pix 501 - Problem Routing Requests from inside to outside networks

Discussion in 'Cisco' started by RG, Nov 27, 2007.

  1. RG

    RG Guest

    Please, refer to the configuration below. This is the pix default
    configuration. Pix is connecting on the outside interface successfully with
    dhcp. However, I am not able to even resolve external site names from
    internal network. Would anyone be able to tell me what else I need to do
    here?

    Thanks in advance



    CISCO SYSTEMS PIX-501
    Embedded BIOS Version 4.3.200 07/31/01 15:58:22.08
    Compiled by morlee
    16 MB RAM

    PCI Device Table.
    Bus Dev Func VendID DevID Class Irq
    00 00 00 1022 3000 Host Bridge
    00 11 00 8086 1209 Ethernet 9
    00 12 00 8086 1209 Ethernet 10

    Cisco Secure PIX Firewall BIOS (4.2) #6: Mon Aug 27 15:09:54 PDT 2001
    Platform PIX-501
    Flash=E28F640J3 @ 0x3000000

    Use BREAK or ESC to interrupt flash boot.
    Use SPACE to begin flash boot immediately.
    Reading 1974784 bytes of image from flash.
    ################################################################################
    #################################
    16MB RAM
    mcwa i82559 Ethernet at irq 9 MAC: 000d.65c0.c245
    mcwa i82559 Ethernet at irq 10 MAC: 000d.65c0.c246
    Flash=E28F640J3 @ 0x3000000
    BIOS Flash=E28F640J3 @ 0xD8000

    -----------------------------------------------------------------------
    || ||
    || ||
    |||| ||||
    ..:||||||:..:||||||:..
    c i s c o S y s t e m s
    Private Internet eXchange
    -----------------------------------------------------------------------
    Cisco PIX Firewall

    Cisco PIX Firewall Version 6.3(5)
    Licensed Features:
    Failover: Disabled
    VPN-DES: Enabled
    VPN-3DES-AES: Enabled
    Maximum Physical Interfaces: 2
    Maximum Interfaces: 2
    Cut-through Proxy: Enabled
    Guards: Enabled
    URL-filtering: Enabled
    Inside Hosts: 50
    Throughput: Unlimited
    IKE peers: 10

    This PIX has a Restricted (R) license.


    ****************************** Warning *******************************
    Compliance with U.S. Export Laws and Regulations - Encryption.

    This product performs encryption and is regulated for export
    by the U.S. Government.

    This product is not authorized for use by persons located
    outside the United States and Canada that do not have prior
    approval from Cisco Systems, Inc. or the U.S. Government.

    This product may not be exported outside the U.S. and Canada
    either by physical or electronic means without PRIOR approval
    of Cisco Systems, Inc. or the U.S. Government.

    Persons outside the U.S. and Canada may not re-export, resell
    or transfer this product by either physical or electronic means
    without prior approval of Cisco Systems, Inc. or the U.S.
    Government.
    ******************************* Warning *******************************

    Copyright (c) 1996-2005 by Cisco Systems, Inc.

    Restricted Rights Legend

    Use, duplication, or disclosure by the Government is
    subject to restrictions as set forth in subparagraph
    (c) of the Commercial Computer Software - Restricted
    Rights clause at FAR sec. 52.227-19 and subparagraph
    (c) (1) (ii) of the Rights in Technical Data and Computer
    Software clause at DFARS sec. 252.227-7013.

    Cisco Systems, Inc.
    170 West Tasman Drive
    San Jose, California 95134-1706

    outside interface address added to PAT pool

    Cryptochecksum(unchanged): 08d5f7f6 ca8cfac2 9ea8f6b4 fbf84b54
    Type help or '?' for a list of available commands.
    pix501>

    pixfirewall> conf term
    Type help or '?' for a list of available commands.
    pixfirewall> enable
    Password:
    pixfirewall# conf term
    pixfirewall(config)# write term
    Building configuration...
    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list inside_access_in permit tcp any any
    access-list inside_access_in permit udp any any
    access-list inside_access_in permit icmp any any
    access-list inside_access_in permit ip any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group inside_access_in in interface inside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.129 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:139096f0d176c715a5fa614ddaa32d0a
    : end
    [OK]
    pixfirewall(config)#
     
    RG, Nov 27, 2007
    #1

  2. In article <VLS2j.1$>, "RG" <> writes:
    >Please, refer to the configuration below. This is the pix default
    >configuration. Pix is connecting on the outside interface successfully with
    >dhcp. However, I am not able to even resolve external site names from
    >internal network. Would anyone be able to tell me what else I need to do
    >here?


    >nameif ethernet0 outside security0
    >nameif ethernet1 inside security100


    Here you specify that data from outside is not allowed to inside unless
    explicitly permitted (by an access-list).

    >access-list inside_access_in permit tcp any any
    >access-list inside_access_in permit udp any any
    >access-list inside_access_in permit icmp any any
    >access-list inside_access_in permit ip any any


    This access-list permits everything.

    >global (outside) 1 interface
    >nat (inside) 1 0.0.0.0 0.0.0.0 0 0


    I am not quite sure whether such a statement will work. Try
    nat (inside) 1 192.168.1.0 255.255.255.0
    instead.

    >access-group inside_access_in in interface inside


    This allows everything from inside to outside.
    Perhaps you need an access-list for the outside interface as well.

    Regards,
    Christoph Gartmann

    --
    Max-Planck-Institut fuer Immunbiologie    Phone : +49-761-5108-464 Fax: -452
    Postfach 1169                             Internet: gartmann@immunbio dot mpg dot de
    D-79011 Freiburg, Germany
    http://www.immunbio.mpg.de/home/menue.html
     
    Christoph Gartmann, Nov 27, 2007
    #2

  3. RG

    Roman Guest

    Re: pix 501 - Problem Routing Requests from inside to outside networks

    On Nov 27, 6:42 am, (Christoph Gartmann) wrote:
    > In article <VLS2j.1$>, "RG" <> writes:
    > >Please, refer to the configuration below. This is the pix default
    > >configuration. Pix is connecting on the outside interface successfully with
    > >dhcp. However, I am not able to even resolve external site names from
    > >internal network. Would anyone be able to tell me what else I need to do
    > >here?
    > >nameif ethernet0 outside security0
    > >nameif ethernet1 inside security100

    >
    > Here you specify that data from outside is not allowed to inside unless
    > explicitly permitted (by an access-list).
    >
    > >access-list inside_access_in permit tcp any any
    > >access-list inside_access_in permit udp any any
    > >access-list inside_access_in permit icmp any any
    > >access-list inside_access_in permit ip any any

    >
    > This access-list permits everything.
    >
    > >global (outside) 1 interface
    > >nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    >
    > I am not quite sure whether such a statement will work. Try
    > nat (inside) 1 192.168.1.0 255.255.255.0
    > instead.
    >
    > >access-group inside_access_in in interface inside

    >
    > This allows everything from inside to outside.
    > Perhaps you need an access-list for the outside interface as well.
    >
    > Regards,
    > Christoph Gartmann
    >
    > --
    > Max-Planck-Institut fuer Immunbiologie    Phone : +49-761-5108-464 Fax: -452
    > Postfach 1169                             Internet: gartmann@immunbio dot mpg dot de
    > D-79011 Freiburg, Germany
    > http://www.immunbio.mpg.de/home/menue.html


    Thanks a lot for your help.

    Actually, ultimately the configuration I posted did work. The problem
    was that I had configured a client's DNS to be that of the gateway, the PIX 501.
    After supplying the WAN DNS server, everything worked.
     
    Roman, Nov 27, 2007
    #3
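The two points raised in this thread (Christoph's question about whether the `nat`/`global` pair is sound, and Roman's finding that a client pointed at the PIX itself for DNS cannot resolve anything) lend themselves to a small config lint. This is an added example, not code from the thread or from Cisco; `PIX_CONFIG` is a constructed excerpt of the config posted above, and `audit_pix_config` / `client_dns_is_usable` are names chosen here.

```python
import re
from ipaddress import ip_address

# Constructed excerpt of the PIX 6.3(5) running-config from the first post.
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_access_in permit ip any any
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
snmp-server community public
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd auto_config outside
"""

def audit_pix_config(text):
    """Return a list of findings for a PIX 6.x running-config."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings = []
    # 1. Every nat id needs a matching global id, otherwise nothing is
    #    translated on the way out and inside hosts never reach the Internet.
    nat_ids = {m.group(1) for l in lines if (m := re.match(r"nat \(\w+\) (\d+) ", l))}
    global_ids = {m.group(1) for l in lines if (m := re.match(r"global \(\w+\) (\d+) ", l))}
    for nid in sorted(nat_ids - global_ids):
        findings.append(f"nat id {nid} has no matching global statement")
    # 2. A permit-ip-any-any ACL bound 'in' on inside filters nothing outbound;
    #    that is the default behaviour anyway, but worth flagging for egress review.
    permit_all = {m.group(1) for l in lines
                  if (m := re.match(r"access-list (\S+) permit ip any any", l))}
    for l in lines:
        m = re.match(r"access-group (\S+) in interface (\w+)", l)
        if m and m.group(1) in permit_all:
            findings.append(f"access-list {m.group(1)} on {m.group(2)} permits everything outbound")
    # 3. The default SNMP community string ships in this config.
    if "snmp-server community public" in lines:
        findings.append("snmp-server community is the default 'public'")
    return findings

def client_dns_is_usable(client_dns, text):
    """False when the client uses the PIX inside address as its DNS server:
    PIX 6.3 is not a resolver, it only hands the ISP's servers to clients via
    'dhcpd auto_config outside' (Roman's root cause)."""
    m = re.search(r"ip address inside (\S+) ", text)
    inside_ip = ip_address(m.group(1)) if m else None
    return ip_address(client_dns) != inside_ip
```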
