Solved

Cisco PIX 525 firewall configuration query

Posted on 2009-05-14
Last Modified: 2012-05-07
I am attempting to setup a simple configuration on a Cisco PIX 525 firewall.

For whatever reason I cannot seem to get traffic to pass from the inside network to the internet.
Starting from a blank firewall we have configured the inside interface and enabled ASDM on the internal network. The rest of the configuration was carried out through ASDM: configuring the outside interface and allowing all traffic from the internal network outbound.

However when we attempt to connect to any resource on the internet we fail to connect.
Logging shows the connections being created to the correct destination.

If we ping the default gateway from the internal network we get no response. If we ping the default gateway from a console session on the firewall we get a response. If we ping an internet address from the console session we also get a response.

Have I missed something obvious or should this configuration work?

Here is the configuration:
: Saved
:
PIX Version 7.2(4)
!
hostname gw-test
domain-name exact3ex.co.uk
enable password .xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 194.143.179.20 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name exact3ex.co.uk
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 194.143.179.21 netmask 255.255.255.0
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 194.143.179.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.0.70 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f9e9cad0c537f33dd04f4e803b00594f
: end
asdm image flash:/asdm
no asdm history enable
Question by:vodyanoi
4 Comments
LVL 15

Expert Comment

by:bignewf
ID: 24389559
Question: can your workstations ping the inside interface of the PIX?
How is the default gateway of your internal network configured? Do your network switches point to the inside interface of the PIX, i.e.

ip route 0.0.0.0 0.0.0.0 192.168.0.1 (or similar command depending on type of switch)

Check your default gateways, as you state the inside of the ASA can reach the internet, but the hosts cannot.

By default, all inbound traffic is allowed out unless prevented by an outbound access list.
Also, is the internal LAN just a 192.168.0.0/24 network, or are there other networks?
If so, then you need static route statements in the PIX.
LVL 5

Expert Comment

by:ksims1129
ID: 24391861
You also need a NAT access-list so that the firewall knows what to translate. Add the following to your config.

access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

The reason you can't ping the internal interface is that the firewall is routing it out to the internet. Once you apply the two above lines of config it will work like a dream.

Author Comment

by:vodyanoi
ID: 24393309
Bignewf:

Reading back through my post I realise I didn't make the situation completely clear.
So I will try again.
Internal network is just 192.168.0.0/24 - default gateway is 192.168.0.1 (inside interface of the firewall).
My workstation can ping the inside interface of the firewall.
It cannot ping the outside interface of the firewall or anything beyond it. When I was talking about the default gateway I meant the public gateway as seen from the firewall (194.143.179.1).
Apologies for any confusion this may have caused.

Spencer
LVL 5

Accepted Solution

by: ksims1129 (earned 125 total points)
ID: 24394289
This will fix the ability for traffic to traverse the firewall.

access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
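The thread turns on a handful of lines in the posted config: the nat/global pair, the default route, and (after the accepted answer) the identity-NAT exemption. The script below is an added example, written for this page and not code from the poster, the answerers or Cisco. It parses a constructed excerpt of the running-config from the question, re-runs the same checks with the accepted answer's two lines appended, and reports what each NAT rule covers. The checks encode PIX 7.x behaviour as assumed here: under nat-control an inside-to-outside flow needs a nat (inside) ID matched by a global (outside) ID or a nat 0 exemption; global and gateway addresses must sit on the outside subnet; and pings sent through the box need `inspect icmp` (absent from the posted policy-map) or an inbound ACL for the echo replies to be accepted. Function and variable names are the example's own.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 7.2 running-config posted in the question: only the
# interface, NAT, routing and inspection lines that decide whether inside hosts reach
# the internet. Passwords, timeouts and the other inspections are left out on purpose.
POSTED_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address 194.143.179.20 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
nat-control
global (outside) 101 194.143.179.21 netmask 255.255.255.0
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 194.143.179.1 1
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
service-policy global_policy global
"""

# The two lines from the accepted answer, appended to re-run the audit after the change.
ACCEPTED_FIX = """\
access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
"""


def parse_pix(config: str) -> dict:
    """Pull interfaces, nat/global pairs, ACLs, routes and inspections out of PIX 7.x text."""
    st = {"ifaces": {}, "nat": [], "global": {}, "acl": {}, "routes": [],
          "inspect": set(), "nat_control": False}
    cur = None  # interface block being collected, if any
    for raw in config.splitlines():
        s = raw.strip()
        if raw.startswith(" ") and cur is not None:
            tok = s.split()  # nameif / security-level / ip address inside an interface block
            if tok[0] == "nameif":
                cur["name"] = tok[1]
            elif tok[0] == "security-level":
                cur["sec"] = int(tok[1])
            elif tok[:2] == ["ip", "address"]:
                cur["addr"] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
            continue
        if cur is not None and "name" in cur:  # a non-indented line closes the block
            st["ifaces"][cur["name"]] = cur
        cur = {} if s.startswith("interface ") else None
        if cur is not None:
            continue
        if s == "nat-control":
            st["nat_control"] = True
        elif m := re.match(r"global \((\S+)\) (\d+) (\S+)", s):
            st["global"][(m[1], int(m[2]))] = ipaddress.ip_address(m[3])
        elif m := re.match(r"nat \((\S+)\) (\d+) (.+)", s):
            st["nat"].append((m[1], int(m[2]), m[3]))
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", s):
            st["acl"].setdefault(m[1], []).append(
                (ipaddress.ip_network(f"{m[2]}/{m[3]}"), ipaddress.ip_network(f"{m[4]}/{m[5]}")))
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", s):
            st["routes"].append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}"),
                                 ipaddress.ip_address(m[4])))
        elif s.startswith("inspect "):
            st["inspect"].add(s.split()[1])
    if cur is not None and "name" in cur:
        st["ifaces"][cur["name"]] = cur
    return st


def audit(config: str) -> list:
    """Return findings about outbound reachability from the 'inside' to the 'outside' interface."""
    st = parse_pix(config)
    findings = []
    # 1. Under nat-control an inside->outside flow needs a translation: a nat (inside) ID
    #    paired with a global (outside) ID, or a nat 0 exemption for that traffic.
    if st["nat_control"]:
        paired = [nid for ifn, nid, _ in st["nat"]
                  if ifn == "inside" and nid and ("outside", nid) in st["global"]]
        if not paired:
            findings.append("nat-control is on but no nat (inside) ID has a matching "
                            "global (outside) ID; inside hosts have no translation outbound")
    # 2. A global pool address off the outside subnet has no return path from the upstream router.
    for (ifn, nid), addr in st["global"].items():
        if addr not in st["ifaces"][ifn]["addr"].network:
            findings.append(f"global ({ifn}) {nid} address {addr} is not on the {ifn} subnet")
    # 3. The default-route gateway must be directly reachable on the interface it is set on.
    for ifn, net, gw in st["routes"]:
        if net.prefixlen == 0 and gw not in st["ifaces"][ifn]["addr"].network:
            findings.append(f"default gateway {gw} is not on the {ifn} subnet")
    # 4. Without icmp inspection the PIX keeps no state for echo requests, so replies to pings
    #    sent through the box are dropped unless an outside ACL permits them in.
    if "icmp" not in st["inspect"]:
        findings.append("no 'inspect icmp' in the global policy: echo replies to pings sent "
                        "through the firewall are not matched to a connection and are dropped")
    # 5. Show exactly which source/destination pairs an identity-NAT rule exempts.
    for ifn, nid, spec in st["nat"]:
        if nid == 0 and spec.startswith("access-list"):
            for src, dst in st["acl"].get(spec.split()[1], []):
                findings.append(f"nat ({ifn}) 0 exempts {src} -> {dst} from translation")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", POSTED_CONFIG), ("with NONAT", POSTED_CONFIG + ACCEPTED_FIX)):
        print(f"== {label} ==")
        for f in audit(cfg):
            print(" -", f)
```

Run as posted, the only finding is the missing icmp inspection; the nat 101 / global 101 pair already satisfies nat-control for 192.168.0.0/24, and both the global address and the gateway are on the outside /24. With the accepted answer appended, the audit additionally lists the exemption as 192.168.0.0/24 -> 192.168.0.0/24, which makes the scope of the NONAT rule explicit when reading the result.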