?
Solved

Cisco PIX 525 firewall configuration query

Posted on 2009-05-14
4
Medium Priority
?
550 Views
Last Modified: 2012-05-07
I am attempting to setup a simple configuration on a Cisco PIX 525 firewall.

For whatever reason I cannot seem to get traffic to pass from the inside network to the internet.
starting from a blank firewall we have configured the inside interface and enabled ASDM on the internal network.  The rest of the configuration was carried out through ASDM configure the outide interface and allow all traffic from the internal network outbound.

However when we attempt to connect to any resource on the internet we fail to connect.
Logging shows the connections being created to the correct destination.

If we ping the default gateway from the internal network we get no response.  If we ping the default gateway from a console session on the firewall we get a response.  If we ping an internet address from the console seeion we also get a response.

Have I missed something obvious or should this configuration work?

Here is the configuration
: Saved
:
PIX Version 7.2(4)
!
hostname gw-test
domain-name exact3ex.co.uk
enable password .xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 194.143.179.20 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name exact3ex.co.uk
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 194.143.179.21 netmask 255.255.255.0
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 194.143.179.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.0.70 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f9e9cad0c537f33dd04f4e803b00594f
: end
asdm image flash:/asdm
no asdm history enable
0
Comment
Question by:vodyanoi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 15

Expert Comment

by:bignewf
ID: 24389559
question- can your workstations ping the inside interface of the pix?
how is  your default gateway of your internal network configured? Do your network switches point to the inside interface of the pix, i.e

ip route 0.0.0.0 0.0.0.0 192.168.0.1 (or similar command depending on type of switch)

check your default gateways, as you state the inside of the asa can reach the internet, but the hosts cannot

by default, all inbound traffic is allowed out unless prevented by outbound access list.
Also, is the internal lan just a 192.168.0.0/24 network, or are there other networks?
If so, then you need static route statements in the pix
0
 
LVL 5

Expert Comment

by:ksims1129
ID: 24391861
you also need a nat access-list so that firewall knows what to translate. add the following to your config.

access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

the reason you can;t ping the internal interface is the firewall is routing it out to the internet. once you apply the two able lines of config it will work like a dream.
0
 

Author Comment

by:vodyanoi
ID: 24393309
Bignewf:

Reading back through my post I realise I didn't make the situation completely clear.
So I will try again.
Internal network is just 192.168.0.0/24 - default gateway is 192.168.0.1 ( inside interface of the firewall )
My workstaion can ping the inside interface of the firewall
It cannot ping the outside interface of the firewall or anything beyond it. When I was talking about the default gateway I meant the public gateway as seen from the firewall ( 194.143.179.1 )
apologies for any confusion this may have caused

Spencer
0
 
LVL 5

Accepted Solution

by:
ksims1129 earned 500 total points
ID: 24394289
this will fix the ability for traffic to traverse the firewall.

access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
0

Featured Post

WatchGuard's M Series Appliances - Miecom Approved

WatchGuard's newest M series appliances were put to the test by Miercom.  We had great results and outperformed all of our competitors in both stateless and stateful traffic throghput scenarios! Ready to see how your UTM appliance stacked up? Download the Miercom Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question