Cannot access more than one pc (internet), PIX 501

Discussion in 'Cisco' started by tractng@gmail.com, Jun 5, 2005.

  1. Guest

    Guys,

    I can only access the internet (VPN works too) with one pc based on
    this configuration. Is it with the static statement?

    Help me out. Btw, this is pix 501. I am using PAT. I tried to change
    the static to 192.168.1.0, but no luck.

    66.159.2xx.xx = STATIC IP (ASSIGNED BY ISP)
    192.168.x.x = LOCAL PC

    Tony
    -----------------------------
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100

    fixup protocol esp-ike
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    access-list tunnel-101 permit esp any host 66.159.2xx.xx
    pager lines 24
    logging on
    mtu outside 1500
    mtu inside 1500
    ip address outside 66.159.2xx.xx 255.255.255.0
    ip address inside 192.168.x.x 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 105
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 66.159.2xx.xx 192.168.x.x netmask 255.255.255.255 0 0
    access-group tunnel-101 in interface outside
    route outside 0.0.0.0 0.0.0.0 66.159.2xx.x 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    isakmp nat-traversal 100
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.x.x-192.168.x.xx inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    ------------------------------
    , Jun 5, 2005
    #1

  2. <> wrote:

    > I can only access the internet (VPN works too) with one pc
    > based on this configuration. Is it with the static statement?
    >
    > static (inside,outside) 66.159.2xx.xx 192.168.x.x netmask 255.255.255.255 0 0


    If you have only one global IP address and you put
    on 1-to-1 NAT then that's what will happen. The
    private IP on the static command line will be the
    only one with internet access. Remove the static
    and the rest of the PCs can access internet too.
    Jyri Korhonen, Jun 5, 2005
    #2
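
A check for the condition described in the reply above, written as an added example (not part of the original thread): it parses a PIX 6.x configuration and reports a one-to-one `static` whose global address is the same outside address that `global (outside) 1 interface` uses for PAT. The addresses in the sample are constructed placeholders for the masked ones, and the function names are hypothetical.

```python
import re

# Constructed sample: the NAT-related lines of the first config in this thread.
# The masked addresses are replaced with placeholders (203.0.113.10, 192.168.1.2).
SAMPLE = """\
ip address outside 203.0.113.10 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 203.0.113.10 192.168.1.2 netmask
255.255.255.255 0 0
"""

def join_wrapped(text):
    """Undo mail/forum line wrapping: the commands in these configs start with
    a keyword, so a line starting with a digit is the tail of the previous one."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0].isdigit() and lines:
            lines[-1] += " " + line
        elif line:
            lines.append(line)
    return lines

def find_static_pat_conflicts(config):
    """Return (inside_host, global_ip, interface) for every one-to-one static
    that claims the address an interface is also using for PAT."""
    iface_ip, pat_ifaces, statics = {}, set(), []
    for line in join_wrapped(config):
        if m := re.match(r"ip address (\S+) (\d\S+) ", line):
            iface_ip[m[1]] = m[2]
        elif m := re.match(r"global \(([^)\s]+)\) \d+ interface", line):
            pat_ifaces.add(m[1])
        elif m := re.match(r"static \([^,\s]+,([^)\s]+)\) (\S+) (\S+)", line):
            statics.append(m.groups())
    findings = []
    for mapped_if, global_ip, local_ip in statics:
        # "static (...) tcp|udp ..." is a port redirect, not a one-to-one mapping.
        if global_ip in ("tcp", "udp"):
            continue
        if mapped_if in pat_ifaces and global_ip == iface_ip.get(mapped_if):
            findings.append((local_ip, global_ip, mapped_if))
    return findings

if __name__ == "__main__":
    for host, ip, ifc in find_static_pat_conflicts(SAMPLE):
        print(f"static maps {ip} ({ifc}) to {host} only; it is also the PAT address")
```
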

  3. Guest

    Jyri,

    I did remove it and still cannot access internet with another pc.

    Any idea?


    Tony
    , Jun 5, 2005
    #3
  4. Guest

    Guys,

    I think I solved it (most part). Now I am able to get internet
    connection for more than one pc.

    The only thing is that my VPN (initiation) only works from my
    192.168.1.2 machine, which is my windows 2000 server. I have DNS
    running on that machine.

    So I am guessing it's something with DNS in my pix?? Is there any
    limitation on PAT that I have to specify where my VPN (initiation) is
    coming from?

    Below is my config. Thanks for looking.

    ----------------------------------------------------------------------
    PIX Version 6.3(1)
    hardware = PIX501
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100

    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol esp-ike
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    access-list tunnel-101 permit esp any host 66.159.2BB.BB
    pager lines 24
    logging on
    mtu outside 1500
    mtu inside 1500
    ip address outside 66.159.2BB.BB 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 101
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group tunnel-101 in interface outside
    route outside 0.0.0.0 0.0.0.0 66.159.2BB.A 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    isakmp nat-traversal 100
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.6-192.168.1.33 inside
    dhcpd dns 192.168.1.2
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80

    --------------------------------------------------------

    Tony
    , Jun 6, 2005
    #4