
Cisco pix NAT/routing issue

MikeG299
All,
Running a small network consisting of SBS w/Exchange and several clients, all behind a PIX 515 running 6.3(5). We changed ISP, which requires changing the outside interface IP settings on the Cisco PIX. We cannot ping the outside world from the router or the client machines. Please take a look at the config below and let me know if anything looks wrong. Thanks.
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password encrypted
passwd encrypted
hostname Corp-515
domain-name teamnrg.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any time-exceeded
access-list 100 permit tcp any host 173.11.70.49 eq smtp
access-list 100 permit tcp any host 173.11.70.49 eq https
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 173.11.70.49 255.255.0.0
ip address inside 10.8.10.254 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool clientpool 192.168.100.1-192.168.100.25
pdm location 0.0.0.0 0.0.0.0 inside
pdm history enable
arp timeout 14400
nat (inside) 1 10.8.10.0 255.255.255.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 173.11.70.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.8.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set pdsset esp-3des esp-sha-hmac
crypto dynamic-map cisco 90 set transform-set pdsset
crypto map pdsmap 10 ipsec-isakmp
crypto map pdsmap 10 set peer 64.171.87.65
crypto map pdsmap 10 set transform-set pdsset
! Incomplete
crypto map pdsmap 20 ipsec-isakmp
crypto map pdsmap 20 set peer 216.70.157.178
crypto map pdsmap 20 set transform-set pdsset
! Incomplete
crypto map pdsmap 30 ipsec-isakmp
crypto map pdsmap 30 set peer 67.117.69.34
crypto map pdsmap 30 set transform-set pdsset
! Incomplete
crypto map pdsmap 40 ipsec-isakmp
crypto map pdsmap 40 set peer 216.70.128.84
crypto map pdsmap 40 set transform-set pdsset
! Incomplete
crypto map pdsmap 50 ipsec-isakmp
crypto map pdsmap 50 set peer 66.18.133.68
crypto map pdsmap 50 set transform-set pdsset
! Incomplete
crypto map pdsmap 60 ipsec-isakmp
crypto map pdsmap 60 set peer 67.124.182.193
crypto map pdsmap 60 set transform-set pdsset
! Incomplete
crypto map pdsmap 70 ipsec-isakmp
crypto map pdsmap 70 set peer 208.57.105.40
crypto map pdsmap 70 set transform-set pdsset
! Incomplete
crypto map pdsmap 90 ipsec-isakmp dynamic cisco
crypto map pdsmap interface outside

telnet timeout 10
ssh 66.120.152.224 255.255.255.248 outside
ssh 67.112.179.96 255.255.255.224 outside
ssh 63.205.56.0 255.255.255.0 outside
ssh 208.57.230.144 255.255.255.240 outside
ssh 66.18.151.96 255.255.255.240 outside
ssh 173.51.1.208 255.255.255.240 outside
ssh timeout 10
management-access inside
console timeout 0
dhcpd address 10.8.10.160-10.8.10.198 inside
dhcpd dns 10.8.10.12 10.8.10.11
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
For the default route you are giving your own interface IP address (173.11.70.49)... can you give the next hop IP address?
route outside 0.0.0.0 0.0.0.0 173.11.70.49 1

Author

Commented:
Changed, here is the latest.

Done, here is the current config:

: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto shutdown
interface ethernet1 auto shutdown
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password encrypted
passwd encrypted
hostname Corp-515
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 173.11.70.49 255.255.255.0
ip address inside 10.8.10.254 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 1 10.8.10.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 173.11.70.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
If you do a tracert to yahoo.com, what happens?

Author

Commented:
Tracing route to 8.8.8.8 over a maximum of 30 hops
 
  1     *        *        *     Request timed out.
  2  tom-201 [10.8.10.27]  reports: Destination host unreachable.

Thx for your help btw.
Whose IP is 10.8.10.27? Is this device in your network?

Author

Commented:
Yes, in our network

Author

Commented:
interface ethernet0 "outside" is administratively down,
 
Cannot put in the no shutdown command. This is a problem…

Author

Commented:
interface ethernet0 "outside" is administratively down, line protocol is up
  Hardware is i82559 ethernet, address is 000e.d738.d67e
  IP address 173.11.70.49, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        1 packets input, 60 bytes, 0 no buffer
        Received 1 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/0) software (0/0)
interface ethernet1 "inside" is administratively down, line protocol is up
  Hardware is i82559 ethernet, address is 000e.d738.d67f
  IP address 10.8.10.254, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        1502 packets input, 135956 bytes, 0 no buffer
        Received 1502 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred

Author

Commented:
Corp-515(config)# int eth1
Corp-515(config)# no shut
Type help or '?' for a list of available commands.
Corp-515(config)# no shutdown
Type help or '?' for a list of available commands.
Corp-515(config)#
Can you give no shut and try whether the port comes up...
Jimmy Larsson, CISSP, CEH, Network and Security consultant

Commented:
You are running ancient software. The syntax to "no-shut" is:

interface ethernet0 auto
interface ethernet1 auto

Best regards
Kvistofta
Seems you are not getting to the port itself when you give the command int eth1, as the prompt should change from Corp-515(config) to one with interface...
Corp-515(config)# int eth1
Corp-515(config)# no shut
Type help or '?' for a list of available commands.


Can you type int eth1 and press tab? What options are you getting?
Also try:
 int eth1 inside
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Looking at the latest config I see:

ip address outside 173.11.70.49 255.255.255.0
and
route outside 0.0.0.0 0.0.0.0 173.11.70.49
The route outside is pointing to the outside interface, not good. It should point to the IP of the router/modem/device that is behind the firewall (connected to the outside interface).

Also I'm missing:
global (outside) 1 interface
to match the:
nat (inside) 1 10.8.10.0 255.255.255.0 0 0
Yes, it seems that is what I also wanted to get changed in my first message... but it still has the same gateway.

Author

Commented:
Thanks everyone, making changes now. Will post latest config in a moment.
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
@Anuroopsundd: Ah, overlooked your comment (only saw the first author comment).

But don't forget the missing global ;)

Author

Commented:
OK, we can ping the outside world from the router. I don't understand erniebeek's comments about the missing global outside.

Here is latest config:

: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname CORP
domain-name pdsi.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 173.11.70.49 255.255.255.0
ip address inside 10.8.10.254 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 1 10.8.10.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 173.11.70.50 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Author

Commented:
Still unable to get out to world from client machines.
Might be inside NAT issue?
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Well, normally there should be the combination

nat (inside) 1 10.8.10.0 255.255.255.0 (what will be natted when going to the internet).
and
global (outside) 1 interface (to what address it will be natted, in this case the outside interface address).

So I find it rather strange that you can get through the firewall without the global.

Wait, CAN you get through? Because you say: "Ok we can ping outside world from the router."
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Ah:
Still unable to get out to world from client machines.
Might be inside NAT issue?


So add the global.

Author

Commented:
Yes, can ping google from the PIX.

Author

Commented:
Can you please send the exact line to add for global? Unclear about this.
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Like this:

global (outside) 1 interface

Author

Commented:
CORP(config)# global (outside) 1 interface
outside interface address added to PAT pool
 
No ping from my PC; the PIX can still ping.

Author

Commented:
CORP(config)# show global
global (outside) 1 interface
CORP(config)# show int 1
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000e.d738.d67f
  IP address 10.8.10.254, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        2123 packets input, 218815 bytes, 0 no buffer
        Received 1117 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        63 packets output, 3808 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/2)
        output queue (curr/max blocks): hardware (0/1) software (0/1)
CORP(config)#
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Ok, let's try adding the following:
access-list outside permit icmp any any
access-group outside in interface outside


And see what happens then.

Author

Commented:
Nice nice nice! Can now ping 8.8.8.8 from the workstation. Almost there. Adding the remaining ACL for Exchange. Will post config and/or successful results shortly. Thanks so much guys!!!!!
Senior infrastructure engineer
Top Expert 2012
Commented:
Don't forget that you now named the access-list 'outside' instead of 100, so the other lines should be:
access-list outside permit tcp any host 173.11.70.49 eq smtp
access-list outside permit tcp any host 173.11.70.49 eq https
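Added example, not code from the thread, from Cisco or from any of the posters: a small Python linter for PIX 6.3 configs that mechanically checks the four things this thread found wrong, so the same mistakes can be caught before a config is pushed. The checks are an interface that is still "auto shutdown" while it carries an address (the "administratively down" state above), a default route whose next hop is one of the PIX's own addresses (the first comment and Ernie's), a nat id with no global of the same id (Ernie's explanation), and an access-group that applies an access-list name under which no entries exist, while the real entries sit under another name (the 100 vs. outside mix-up just above). The two sample configs in the block are constructed, abridged versions of the ones posted in the thread; the function names are mine.

```python
from collections import defaultdict

# Constructed sample (abridged from the thread, not the full posted config): it
# reproduces the four problems the thread ran into.
BROKEN_CONFIG = """\
PIX Version 6.3(5)
interface ethernet0 auto shutdown
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 100 permit icmp any any echo-reply
access-list 100 permit tcp any host 173.11.70.49 eq smtp
ip address outside 173.11.70.49 255.255.255.0
ip address inside 10.8.10.254 255.255.255.0
nat (inside) 1 10.8.10.0 255.255.255.0 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 173.11.70.49 1
"""

# Constructed sample with the fixes the thread arrived at: interfaces up, a real
# next hop, a global paired with the nat, and the ACL applied under its own name.
FIXED_CONFIG = """\
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside permit icmp any any echo-reply
access-list outside permit tcp any host 173.11.70.49 eq smtp
ip address outside 173.11.70.49 255.255.255.0
ip address inside 10.8.10.254 255.255.255.0
global (outside) 1 interface
nat (inside) 1 10.8.10.0 255.255.255.0 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 173.11.70.50 1
"""


def parse_pix(text):
    """Pull out only the statements the checks below need (hypothetical helper)."""
    cfg = {
        "shutdown": set(),                # physical interfaces marked shutdown
        "nameif": {},                     # physical interface -> logical name
        "ip": {},                         # logical name -> address
        "nat": set(),                     # nat ids seen
        "global": set(),                  # global ids seen
        "acl_entries": defaultdict(int),  # access-list name -> entry count
        "access_group": {},               # interface -> access-list applied
        "routes": [],                     # (interface, network, mask, next hop)
    }
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] in ("!", ":"):  # skip blanks, comments, ": Saved"
            continue
        if tok[0] == "interface" and "shutdown" in tok:
            cfg["shutdown"].add(tok[1])
        elif tok[0] == "nameif":
            cfg["nameif"][tok[1]] = tok[2]
        elif tok[:2] == ["ip", "address"]:
            cfg["ip"][tok[2]] = tok[3]
        elif tok[0] == "nat":
            cfg["nat"].add(tok[2])
        elif tok[0] == "global":
            cfg["global"].add(tok[2])
        elif tok[0] == "access-list":
            cfg["acl_entries"][tok[1]] += 1
        elif tok[0] == "access-group":
            cfg["access_group"][tok[4]] = tok[1]
        elif tok[0] == "route":
            cfg["routes"].append(tuple(tok[1:5]))
    return cfg


def lint(cfg):
    """Return one finding per problem; an empty list means all checks pass."""
    findings = []
    # 1. An interface that carries an address but is still shut down.
    for phys, name in cfg["nameif"].items():
        if phys in cfg["shutdown"] and name in cfg["ip"]:
            findings.append(f"{phys} ({name}) has an address but is shutdown")
    # 2. A route whose next hop is one of the PIX's own addresses.
    own = set(cfg["ip"].values())
    for iface, net, mask, hop in cfg["routes"]:
        if hop in own:
            findings.append(f"route {iface} {net} {mask} uses own address {hop} as next hop")
    # 3. A nat id with no global of the same id (nat 0 is exempt: it means no translation).
    for nid in sorted(cfg["nat"] - cfg["global"] - {"0"}):
        findings.append(f"nat id {nid} has no matching global")
    # 4. An access-group naming an empty access-list, or an access-list applied nowhere.
    applied = set(cfg["access_group"].values())
    for iface, name in cfg["access_group"].items():
        if cfg["acl_entries"].get(name, 0) == 0:
            findings.append(f"access-group {name} on {iface} applies an access-list with no entries")
    for name, count in sorted(cfg["acl_entries"].items()):
        if name not in applied:
            findings.append(f"access-list {name} has {count} entries but is applied to no interface")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for finding in lint(parse_pix(text)) or ["no findings"]:
            print("  " + finding)
```

Run against the broken sample it reports five findings (the shut-down outside interface, the self-referencing default route, the unpaired nat 1, the empty "outside" access-list that is applied, and the "100" access-list that is not); against the fixed sample it reports nothing. The parser is deliberately narrow: it only understands the statement shapes seen in the posted configs, and anything else is ignored rather than guessed at.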

Author

Commented:
Couple of things: can only ping 8.8.8.8 from one machine, 10.8.10.12, but no other machines can get out.
Here is the latest config:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password encrypted
passwd  encrypted
hostname CORP
domain-name pdsi.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit icmp any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any time-exceeded
access-list 100 permit tcp any host 173.11.70.49 eq smtp
access-list 100 permit tcp any host 173.11.70.49 eq https
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 173.11.70.49 255.255.255.0
ip address inside 10.8.10.254 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.8.10.0 255.255.255.0 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 173.11.70.50 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:43cc86fbfa3df93099f58df85672b2c2
: end
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Do the other stations have the IP of the PIX as their default gateway (10.8.10.254)?

Author

Commented:
Yes they do.
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
When you look at the (ASDM) logs, does anything show?

Got to go for now, it's way past my bedtime :-~
I'll check back tomorrow.

Author

Commented:
Still can't get into port 25 for Exchange. Here is what I have done in the PIX... any help would be great!
 
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname CORP
domain-name pdsi.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit icmp any any
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any unreachable
access-list outside permit icmp any any time-exceeded
access-list outside permit tcp any interface outside eq smtp
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 173.11.70.49 255.255.255.0
ip address inside 10.8.10.254 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.8.10.0 255.255.255.0 0 0
static (inside,outside) tcp interface smtp 10.8.10.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.8.10.1 www netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 173.11.70.50 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.8.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.8.10.160-10.8.10.198 inside
dhcpd dns 10.8.10.12 10.8.10.11
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
So the internet for the other stations is now working?

Did you look at the (ASDM) logs to see if anything shows there (port 25 blocks)?

Author

Commented:
So we got it all up, finally. Was having issues with SMTP and thought it was an ACL issue. Turned out to be an issue with Comcast. Thanks so much for the awesome support!
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Glad we could help :)
Thx 4 the points.