Velocity Reviews - Computer Hardware Reviews


pix 501 setup trouble newbie

 
 
Greg Gibson
11-27-2003
I have three books, and just can't get this pix 501 to go!

I have 1 computer on the inside interface at 192.168.0.3 /24 and the pix
inside is 192.168.0.1 /24

The pix outside is 192.168.1.1 and it is connected to a dsl router at
192.168.1.2 which goes to the dsl modem.

I cannot ping from the pix to 192.168.1.2 (its default route or next hop
out!)

It is now the case that the computer at 192.168.0.3 is trying for a long
time to get out to www.msn.com, but fails.

I have turned on ethernet0 and ethernet1 with interface (removing shutdown)
Used nameif to set the security 100 and 0 respectively
Set a default route to 192.168.1.2
Turned off nat, established the following access list for that:

pixx# show nat
nat (inside) 0 access-list inside_public
pixx# show access-list
access-list inside_public; 1 elements
access-list inside_public permit ip 192.168.0.0 255.255.255.0 any
(hitcnt=93)
pixx#
pixx# show route
outside 0.0.0.0 0.0.0.0 192.168.1.2 1 OTHER static
inside 192.168.0.0 255.255.255.0 192.168.0.1 1 CONNECT static
outside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
pixx#

(I notice that the above ranges look a little small, are they the problem?)

Turned on icmp through the router:

icmp permit 192.168.0.0 255.255.255.0 echo-reply outside
icmp permit any unreachable outside

Of course, I really appreciate the time it takes to reply.

Thanks,

Greg

Here is the "write terminal" setup....

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixx
domain-name gsgi.homeunix.org
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside_public permit ip 192.168.0.0 255.255.255.0 any
interface ethernet0 10baset
interface ethernet1 10full
icmp permit 192.168.0.0 255.255.255.0 echo-reply outside
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.1 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_public
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:4235cf79ebc381a02e043ee70e34332e
: end
[OK]


 

Walter Roberson
11-27-2003
In article <kHtxb.969$(E-Mail Removed)>,
Greg Gibson <(E-Mail Removed)> wrote:
:I have three books, and just can't get this pix 501 to go!

:I cannot ping from the pix to 192.168.1.2 (its default route or next hop
:out!)

:access-list inside_public permit ip 192.168.0.0 255.255.255.0 any
:ip address outside 192.168.1.1 255.255.255.0
:ip address inside 192.168.0.1 255.255.255.0
:nat (inside) 0 access-list inside_public
:route outside 0.0.0.0 0.0.0.0 192.168.1.2 1

nat 0 access-lists are to be interpreted with the first group being
the source address from inside, and the second group being
the destination. Your list uses 192.168.0.0/24 as the source,
but no traffic from inside is going to match that, so that ACL is
not going to be used in practice.

Meanwhile, you have no nat/global pair for any other traffic, so the
PIX isn't going to know how to translate 192.168.1.0/24 traffic
as it goes out, so the PIX is going to drop that traffic.

I would suggest that you stick with nat/global pairs, and static, until
such time as you are setting up VPNs.
--
Usenet is one of those "Good News/Bad News" comedy routines.
 

Brian Bergin
11-28-2003
"Greg Gibson" <(E-Mail Removed)> wrote:

|I have three books, and just can't get this pix 501 to go!
|
|I have 1 computer on the inside interface at 192.168.0.3 /24 and the pix
|inside is 192.168.0.1 /24
|
|The pix outside is 192.168.1.1 and it is connected to a dsl router at
|192.168.1.2 which goes to the dsl modem.
|
|I cannot ping from the pix to 192.168.1.2 (its default route or next hop
|out!)

First I would suggest seeing if you can get your DSL modem in bridged mode and
not NAT mode. Almost every DSL modem I've seen can be put in bridge mode. Your
ISP won't be thrilled when you call, but you also won't run into the problems
NAT behind NAT can cause.

Thanks...
Brian Bergin

I can be reached via e-mail at
cisco_dot_news_at_comcept_dot_net.

Please post replies to the group so all may benefit.
 

Rik Bain
11-28-2003
On Thu, 27 Nov 2003 15:06:24 -0600, Greg Gibson wrote:

> I have three books, and just can't get this pix 501 to go!
>
> I have 1 computer on the inside interface at 192.168.0.3 /24 and the pix
> inside is 192.168.0.1 /24
>
> The pix outside is 192.168.1.1 and it is connected to a dsl router at
> 192.168.1.2 which goes to the dsl modem.
>
> I cannot ping from the pix to 192.168.1.2 (its default route or next hop
> out!)
>
> It is now the case that the computer at 192.168.0.3 is trying for a long
> time to get out to www.msn.com, but fails.
>
> I have turned on ethernet0 and ethernet1 with interface (removing
> shutdown) Used nameif to set the security 100 and 0 respectively Set a
> default route to 192.168.1.2
> Turned off nat, established the following access list for that:
>
> pixx# show nat
> nat (inside) 0 access-list inside_public pixx# show access-list
> access-list inside_public; 1 elements access-list inside_public permit
> ip 192.168.0.0 255.255.255.0 any (hitcnt=93) pixx#
> pixx# show route
> outside 0.0.0.0 0.0.0.0 192.168.1.2 1 OTHER static inside
> 192.168.0.0 255.255.255.0 192.168.0.1 1 CONNECT static outside
> 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
> pixx#
>
> (I notice that the above ranges look a little small, are they the
> problem?)
>
> Turned on icmp through the router:
>
> icmp permit 192.168.0.0 255.255.255.0 echo-reply outside icmp permit any
> unreachable outside
>
> Of course, I really appreciate the time it takes to reply.
>
> Thanks,
>
> Greg


Does the dsl router have a route to 192.168.0.0/24?
 

Greg Gibson
11-28-2003


> Does the dsl router have a route to 192.168.0.0/24?


It is just a dumb netgear dsl router. So no, the netgear doesn't have a
route to 192.168.0.0 /24?

But, even if that is a problem, it still wouldn't explain
why I can't ping 192.168.1.2 from 'outside' on the
pix which is 192.168.1.1, would it?

I really appreciate the time it takes to reply.

Thanks,

-Greg


 

Rik Bain
11-28-2003
On Thu, 27 Nov 2003 20:37:48 -0600, Greg Gibson wrote:



>> Does the dsl router have a route to 192.168.0.0/24?

>
> It is just a dumb netgear dsl router. So no, the netgear doesn't have a
> route to 192.168.0.0 /24?
>
> But, even if that is a problem, it still wouldn't explain why I can't
> ping 192.168.1.2 from 'outside' on the pix which is 192.168.1.1, would
> it?
>
> I really appreciate the time it takes to reply.
>
> Thanks,
>
> -Greg


you will need a route to 192.168.0.0/24 on the netgear or it won't be able
to talk to the internal hosts.

as for not being able to ping directly connected devices, your icmp
policy does not allow it. you are permitting 192.168.0.0/24 and the
reply will come from the 192.168.1.0/24 network.

do a "clear icmp" to remove the icmp restrictions for now and try again.
if it fails, check arp on both devices.


Rik Bain
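Added example (editor's code, not posted by anyone in this thread): a small Python model of the two checks Rik describes above, the PIX 6.x per-interface icmp policy and the return route on the Netgear. The addresses and the two icmp lines are the ones Greg posted; the Netgear's routing table, the "wan-upstream" label and the tighter replacement policy are my assumptions, since the thread never shows them.

```python
import ipaddress

# Constructed model of the topology from this thread. The addresses are the
# ones Greg posted; the Netgear's own routing table is assumed (not shown
# anywhere in the thread).
PIX_OUTSIDE = "192.168.1.1"
NETGEAR     = "192.168.1.2"
INSIDE_HOST = "192.168.0.3"

# Greg's original interface ICMP policy, exactly as posted.
POSTED_ICMP_POLICY = [
    "icmp permit 192.168.0.0 255.255.255.0 echo-reply outside",
    "icmp permit any unreachable outside",
]
# A tighter alternative to a bare 'clear icmp' (editor's assumption, not from
# the thread): only accept echo-replies from the link the PIX actually pings.
TIGHTER_ICMP_POLICY = [
    "icmp permit 192.168.1.0 255.255.255.0 echo-reply outside",
    "icmp permit any unreachable outside",
]

def parse_icmp_policy(lines):
    """Parse PIX 6.x 'icmp {permit|deny} <src> <mask>|any [type] <ifname>' lines."""
    rules = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "icmp":
            continue
        action = parts[1]
        if parts[2] == "any":
            net, rest = ipaddress.ip_network("0.0.0.0/0"), parts[3:]
        else:
            net, rest = ipaddress.ip_network(f"{parts[2]}/{parts[3]}"), parts[4:]
        icmp_type, ifname = (rest[0], rest[1]) if len(rest) == 2 else (None, rest[0])
        rules.append((action, net, icmp_type, ifname))
    return rules

def icmp_to_interface_allowed(rules, src, icmp_type, ifname):
    """Does an ICMP packet of icmp_type from src, addressed to the PIX's own
    ifname address, pass the interface ICMP policy?  First match wins; an
    interface with no icmp entries accepts everything, an interface with
    entries ends in an implicit deny."""
    iface_rules = [r for r in rules if r[3] == ifname]
    if not iface_rules:
        return True
    src = ipaddress.ip_address(src)
    for action, net, rule_type, _ in iface_rules:
        if src in net and rule_type in (None, icmp_type):
            return action == "permit"
    return False

# Routing side: the Netgear only knows its own LAN and a default route
# upstream (constructed table). Without an entry for 192.168.0.0/24 every
# reply to an inside host is sent toward the ISP instead of to the PIX.
NETGEAR_ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "connected"),
    (ipaddress.ip_network("0.0.0.0/0"), "wan-upstream"),
]
# The static route Rik says the Netgear needs.
ROUTE_TO_PIX = (ipaddress.ip_network("192.168.0.0/24"), PIX_OUTSIDE)

def next_hop(routes, dst):
    """Longest-prefix-match lookup over (network, next_hop) pairs."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

if __name__ == "__main__":
    posted = parse_icmp_policy(POSTED_ICMP_POLICY)
    tighter = parse_icmp_policy(TIGHTER_ICMP_POLICY)
    print("echo-reply from the Netgear, posted policy:",
          icmp_to_interface_allowed(posted, NETGEAR, "echo-reply", "outside"))
    print("echo-reply from the Netgear, after 'clear icmp':",
          icmp_to_interface_allowed([], NETGEAR, "echo-reply", "outside"))
    print("echo-reply from the Netgear, tighter policy:",
          icmp_to_interface_allowed(tighter, NETGEAR, "echo-reply", "outside"))
    print("Netgear reply to the inside host goes via:",
          next_hop(NETGEAR_ROUTES, INSIDE_HOST))
    print("same, with the static route added:",
          next_hop(NETGEAR_ROUTES + [ROUTE_TO_PIX], INSIDE_HOST))
```

The first check reproduces what Rik points out: the posted rule only matches echo-replies sourced from 192.168.0.0/24 arriving on outside, and the reply from 192.168.1.2 then falls through to the implicit deny. The second shows why "clear icmp" alone does not get 192.168.0.3 onto the web when NAT is off: the Netgear still has no path back to 192.168.0.0/24.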
 

Greg Gibson
11-28-2003
"Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca>

nat 0 access-lists are to be interpreted with the first group being
> the source address from inside, and the second group being
> the destination. Your list uses 192.168.0.0/24 as the source,
> but no traffic from inside is going to match that, so that ACL is
> not going to be used in practice.
>
> Meanwhile, you have no nat/global pair for any other traffic, so the
> PIX isn't going to know how to translate 192.168.1.0/24 traffic
> as it goes out, so the PIX is going to drop that traffic.
>
> I would suggest that you stick with nat/global pairs, and static, until
> such time as you are setting up VPNs.


I guess I'm going to need quite a bit of hand holding here. How is it that the
computer on the inside at 192.168.0.3 /24 doesn't match the acl of
192.168.0.0 /24?

Now that I think about it, without telling the netgear dsl router to default
route to 192.168.1.1 it may be tricky to get the pix to sit behind the netgear.
Oh, maybe I'll make 192.168.1.1 (pix outside) the dmz on the netgear.

All I wanted to do was to turn off NAT and have it firewall behind the netgear
for a few machines attached to the pix (on the inside) while I play with it.
i.e. learn about it...

I appreciate your input.

Thanks,
Greg

> --
> Usenet is one of those "Good News/Bad News" comedy routines.



 

Greg Gibson
11-28-2003

"Brian Bergin" <(E-Mail Removed)_domain> wrote in message

> First I would suggest seeing if you can get your DSL modem in bridged mode and
> not NAT mode. Almost every DSL modem I've seen can be put in bridge mode. Your
> ISP won't be thrilled when you call, but you also won't run into the problems
> NAT behind NAT can cause.
>
> Thanks...
> Brian Bergin
>


Ummm, the dsl modem isn't doing NAT, the Netgear DSL router is doing the NAT
and I just don't think I can turn that off. This is why my first attempt was
to turn off NAT on the pix, to avoid double NAT, or more precisely perhaps,
double PAT.
Other than the fact that it seems weird, what bad things will double PAT do?

I appreciate your input.

Thanks,

Greg


 

Greg Gibson
11-28-2003
> do a "clear icmp" to remove the icmp restrictions for now and try again.
> if it fails, check arp on both devices.
>
> Rik Bain


pixx(config)# clear icmp
pixx(config)# exit

ping 192.168.1.2
192.168.1.2 response received -- 0ms
192.168.1.2 response received -- 0ms
192.168.1.2 response received -- 0ms


Ok! That fixed that. So these books say that you can't ping through the pix
without turning icmp on and that is what I thought I was doing, but now I see
that those commands were using the outside interface not the inside interface.
(At least I can ping from the pix now! phew!)

The ultimate goal is to get the computer inside (192.168.0.3) to ping the
netgear router at 192.168.1.2 ... then maybe I can even get the web to work on
old .0.3

Thanks for the troubleshoot!

-Greg








 