Solved

Cisco PIX 525 firewall configuration query

Posted on 2009-05-14
4
505 Views
Last Modified: 2012-05-07
I am attempting to setup a simple configuration on a Cisco PIX 525 firewall.

For whatever reason I cannot seem to get traffic to pass from the inside network to the internet.
starting from a blank firewall we have configured the inside interface and enabled ASDM on the internal network.  The rest of the configuration was carried out through ASDM configure the outide interface and allow all traffic from the internal network outbound.

However when we attempt to connect to any resource on the internet we fail to connect.
Logging shows the connections being created to the correct destination.

If we ping the default gateway from the internal network we get no response.  If we ping the default gateway from a console session on the firewall we get a response.  If we ping an internet address from the console seeion we also get a response.

Have I missed something obvious or should this configuration work?

Here is the configuration
: Saved
:
PIX Version 7.2(4)
!
hostname gw-test
domain-name exact3ex.co.uk
enable password .xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 194.143.179.20 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name exact3ex.co.uk
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 194.143.179.21 netmask 255.255.255.0
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 194.143.179.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.0.70 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f9e9cad0c537f33dd04f4e803b00594f
: end
asdm image flash:/asdm
no asdm history enable
0
Comment
Question by:vodyanoi
  • 2
4 Comments
 
LVL 15

Expert Comment

by:bignewf
Comment Utility
question- can your workstations ping the inside interface of the pix?
how is  your default gateway of your internal network configured? Do your network switches point to the inside interface of the pix, i.e

ip route 0.0.0.0 0.0.0.0 192.168.0.1 (or similar command depending on type of switch)

check your default gateways, as you state the inside of the asa can reach the internet, but the hosts cannot

by default, all inbound traffic is allowed out unless prevented by outbound access list.
Also, is the internal lan just a 192.168.0.0/24 network, or are there other networks?
If so, then you need static route statements in the pix
0
 
LVL 5

Expert Comment

by:ksims1129
Comment Utility
you also need a nat access-list so that firewall knows what to translate. add the following to your config.

access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

the reason you can;t ping the internal interface is the firewall is routing it out to the internet. once you apply the two able lines of config it will work like a dream.
0
 

Author Comment

by:vodyanoi
Comment Utility
Bignewf:

Reading back through my post I realise I didn't make the situation completely clear.
So I will try again.
Internal network is just 192.168.0.0/24 - default gateway is 192.168.0.1 ( inside interface of the firewall )
My workstaion can ping the inside interface of the firewall
It cannot ping the outside interface of the firewall or anything beyond it. When I was talking about the default gateway I meant the public gateway as seen from the firewall ( 194.143.179.1 )
apologies for any confusion this may have caused

Spencer
0
 
LVL 5

Accepted Solution

by:
ksims1129 earned 125 total points
Comment Utility
this will fix the ability for traffic to traverse the firewall.

access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Port forwarding in Cisco RV215w 2 30
SSH logs Cisco switch 4 28
Extending  a subnet 9 34
Cisco VPN Client and Windows 10 9 22
This is about downgrading PIX Version 8.0(4) & ASDM 6.1(5) to PIX 7.2(4) and ASDM 5.2(4) but with only 64MB RAM and 16MB flash. Background: You have a Cisco Pix 515E which was running on PIX 7.2(4) and its supporting ASDM 5.2(4) without any i…
Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now