• Status: Solved

Cannot Ping outside Pix 506e from inside

I'm in the process of changing ISPs (Sprint to ATT) and I need to change my Pix 506e configuration.  My Pix skills are very basic.  I copied the existing Sprint config and pasted it into Notepad.  I replaced all the existing Sprint IP addresses with the new ATT addresses and then copied/pasted into terminal and write mem.  

Currently, I cannot ping the outside ethernet from the inside ethernet or get out to the internet.  Thanks for your help in advance.

Here's a copy of the config.  
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside-in permit icmp any any
access-list outside-in permit tcp any host 12.xxx.xxx.67 eq smtp
access-list outside-in permit tcp any host 12.xxx.xxx.67 eq https
access-list outside-in permit tcp any host 12.xxx.xxx.67 eq www
access-list outside-in permit tcp any host 12.xxx.xxx.68 eq pptp
access-list outside-in permit gre any host 12.xxx.xxx.68
access-list outside-in permit udp any host 12.xxx.xxx.66 eq snmptrap
access-list dantel1 permit ip 10.0.0.0 255.0.0.0 10.1.1.0 255.255.255.0
access-list dantel1 permit ip any 10.1.1.0 255.255.255.240
access-list splitdantel1 permit ip 10.0.0.0 255.0.0.0 10.1.1.0 255.255.255.0
access-list outside_cryptomap_dyn_21 permit ip any 10.1.1.0 255.255.255.240
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 12.xxx.xxx.66 255.255.255.240
ip address inside 10.1.1.8 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool dantelpool 10.1.1.1-10.1.1.10
pdm location 192.168.0.89 255.255.255.255 inside
pdm location 192.168.0.21 255.255.255.255 inside
pdm location 10.1.1.0 255.255.255.0 outside
pdm location 192.168.0.19 255.255.255.255 inside
pdm location 66.215.72.163 255.255.255.255 outside
pdm location 10.1.21.15 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list dantel1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) udp 12.xxx.xxx.66 snmptrap 10.1.21.15 snmptrap netmask 255.255.255.255 0 0
static (inside,outside) 12.xxx.xxx.67 192.168.0.21 netmask 255.255.255.255 0 0
static (inside,outside) 12.xxx.xxx.68 192.168.0.19 netmask 255.255.255.255 0 0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 12.xxx.xxx.65 1
http server enable
http 192.168.0.89 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto dynamic-map cisco 21 match address outside_cryptomap_dyn_21
crypto dynamic-map cisco 21 set transform-set myset
crypto map newmap 10 ipsec-isakmp dynamic cisco
crypto map newmap client authentication partnerauth
crypto map newmap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.0.89 255.255.255.255 inside
Asked by: tcarrillo

predragpetrovic Commented:
hi,

well there is nothing here to do except change the IP addresses. I would like to know if you have set the default route for the new network range.

a) Change IP address of the outside interface
b) Take a note of existing NATs and PATs
c) Remove existing NATs and PATs
d) Enter new NATs and PATs with the corresponding new IP address(es)
e) Remove the old default route
f) Add a new default route
g) Rewrite the access-lists with the new corresponding IP address(es).

This should be a straightforward task.

predrag

tcarrillo (Author) Commented:
I'm sure it is very straightforward for someone who knows what he is doing.  I do not fall into this group.

I cannot tell from your response if what I did is acceptable.  NOTE: The config shown is the running config for the new ISP.  Everything has been changed but it is not working.  The config reads line for line like the old config but has the new IP addresses in it.

I thought a starting place would be to solve why I can't ping the outside IP address.  What do I do from here?

tcarrillo (Author) Commented:
Many hours later I now know how to configure a Pix 506e.  The config above worked once it was correctly saved to the Pix.
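
The thread turns on two things: the address-swap procedure in steps a) to g), and the fact that the edited config only worked once it was actually saved to the Pix. The following is an added example, not part of the original thread and not the posters' code: a Python check that compares the edited config text with the text captured back from the firewall and flags lines that never took, leftover old-ISP addresses, and a default gateway outside the new outside subnet. The function names, the finding labels and the sample addresses (documentation ranges) are assumptions made for the example.

```python
import ipaddress
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def norm(text):
    """Non-empty config lines with whitespace collapsed."""
    return [" ".join(l.split()) for l in text.splitlines() if l.strip()]

def outside_network(lines):
    """Subnet taken from the 'ip address outside <ip> <mask>' line."""
    for line in lines:
        m = re.match(r"ip address outside (\S+) (\S+)$", line)
        if m:
            return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    raise ValueError("no 'ip address outside' line in intended config")

def audit_migration(intended, device, old_block):
    """Return (finding, line) pairs for the edited config vs. what the Pix holds."""
    want, have = norm(intended), set(norm(device))
    old_net, new_net = ipaddress.ip_network(old_block), outside_network(want)
    findings = []
    for line in want:
        if line not in have:                    # paste or save did not take
            findings.append(("not-on-device", line))
        addrs = [ipaddress.ip_address(a) for a in IPV4.findall(line)]
        if any(a in old_net for a in addrs):    # leftover old-ISP address
            findings.append(("old-isp-address", line))
        m = re.match(r"route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line)
        if m and ipaddress.ip_address(m.group(1)) not in new_net:
            findings.append(("gateway-off-subnet", line))
    return findings

# Constructed sample data (documentation address ranges, not the poster's).
OLD_BLOCK = "198.51.100.64/28"
INTENDED = """\
ip address outside 203.0.113.66 255.255.255.240
access-list outside-in permit tcp any host 203.0.113.67 eq smtp
static (inside,outside) 203.0.113.67 192.168.0.21 netmask 255.255.255.255 0 0
static (inside,outside) 198.51.100.68 192.168.0.19 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 203.0.113.65 1
"""
# What the firewall reports: the new default route never made it in.
DEVICE = INTENDED.replace("route outside 0.0.0.0 0.0.0.0 203.0.113.65 1",
                          "route outside 0.0.0.0 0.0.0.0 198.51.100.65 1")

if __name__ == "__main__":
    for kind, line in audit_migration(INTENDED, DEVICE, OLD_BLOCK):
        print(f"{kind:20} {line}")
```

The comparison is exact per line after whitespace is collapsed, so a line the Pix rewrites on display (for example by appending default values) shows up as not-on-device and needs a manual look.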