Cisco - Internet Access not working...

11-05-2005, 08:02 PM

Hi, newbie again... I am having issues getting my PIX 506e to allow
internet access. I cannot ping from the inside interface to the outside
interface or gateway, even after opening up ICMP. I have two internal
subnets: 1.0.0.0 and 192.168.2.0. The 192.168.2.0 passes through a
Win2K box set up for routing (1.0.0.241). The configuration is as
follows:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ############ encrypted
passwd ############# encrypted
hostname pixfirewall
domain-name xxxxxxxxxxxxxx.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in remark E-mail inbound
access-list outside_access_in permit tcp interface outside eq smtp host
1.0.0.241 eq smtp
access-list outside_access_in remark FTP Site
access-list outside_access_in permit tcp interface outside eq ftp host
192.168.2.22 eq ftp
access-list outside_access_in remark HTTP Sites
access-list outside_access_in permit tcp interface outside eq www host
1.0.0.241 eq www
access-list outside_access_in remark RDP access to terminal server
access-list outside_access_in permit tcp interface outside eq 33389
host 1.0.0.244 eq 33389
access-list outside_access_in permit udp any eq domain any
access-list inside_access_in remark Default Rule
access-list inside_access_in permit tcp interface inside interface
outside
access-list inside_access_in remark Default UDP Rule
access-list inside_access_in permit udp interface inside interface
outside
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.117 255.255.255.248
ip address inside 1.0.0.3 255.0.0.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 1.0.0.241 255.255.255.255 inside
pdm location 1.0.0.244 255.255.255.255 inside
pdm location 192.168.2.22 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 192.168.2.22 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 1.0.0.241 1.0.0.241 netmask 255.255.255.255 0 0

static (inside,outside) 1.0.0.244 1.0.0.244 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 192.168.2.0 255.255.255.0 1.0.0.241 1
route inside 192.168.2.22 255.255.255.255 1.0.0.241 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 1.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
[OK]

I'm sure this is obvious, but help please...I suspect a routing issue,
but the routing table seems ok. Second, as you can see I am trying to
make available certain services to Internet users...just want to verify
accuracy of commands.

Thanks...

peterD

11-06-2005, 05:15 PM

I started over and got the Internet working, but as soon as I start
adding routes I have problems. Configuration is still similar to above

peterD

11-06-2005, 05:15 PM

I started over and got the Internet working, but as soon as I start
adding routes I have problems. Configuration is still similar to above

peterD

11-06-2005, 05:15 PM	#2
peterD Posts: n/a	Re: Internet Access not working... I started over and got the Internet working, but as soon as I start adding routes I have problems. Configuration is still similar to above peterD

11-06-2005, 05:15 PM	#3
peterD Posts: n/a	Re: Internet Access not working... I started over and got the Internet working, but as soon as I start adding routes I have problems. Configuration is still similar to above peterD

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Internet was working fine on laptop yesterday; today there is no internet connection	spulliam81	General Help Related Topics	0	09-21-2008 06:26 PM
My Computer Can't Access Internet	BrianKid	General Help Related Topics	7	11-25-2006 12:17 AM
Internet connection not working	Japh84	General Help Related Topics	0	11-12-2006 11:34 PM
setup wireless internet access	Richard	A+ Certification	2	04-03-2006 08:51 AM
Can only access the internet once	Matthew	A+ Certification	0	11-13-2004 05:40 PM

11-05-2005, 08:02 PM	#1
	Internet Access not working... Hi, newbie again... I am having issues getting my PIX 506e to allow internet access. I cannot ping from the inside interface to the outside interface or gateway, even after opening up ICMP. I have two internal subnets: 1.0.0.0 and 192.168.2.0. The 192.168.2.0 passes through a Win2K box set up for routing (1.0.0.241). The configuration is as follows: PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password ############ encrypted passwd ############# encrypted hostname pixfirewall domain-name xxxxxxxxxxxxxx.com fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names access-list outside_access_in remark E-mail inbound access-list outside_access_in permit tcp interface outside eq smtp host 1.0.0.241 eq smtp access-list outside_access_in remark FTP Site access-list outside_access_in permit tcp interface outside eq ftp host 192.168.2.22 eq ftp access-list outside_access_in remark HTTP Sites access-list outside_access_in permit tcp interface outside eq www host 1.0.0.241 eq www access-list outside_access_in remark RDP access to terminal server access-list outside_access_in permit tcp interface outside eq 33389 host 1.0.0.244 eq 33389 access-list outside_access_in permit udp any eq domain any access-list inside_access_in remark Default Rule access-list inside_access_in permit tcp interface inside interface outside access-list inside_access_in remark Default UDP Rule access-list inside_access_in permit udp interface inside interface outside pager lines 24 logging on mtu outside 1500 mtu inside 1500 ip address outside xxx.xxx.xxx.117 255.255.255.248 ip address inside 1.0.0.3 255.0.0.0 ip verify reverse-path interface outside ip audit info action alarm ip audit attack action alarm pdm location 192.168.1.0 255.255.255.0 inside pdm location 1.0.0.241 255.255.255.255 inside pdm location 1.0.0.244 255.255.255.255 inside pdm location 192.168.2.22 255.255.255.255 inside pdm location 192.168.2.0 255.255.255.0 inside pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 192.168.2.22 255.255.255.255 0 0 nat (inside) 1 0.0.0.0 0.0.0.0 0 0 static (inside,outside) 1.0.0.241 1.0.0.241 netmask 255.255.255.255 0 0 static (inside,outside) 1.0.0.244 1.0.0.244 netmask 255.255.255.255 0 0 access-group outside_access_in in interface outside access-group inside_access_in in interface inside rip inside default version 1 route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1 route inside 192.168.2.0 255.255.255.0 1.0.0.241 1 route inside 192.168.2.22 255.255.255.255 1.0.0.241 1 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enable http 1.0.0.0 255.0.0.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable telnet timeout 5 ssh timeout 5 console timeout 0 terminal width 80 Cryptochecksumxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx : end [OK] I'm sure this is obvious, but help please...I suspect a routing issue, but the routing table seems ok. Second, as you can see I am trying to make available certain services to Internet users...just want to verify accuracy of commands. Thanks... peterD