thanks
0
 
LVL 10

Expert Comment

by:Sorenson
ID: 18818215
What are the IP settings of the server?  Are other workstations on the network able to access the internet?
0
 
LVL 3

Expert Comment

by:daocs
ID: 18819079
Please provide some clarification on how your network is set up.  According to your NAT statements you have 17 networks set up.  Like Sorenson said:
What are your server IP settings?
What are your other computers' IP settings?
Can these other computers get to the internet?
Can you ping the gateway from the server?

0
 

Author Comment

by:nasemabdullaa
ID: 18822348
Hi,
this is my network scheme:
https://filedb.experts-exchange.com/incoming/ee-stuff/3029-network-scheme.JPG

                                                     distribution switch(1)
         I want to add the ISA server here           distribution switch(2)
router --> PIX --> ISA --> core switch -->           distribution switch(3) --> access switch --> PC
                                                     distribution switch(4)
-------------------------------------------------------------------------------------------------------------------

router (IP address 62.68.65.1)
  :
PIX outside: IP address 62.68.65.3
PIX inside: IP address 172.16.100.2
  :
ISA server, outside interface (connected to the PIX): IP address 172.16.100.4
  :
ISA server, inside interface (connected to the core switch): IP address 172.16.110.2
  :
core switch (layer 3 switch): IP address 172.16.110.1

And I made this change to the configuration in the PIX to forward the port to IP address 172.16.100.4:

static (inside,outside) 62.68.65.43 172.16.100.4 netmask 255.255.255.255 0 0
access-list OutsideIn permit tcp any host 62.68.65.43 eq www
access-group OutsideIn in interface outside

I want to use ISA as a firewall only.
This is what I did (I installed ISA) with two NICs, with this information for each card:

>>>>>What is your server ip settings

First card (connected to the PIX) information:
ip address 172.16.100.4
mask 255.255.255.0
gateway 172.16.100.2
DNS 62.68.95.11
DNS2 62.68.64.11

Second NIC (connected to the core switch) information:
IP 172.16.110.2
mask 255.255.255.0
and I added all my networks to ISA:
172.16.2.0
172.16.3.0--------------------------172.16.14.0

In the core switch I added a route to the inside NIC of ISA:
ip route 0.0.0.0 0.0.0.0 172.16.110.2

Before I added the server the network was working well on all VLANs and the internet worked.
When I add the server I cannot get internet on any computer or on the server.

>>>>>>>>>>>>What is your other computer ip settings
The settings of the network are in the file at the link below:

https://filedb.experts-exchange.com/incoming/ee-stuff/3032-network-configuration.txt

When I add the server, from the server I can ping the core switch (IP 172.16.100.1) and I can ping the internal PIX (IP address 172.16.100.2),
but I cannot ping any distribution switch (IP 172.16.30.1) or access switch (IP 172.16.30.9),
and I cannot ping the router (IP address 62.68.65.1).
But when I connect a computer directly to the router I can get to the internet.

Can you help me?

thanks


0
 
LVL 10

Assisted Solution

by:Sorenson
Sorenson earned 400 total points
ID: 18822702
The static should be to the "outside" NIC of the ISA server:
!
no static (inside,outside) 62.68.65.43 172.16.110.2 netmask 255.255.255.255 0 0
static (inside,outside) 62.68.65.43 172.16.100.4 netmask 255.255.255.255 0 0
!
0
 

Author Comment

by:nasemabdullaa
ID: 18823771
Hi,
thanks for your reply.
>>>>> The static should be to the "outside" NIC of the ISA server
That is what I said in my last post;
you can see my last post.

But the internet still does not work.

Thanks
0
 
LVL 10

Expert Comment

by:Sorenson
ID: 18824087
Please send the output from:
!
show run | include static
!
show run | include access-list
!
show run | include access-group
!

Also, from the ISA server, go to a DOS window and post the results of:
ipconfig /all
and
route print
0

Author Comment

by:nasemabdullaa
ID: 18824133
Hi, thanks for your reply.
I sent (in the link) show run for the router, the PIX, the core switch, the distribution switch and the access switch:
show run | include static
show run | include access-list
show run | include access-group
https://filedb.experts-exchange.com/incoming/ee-stuff/3032-network-configuration.txt

For ISA:
ip address 172.16.100.4
mask 255.255.255.0
gateway 172.16.100.2
DNS 62.68.95.11
DNS2 62.68.64.11

ip address 172.16.110.2
mask 255.255.255.0

Thanks




0
 
LVL 10

Expert Comment

by:Sorenson
ID: 18824200
Those are the original files; please send the output of the current configuration.

Please send the output from:
!
show run | include static
!
show run | include access-list
!
show run | include access-group
!

Also, from the ISA server, go to a DOS window and post the results of:
ipconfig /all
and
route print
0
 

Author Comment

by:nasemabdullaa
ID: 18828239
Hi,
thanks for your reply.
This is what I did in my PIX configuration:

router (IP address 62.68.65.1)
    |
PIX outside: IP address 62.68.65.3
PIX inside: IP address 10.100.100.1
    |
ISA server outside interface (connected to the PIX): IP address 10.100.100.2
    |
ISA server inside interface (connected to the core switch): IP address 172.16.100.2
    |
Core switch (layer 3 switch): IP address 172.16.100.1

Now the internet is working on the ISA server, but it is not working on any of my PCs (any VLAN from 1 to 14).
But when I disconnect the cable from the core switch and connect it directly to any computer, the internet works on that computer only (the internet works on only one computer). (I tried this configuration with one computer connected directly to the inside NIC of the ISA server.)
The computer configuration is:
ip 172.16.100.3
mask 255.255.255.0
gateway 172.16.100.2
dns1 62.68.95.11
dns2 62.68.64.11

ISA NIC configuration:
inside NIC configuration:
ip 172.16.100.2
mask 255.255.255.0
gateway none
dns1 62.68.95.11
dns2 62.68.64.11

outside NIC configuration:
ip 10.100.100.2
mask 255.255.255.0
gateway 10.100.100.2
dns1 62.68.95.11
dns2 62.68.64.11

When I made this configuration, the internet worked on the ISA server and on the computer connected directly to the inside NIC of the ISA server, but when I disconnected that computer and connected the inside NIC of the ISA server to the core switch, the internet did not work on any PC but worked only on the server
(I mean only the computer connected directly to the ISA server works, but no computer connected to the core switch works).

show run (the information is here):
https://filedb.experts-exchange.com/incoming/ee-stuff/3048-sh-run.txt

From the ISA server I can ping the core switch, IP 172.16.100.1, but I cannot ping the distribution switch that is connected to the core switch (IP 172.16.30.1), and I cannot ping the access switch that is connected to the distribution switch (access switch IP 172.16.30.4).

From any computer I can ping any other switch, all distribution switches and the core switch, but I cannot ping the inside NIC of the ISA server, 172.16.100.2.

From any computer I can telnet to any other switch, but I cannot get into the PIX, the router or the ISA server.
I do not have any output for (show run | include static, show run | include access-list, show run | include access-group) on any of the core or distribution switches.
I added all networks in the ISA server (172.16.2.0-172.16.2.255 ... 172.16.14.0-172.16.14.255, 172.16.100.0-172.16.100.255, 10.100.100.0-10.100.100.255, 172.16.20.0-172.16.20.255, 172.16.30.0-172.16.30.255, 172.16.40.0-172.16.40.255).

Can you help me?




0
 

Author Comment

by:nasemabdullaa
ID: 18831815
Hi,
can I get help?
Thanks
0
 
LVL 10

Accepted Solution

by:
Sorenson earned 400 total points
ID: 18835786
nasemabdullaa,

I am not sure where this configuration stands. From your last message and testing, you need to add the routes to each of your internal networks on your ISA server (which is why I asked for route print from that server).

route -p add 172.16.30.0 netmask 255.255.255.0 172.16.100.1  (etc.)

so that the ISA server knows where each inside network is.
0
 
LVL 10

Expert Comment

by:Sorenson
ID: 18835788
If you can access the internet from the ISA server, then the PIX is configured correctly. The problem then moves to the ISA server configuration.
0
 

Author Comment

by:nasemabdullaa
ID: 18835901
Hi Sorenson,
I am happy to hear from you.
>>> route -p add 172.16.30.0 netmask 255.255.255.0 172.16.100.1
Can you explain more about this?
How do I use this command?
And why can I not ping from any distribution and access switch to the inside NIC of the ISA server?

Thanks
0
 
LVL 10

Expert Comment

by:Sorenson
ID: 18835958
Your ISA server has a default route set to point to the internet.
It has an inside NIC without a default gateway. Therefore the only inside network that it knows about is the one directly connected to it.
Go to a cmd window on the ISA server and type "route print"; it will list the routes that the ISA server knows. You need to manually add the other internal routes so that it knows how to send traffic back to your other distribution switches and VLANs.

You will need to add the routes using the route command.
-p saves the route to the registry (so that it stays when you reboot);
the rest is basic routing: network - subnet - gateway.
See: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/prork/prcc_tcp_mgyl.mspx?mfr=true
0
 

Author Comment

by:nasemabdullaa
ID: 18836000
Hi,
thanks for your reply and for your time.
>>> you will need to add the routes using the route command
Must I add all networks to the routing table?

I have one more question:
can I use external DNS on the inside NIC of the ISA server or not? I mean, must I have an internal DNS server or not?
And is the configuration below of the inside NIC of the ISA server correct or not?

ISA NIC configuration:
inside NIC configuration:
ip 172.16.100.2
mask 255.255.255.0
gateway none
dns1 62.68.95.11
dns2 62.68.64.11

Thanks
0
 

Author Comment

by:nasemabdullaa
ID: 18836027
Hi,
>>>>>> route -p add 172.16.30.0 netmask 255.255.255.0 172.16.100.1
172.16.30.0 is my network that must be added.
172.16.100.1: must I route to the IP address of the NIC of the ISA server or to the IP address of the core switch?
The IP address of the inside NIC is 172.16.100.2; do you mean 172.16.100.2, not 172.16.100.1? (true or not)

Thanks
0
 
LVL 10

Expert Comment

by:Sorenson
ID: 18836443
If you are adding a route on the ISA server, you do not want to point it at itself.

172.16.100.2 is the IP address of ISA;
172.16.30.0 is one subnet you are trying to get to;
172.16.100.1 is the main switch that already knows where 172.16.30.x is.

On the ISA server:
route -p add 172.16.30.0 netmask 255.255.255.0 172.16.100.1
0
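To make the routing explanation in Sorenson's two comments above concrete, here is an added example (not code from the thread or from either participant). It simulates the ISA server's IPv4 routing table with longest-prefix matching, using the addresses posted in the thread, shows where a reply to a ping from an access switch goes before and after the static routes exist, and prints one `route -p add` line per internal subnet. Assumptions: the outside NIC's default gateway is the PIX inside address 10.100.100.1, and every internal subnet is a /24, as the posted masks suggest. The generated lines use the documented Windows keyword `mask` (the line posted in the thread uses `netmask`).

```python
"""Added example: why the ISA server needs static routes for the inside subnets.

Not part of the original thread. Addresses are the ones posted there; the
default gateway (10.100.100.1, PIX inside) and the /24 masks are assumptions.
"""
import ipaddress
from typing import List, Tuple

# (destination, next hop, interface); "on-link" marks a directly connected subnet
Route = Tuple[ipaddress.IPv4Network, str, str]

CORE_SWITCH = "172.16.100.1"   # core (layer 3) switch, already knows every VLAN subnet
PIX_INSIDE = "10.100.100.1"    # assumed default gateway for the ISA outside NIC


def isa_routes_before() -> List[Route]:
    """Routes the ISA server has from its NIC settings alone: a default route
    out of the outside NIC plus the two directly connected subnets. The inside
    NIC has no gateway, so nothing points at the VLANs behind the core switch."""
    return [
        (ipaddress.ip_network("0.0.0.0/0"), PIX_INSIDE, "outside"),
        (ipaddress.ip_network("10.100.100.0/24"), "on-link", "outside"),
        (ipaddress.ip_network("172.16.100.0/24"), "on-link", "inside"),
    ]


def internal_subnets() -> List[str]:
    """Subnets behind the core switch as listed in the thread: VLANs 2-14 and
    the four distribution blocks (deduplicated, since 172.16.10.0/24 appears
    in both). Access switches such as 172.16.30.2-.10 sit inside their
    distribution /24, so they need no route of their own."""
    vlans = [f"172.16.{n}.0/24" for n in range(2, 15)]
    distribution = ["172.16.10.0/24", "172.16.20.0/24",
                    "172.16.30.0/24", "172.16.40.0/24"]
    return list(dict.fromkeys(vlans + distribution))


def lookup(table: List[Route], dst: str) -> Route:
    """Longest-prefix match, the rule every IP stack applies when sending a packet."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in table if ip in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen)


def isa_routes_after(subnets: List[str]) -> List[Route]:
    """The table once each inside subnet is routed via the core switch."""
    table = list(isa_routes_before())
    for s in subnets:
        table.append((ipaddress.ip_network(s), CORE_SWITCH, "inside"))
    return table


def route_add_commands(subnets: List[str], gateway: str = CORE_SWITCH) -> List[str]:
    """One persistent (-p) Windows route per subnet, next hop = core switch."""
    cmds = []
    for s in subnets:
        net = ipaddress.ip_network(s)
        cmds.append(f"route -p add {net.network_address} mask {net.netmask} {gateway}")
    return cmds


if __name__ == "__main__":
    target = "172.16.30.4"  # an access switch the poster could not ping from ISA
    before = lookup(isa_routes_before(), target)
    print(f"before: {target} -> via {before[1]} on {before[2]} (sent out to the PIX, no reply path)")
    after = lookup(isa_routes_after(internal_subnets()), target)
    print(f"after:  {target} -> via {after[1]} on {after[2]}")
    print("\n".join(route_add_commands(internal_subnets())))
```

Before the routes are added, the reply to a ping from 172.16.30.4 matches only the default route and leaves through the outside NIC towards the PIX, which is exactly the symptom in the thread: the core switch (directly connected) answers, everything behind it does not. After the per-subnet routes point at 172.16.100.1, the reply leaves through the inside NIC and the core switch delivers it.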
 

Author Comment

by:nasemabdullaa
ID: 18836529
Hi,
thanks for your reply.
I have 4 distribution switches with these IPs:
172.16.10.1: must I add route 172.16.10.0 to the ISA server?
172.16.20.1: must I add route 172.16.20.0 to the ISA server?
172.16.30.1: must I add route 172.16.30.0 to the ISA server?
172.16.40.1: must I add route 172.16.40.0 to the ISA server?

And access switches (I have 36 access switches):
9 switches with IP addresses (172.16.10.2 - 172.16.10.10) connected to the distribution switch with IP 172.16.10.1
9 switches with IP addresses (172.16.20.2 - 172.16.20.10) connected to the distribution switch with IP 172.16.20.1
9 switches with IP addresses (172.16.30.2 - 172.16.30.10) connected to the distribution switch with IP 172.16.30.1
9 switches with IP addresses (172.16.40.2 - 172.16.40.10) connected to the distribution switch with IP 172.16.40.1

Must I add routes for all these switches to the ISA server or not (I mean, only the distribution switches)?

Thanks

0
 

Author Comment

by:nasemabdullaa
ID: 18843168
Hi,
thanks keith_alabaster and Sorenson.
I am really sorry about this; it was my mistake (if there is anything I can do, please tell me). Sorry again.
After I added the route, the internet works on all computers.
I used the command sent by Sorenson:
route -p add 172.16.30.0 netmask 255.255.255.0 172.16.100.1

Thanks again
0
