Cisco PIX 506 Help!! workstations can not access internet?

Posted on 2007-10-18
Last Modified: 2010-04-09
Recently purchased a used Cisco PIX 506, ver 6.3(5). I have reset it to factory defaults and followed the recommended settings from Cisco; now I have some issues.

Our network is setup like this

T1 Router <-- PIX --> Network Switch -> Server, workstations

PIX has an outside IP of 216.xx.xx.2
PIX has an inside IP of 192.168.1.1

The server is set up for DHCP and has an internal IP of 192.168.1.10; workstations obtain their IP from the server.

Because the server is also a web server, I have set up a static route to forward www traffic to the 192.168.1.10 server.

Everything works fine on the server, and I can access the server from the public too.

However, none of the workstations are able to access the internet.

I can ping the server and the PIX from a workstation, but cannot ping any outside IP.

What command should I use to allow outbound traffic from workstations?

Question by: mike2016
5 Comments
LVL 19

Accepted Solution

by: nodisco (earned 1400 total points)
ID: 20103955
hi

As you already have access working to the translated server - you have got a working access-list on the outside interface.  So just add the following lines to the acl - replacing "fromoutside" with the name of your acl:
access-list fromoutside permit icmp any any echo-reply
access-list fromoutside permit icmp any any unreachable
access-list fromoutside permit icmp any any time-exceeded

This will allow ICMP (ping) packets back in so you can ping websites etc.

hth
LVL 79

Assisted Solution

by: lrmoore (earned 600 total points)
ID: 20103978
It might be in your static statement.

NOT OK where the static NAT maps to the same IP as the global:
 global (outside) 1 216.xx.xx.2
 nat (inside) 1 0 0 0
 static (inside,outside) 216.xx.xx.2 192.168.1.10 netmask 255.255.255.255

OK using the interface keyword and port-specific NAT where the MX record = the same IP as assigned to the interface:
 global (outside) 1 interface
 nat (inside) 1 0 0 0
 static (inside,outside) tcp interface 25 192.168.1.10 25 netmask 255.255.255.255
 
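As an added, runnable check that is not from either answer above and not Cisco's own tooling, the script below parses a PIX 6.x configuration fragment and tests for both conditions raised in this thread: whether the ACL bound inbound on the outside interface permits the three ICMP reply types nodisco lists, and whether a one-to-one static shares its address with the global PAT address, the case lrmoore flags. Both config fragments are constructed; "fromoutside" is the thread's placeholder ACL name and 216.0.2.2 stands in for the 216.xx.xx.2 address.

```python
import re

# Constructed example PIX 6.x fragment, not from the original post. The ACL name
# "fromoutside" is the thread's placeholder; 216.0.2.2 stands in for 216.xx.xx.2.
BROKEN_CONFIG = """\
ip address outside 216.0.2.2 255.255.255.0
global (outside) 1 216.0.2.2
nat (inside) 1 0 0 0
static (inside,outside) 216.0.2.2 192.168.1.10 netmask 255.255.255.255
access-list fromoutside permit tcp any host 216.0.2.2 eq www
access-group fromoutside in interface outside
"""

# Same fragment after applying both answers: 'interface' keyword plus a port-specific
# static, and the three ICMP reply types added to the outside ACL.
FIXED_CONFIG = """\
ip address outside 216.0.2.2 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0 0 0
static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255
access-list fromoutside permit tcp any host 216.0.2.2 eq www
access-list fromoutside permit icmp any any echo-reply
access-list fromoutside permit icmp any any unreachable
access-list fromoutside permit icmp any any time-exceeded
access-group fromoutside in interface outside
"""

REQUIRED_ICMP = ("echo-reply", "unreachable", "time-exceeded")

def missing_icmp_replies(config):
    """ICMP reply types that the ACL bound inbound on 'outside' does not permit."""
    lines = config.splitlines()
    bound = [m[1] for m in map(re.compile(r"access-group (\S+) in interface outside$").match, lines) if m]
    if not bound:  # no inbound ACL on outside at all: replies never get in
        return list(REQUIRED_ICMP)
    rule = re.compile(rf"access-list {re.escape(bound[0])} permit icmp any any (\S+)$")
    allowed = {m[1] for m in map(rule.match, lines) if m}
    return [t for t in REQUIRED_ICMP if t not in allowed]

def static_global_conflicts(config):
    """Outside addresses used both as a PAT 'global' address and as a one-to-one 'static'."""
    lines = config.splitlines()
    iface = next((m[1] for m in map(re.compile(r"ip address outside (\S+)").match, lines) if m), None)
    pat = {iface if m[1] == "interface" else m[1]
           for m in map(re.compile(r"global \(outside\) \d+ (\S+)").match, lines) if m}
    one_to_one = {iface if m[1] == "interface" else m[1]
                  for m in map(re.compile(r"static \(inside,outside\) (\S+) (\S+)").match, lines)
                  if m and m[1] not in ("tcp", "udp")}  # port-specific statics may share the address
    return sorted(a for a in pat & one_to_one if a)
```

Run `missing_icmp_replies(BROKEN_CONFIG)` and `static_global_conflicts(BROKEN_CONFIG)` to see both findings; the same calls on `FIXED_CONFIG` return empty lists.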
 

Author Comment

by: mike2016
ID: 20104918
Thanks for the replies! I will try that after work hours...

One thing I was thinking though: the way I connected the cables is like this.

All devices (T1 router, server, workstations) are connected to the same switch; I had to do this because I don't have a 25 ft long crossover cable to connect the T1 router to the firewall...
LVL 19

Assisted Solution

by: nodisco (earned 1400 total points)
ID: 20105019
whoa!
If they are not separated by VLANs on the switch then you are leaving the internal LAN open to attack from the internet, as the firewall is not protecting them.
Ensure you segregate the connections so that the public and private networks are separate and the firewall is the junction point.
e.g.

T1 router > firewall > Inside LAN > servers/workstations.

hth
Author Comment

by: mike2016
ID: 20105094
OMG, it's good I asked that... okay, I'll separate them right away.

Will try the access-list commands after work to confirm the progress! Thanks again.