Cisco PIX 501 madness ... help

Discussion in 'Cisco' started by stevo321, Apr 5, 2004.

  1. stevo321

    stevo321 Guest

    Hello

    I got a problem with my pix that is driving me mad. I have created a
    tunnel from my pix to my checkpoint firewall, and traffic seems to be
    flowing down that pretty well. However my problem arises when I want
    to give people at the pix site access to the internet. They have a
    private network so I know I need to nat. I have tried but nothing
    seems to be happening. According to the manual I shouldn't need any
    access lists. What I want to do is translate all outbound traffic (not
    meant for the VPN tunnel) to the external address of the pix.

    I have put my config below, any one with any ideas would be much
    appreciated.

    Thanks

    orpix01# sh run
    : Saved
    :
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd xLYvCzQzfWK01Tnh encrypted
    hostname orpix01
    domain-name xderwentsharedservices.nhs.uk
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    object-group service WebServices tcp
    description Allow services to allow web surfing
    port-object eq www
    port-object eq https
    access-list VPN-Nets permit ip 192.168.33.0 255.255.255.0 172.16.0.0
    255.255.0.0
    access-list VPN-Nets permit ip 192.168.33.0 255.255.255.0 172.26.0.0
    255.255.0.0
    access-list VPN-Nets permit ip 172.16.0.0 255.255.0.0 192.168.33.0
    255.255.255.0
    access-list VPN-Nets permit ip 172.26.0.0 255.255.0.0 192.168.33.0
    255.255.255.0
    access-list VPN-Nets-In permit ip 172.16.0.0 255.255.0.0 192.168.33.0
    255.255.255.0
    access-list VPN-Nets-In permit ip 172.26.0.0 255.255.0.0 192.168.33.0
    255.255.255.0
    access-list Outbound permit ip 192.168.33.0 255.255.255.0 any
    pager lines 24
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside 212.148.x.y 255.255.255.192
    ip address inside 192.168.33.254 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 212.148.x.z
    nat (inside) 0 access-list VPN-Nets
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group VPN-Nets in interface outside
    access-group Outbound in interface inside
    route outside 0.0.0.0 0.0.0.0 212.148.x.w 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 62.130.b.c 255.255.255.128 outside
    http 192.168.33.1 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map fw-dss-derwent 10 ipsec-isakmp
    crypto map fw-dss-derwent 10 match address VPN-Nets
    crypto map fw-dss-derwent 10 set peer 195.105.m.n
    crypto map fw-dss-derwent 10 set transform-set ESP-3DES-SHA
    crypto map fw-dss-derwent interface outside
    isakmp enable outside
    isakmp key ******** address 195.105.m.n netmask 255.255.255.255
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet 192.168.33.1 255.255.255.255 inside
    telnet timeout 5
    ssh 62.130.b.c 255.255.255.128 outside
    ssh timeout 5
    management-access outside
    console timeout 0
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:c0c1abd34651f91c2dee364b7f02de6e
    : end
    orpix01#
     
    stevo321, Apr 5, 2004
    #1

  2. "stevo321" <> wrote:

    > What I want to do is translate all outbound traffic (not meant
    > for the VPN tunnel) to the external address of the pix.
    >
    > global (outside) 1 212.148.x.z


    Try:

    global (outside) 1 interface
     
    Jyri Korhonen, Apr 5, 2004
    #2

  3. stevo321

    stevo321 Guest

    Cheers for the suggestion.

    OK I have deleted my old global line and replaced it with the one you
    suggested. However nothing seems to be happening. Has anyone got any
    other ideas.

    How do I debug NAT to see what's going on?

    Thanks
     
    stevo321, Apr 6, 2004
    #3
  4. You do have the following lines?

    access-list NONAT permit ip <your-local-net> <netmask> <ipsec-dest-net> <netmask>

    global (outside) 1 interface
    nat (inside) 0 access-list <name of access-list that holds IPSEC traffic>
    nat (inside) 1 <your-local-net> <netmask> 0 0

    I use this and works like a charm. I combine IPSEC and PAT on one fixed
    IP and these are the three crucial lines.

    Raymond


    stevo321 wrote:
    > Cheers for the suggestion.
    >
    > OK I have deleted my old global line and replaced it with the one you
    > suggested. However nothing seems to be happening. Has anyone got any
    > other ideas.
    >
    > How do I debug NAT to see whats going on?
    >
    > Thanks
     
    Raymond Doetjes, Apr 6, 2004
    #4
  5. "stevo321" <> wrote:

    > OK I have deleted my old global line and replaced it with the one you
    > suggested. However nothing seems to be happening. Has anyone got any
    > other ideas.


    access-list Outbound permit ip 192.168.33.0 255.255.255.0 any
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group Outbound in interface inside

    This should be enough if the inside hosts are in IP range 192.168.33.x
    However this line

    access-group VPN-Nets in interface outside

    is unnecessary and can cause problems. Remove it.

    > How do I debug NAT to see whats going on?


    show xlate

    or

    logging on
    logging buffered debug
    show logging [<-frequently]
     
    Jyri Korhonen, Apr 6, 2004
    #5
  6. stevo321

    stevo321 Guest

    It's working...

    In the end I did clear xlate and everything seemed to spring into life.

    Thanks for all the help everybody, it's seriously appreciated!

    Steve

    "Jyri Korhonen" <> wrote in message news:<lwEcc.2422$>...
    > "stevo321" <> wrote:
    >
    > > OK I have deleted my old global line and replaced it with the one you
    > > suggested. However nothing seems to be happening. Has anyone got any
    > > other ideas.

    >
    > access-list Outbound permit ip 192.168.33.0 255.255.255.0 any
    > global (outside) 1 interface
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > access-group Outbound in interface inside
    >
    > This should be enough if the inside hosts are in IP range 192.168.33.x
    > However this line
    >
    > access-group VPN-Nets in interface outside
    >
    > is unnecessary and can cause problems. Remove it.
    >
    > > How do I debug NAT to see whats going on?

    >
    > show xlate
    >
    > or
    >
    > logging on
    > logging buffered debug
    > show logging [<-frequently]
     
    stevo321, Apr 11, 2004
    #6
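As an added example that is not part of this thread (and not Cisco code), the Python model below replays the NAT decisions the posts above describe: a `nat (inside) 0 access-list` exemption that is evaluated before any numbered rule and leaves VPN traffic untranslated, the numbered `nat`/`global` pair that PATs everything else, `global (outside) 1 interface` resolving to the outside interface address, and an xlate table that keeps serving its old entries after `global` is changed until `clear xlate`, which is the step Steve reports as the fix. The config lines are taken from Steve's posted `sh run`, with the masked public addresses replaced by 203.0.113.0/24 documentation addresses (an assumption); the one-entry-per-inside-host xlate cache is a simplification of the real per-connection PAT entries, and interface `access-group` ACLs and `sysopt connection permit-ipsec` are not modelled.

```python
"""Toy model of PIX 6.3 outbound NAT selection: nat 0 exemption, numbered
nat/global pairs, and an xlate table that survives config changes until
`clear xlate`. Example code written for this page; not Cisco code."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: the NAT-relevant lines of the thread's config. The thread
# masks its public addresses (212.148.x.y etc.); the 203.0.113.0/24
# documentation addresses used here are an assumption.
CONFIG = """\
ip address outside 203.0.113.1 255.255.255.192
access-list VPN-Nets permit ip 192.168.33.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list VPN-Nets permit ip 192.168.33.0 255.255.255.0 172.26.0.0 255.255.0.0
global (outside) 1 203.0.113.2
nat (inside) 0 access-list VPN-Nets
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""


def net(addr, mask):
    """Build a network from PIX's 'address netmask' pair."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Return (acls, nat_rules, globals, interfaces) from a subset of PIX syntax."""
    acls, nat_rules, globals_, interfaces = {}, [], {}, {}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            # access-list NAME permit ip SRC SMASK DST DMASK
            acls.setdefault(t[1], []).append((net(t[4], t[5]), net(t[6], t[7])))
        elif t[0] == "nat":
            # nat (inside) ID access-list NAME | nat (inside) ID NET MASK [max [emb]]
            nat_id = int(t[2])
            if t[3] == "access-list":
                nat_rules.append(("acl", nat_id, t[4]))
            else:
                nat_rules.append(("net", nat_id, net(t[3], t[4])))
        elif t[0] == "global":
            # global (outside) ID ADDRESS|interface
            globals_[int(t[2])] = t[3]
        elif t[:2] == ["ip", "address"]:
            interfaces[t[2]] = t[3]
    return acls, nat_rules, globals_, interfaces


@dataclass
class Pix:
    acls: dict
    nat_rules: list
    globals_: dict
    interfaces: dict
    xlate: dict = field(default_factory=dict)  # inside host -> translated address

    def _global_addr(self, nat_id):
        addr = self.globals_.get(nat_id)
        if addr is None:
            raise LookupError(f"nat id {nat_id} has no matching global")
        # 'global (outside) 1 interface' means PAT to the outside interface address
        return self.interfaces["outside"] if addr == "interface" else addr

    def translate(self, src, dst):
        """Source address the outside sees for an inside->outside flow."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 1. nat 0 access-list (exemption) wins over every numbered rule and
        #    creates no xlate: VPN-bound traffic keeps its private address.
        for kind, nat_id, arg in self.nat_rules:
            if nat_id == 0 and kind == "acl":
                if any(s in sn and d in dn for sn, dn in self.acls[arg]):
                    return src
        # 2. An existing xlate entry is reused as-is. Changing `global`
        #    does not rewrite it; that is what `clear xlate` is for.
        if src in self.xlate:
            return self.xlate[src]
        # 3. The first numbered nat rule covering the source picks the pool.
        for kind, nat_id, arg in self.nat_rules:
            if nat_id != 0 and kind == "net" and s in arg:
                self.xlate[src] = self._global_addr(nat_id)
                return self.xlate[src]
        raise LookupError(f"no nat rule covers {src}; traffic is dropped")

    def clear_xlate(self):
        self.xlate.clear()


def walk_through():
    """Replay the thread: old global, Jyri's change, then Steve's clear xlate."""
    pix = Pix(*parse(CONFIG))
    out = {}
    out["to_vpn"] = pix.translate("192.168.33.10", "172.16.5.5")
    out["to_web"] = pix.translate("192.168.33.10", "198.51.100.80")
    pix.globals_[1] = "interface"  # global (outside) 1 interface
    out["to_web_after_global_change"] = pix.translate("192.168.33.10", "198.51.100.80")
    pix.clear_xlate()
    out["to_web_after_clear_xlate"] = pix.translate("192.168.33.10", "198.51.100.80")
    out["vpn_still_exempt"] = pix.translate("192.168.33.10", "172.26.1.1")
    return out


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key:30} {value}")
```

Run as a script, `walk_through()` shows the web flow still leaving as 203.0.113.2 after the `global` line is changed, and only switching to the interface address 203.0.113.1 once `clear_xlate()` runs; the VPN-bound flows stay at 192.168.33.10 throughout because the exemption is checked before the xlate table. On a real PIX the equivalent checks are `show xlate` before and after `clear xlate`.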
