pix 501 setup trouble newbie

Discussion in 'Cisco' started by Greg Gibson, Nov 27, 2003.

  1. Greg Gibson

    Greg Gibson Guest

    I have three books, and just can't get this pix 501 to go!

    I have 1 computer on the inside interface at 192.168.0.3 /24 and the pix
    inside is 192.168.0.1 /24

    The pix outside is 192.168.1.1 and it is connected to a dsl router at
    192.168.1.2 which goes to the dsl modem.

    I cannot ping from the pix to 192.168.1.2 (its default route or next hop
    out!)

    It is now the case that the computer at 192.168.0.3 is trying for a long
    time to get out to www.msn.com, but fails.

    I have turned on ethernet0 and ethernet1 with interface (removing shutdown)
    Used nameif to set the security 100 and 0 respectively
    Set a default route to 192.168.1.2
    Turned off nat, established the following access list for that:

    pixx# show nat
    nat (inside) 0 access-list inside_public
    pixx# show access-list
    access-list inside_public; 1 elements
    access-list inside_public permit ip 192.168.0.0 255.255.255.0 any
    (hitcnt=93)
    pixx#
    pixx# show route
    outside 0.0.0.0 0.0.0.0 192.168.1.2 1 OTHER static
    inside 192.168.0.0 255.255.255.0 192.168.0.1 1 CONNECT static
    outside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
    pixx#

    (I notice that the above ranges look a little small, are they the problem?)

    Turned on icmp through the router:

    icmp permit 192.168.0.0 255.255.255.0 echo-reply outside
    icmp permit any unreachable outside

    Of course, I really appreciate the time it takes to reply.

    Thanks,

    Greg

    Here is the "write terminal" setup....

    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname pixx
    domain-name gsgi.homeunix.org
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    access-list inside_public permit ip 192.168.0.0 255.255.255.0 any
    interface ethernet0 10baset
    interface ethernet1 10full
    icmp permit 192.168.0.0 255.255.255.0 echo-reply outside
    icmp permit any unreachable outside
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.1.1 255.255.255.0
    ip address inside 192.168.0.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    nat (inside) 0 access-list inside_public
    route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    no sysopt route dnat
    telnet timeout 5
    ssh timeout 5
    terminal width 80
    Cryptochecksum:4235cf79ebc381a02e043ee70e34332e
    : end
    [OK]
    Greg Gibson, Nov 27, 2003
    #1

  2. In article <kHtxb.969$>,
    Greg Gibson <> wrote:
    :I have three books, and just can't get this pix 501 to go!

    :I cannot ping from the pix to 192.168.1.2 (its default route or next hop
    :out!)

    :access-list inside_public permit ip 192.168.0.0 255.255.255.0 any
    :ip address outside 192.168.1.1 255.255.255.0
    :ip address inside 192.168.0.1 255.255.255.0
    :nat (inside) 0 access-list inside_public
    :route outside 0.0.0.0 0.0.0.0 192.168.1.2 1

    nat 0 access-lists are to be interpreted with the first group being
    the source address from inside, and the second group being
    the destination. Your list uses 192.168.0.0/24 as the source,
    but no traffic from inside is going to match that, so that ACL is
    not going to be used in practice.

    Meanwhile, you have no nat/global pair for any other traffic, so the
    PIX isn't going to know how to translate 192.168.1.0/24 traffic
    as it goes out, so the PIX is going to drop that traffic.

    I would suggest that you stick with nat/global pairs, and static, until
    such time as you are setting up VPNs.
    --
    Usenet is one of those "Good News/Bad News" comedy routines.
    Walter Roberson, Nov 27, 2003
    #2

  3. Brian Bergin

    Brian Bergin Guest

    "Greg Gibson" <> wrote:

    |I have three books, and just can't get this pix 501 to go!
    |
    |I have 1 computer on the inside interface at 192.168.0.3 /24 and the pix
    |inside is 192.168.0.1 /24
    |
    |The pix outside is 192.168.1.1 and it is connected to a dsl router at
    |192.168.1.2 which goes to the dsl modem.
    |
    |I cannot ping from the pix to 192.168.1.2 (its default route or next hop
    |out!)

    First I would suggest seeing if you can get your DSL modem in bridged mode and
    not NAT mode. Almost every DSL modem I've seen can be put in bridge mode. Your
    ISP won't be thrilled when you call, but you also won't run into the problems
    NAT behind NAT can cause.

    Thanks...
    Brian Bergin

    I can be reached via e-mail at
    cisco_dot_news_at_comcept_dot_net.

    Please post replies to the group so all may benefit.
    Brian Bergin, Nov 28, 2003
    #3
  4. Rik Bain

    Rik Bain Guest

    On Thu, 27 Nov 2003 15:06:24 -0600, Greg Gibson wrote:

    > I have three books, and just can't get this pix 501 to go!
    >
    > I have 1 computer on the inside interface at 192.168.0.3 /24 and the pix
    > inside is 192.168.0.1 /24
    >
    > The pix outside is 192.168.1.1 and it is connected to a dsl router at
    > 192.168.1.2 which goes to the dsl modem.
    >
    > I cannot ping from the pix to 192.168.1.2 (its default route or next hop
    > out!)
    >
    > It is now the case that the computer at 192.168.0.3 is trying for a long
    > time to get out to www.msn.com, but fails.
    >
    > I have turned on ethernet0 and ethernet1 with interface (removing
    > shutdown) Used nameif to set the security 100 and 0 respectively Set a
    > default route to 192.168.1.2
    > Turned off nat, established the following access list for that:
    >
    > pixx# show nat
    > nat (inside) 0 access-list inside_public pixx# show access-list
    > access-list inside_public; 1 elements access-list inside_public permit
    > ip 192.168.0.0 255.255.255.0 any (hitcnt=93) pixx#
    > pixx# show route
    > outside 0.0.0.0 0.0.0.0 192.168.1.2 1 OTHER static inside
    > 192.168.0.0 255.255.255.0 192.168.0.1 1 CONNECT static outside
    > 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
    > pixx#
    >
    > (I notice that the above ranges look a little small, are they the
    > problem?)
    >
    > Turned on icmp through the router:
    >
    > icmp permit 192.168.0.0 255.255.255.0 echo-reply outside icmp permit any
    > unreachable outside
    >
    > Of course, I really appreciate the time it takes to reply.
    >
    > Thanks,
    >
    > Greg


    Does the dsl router have a route to 192.168.0.0/24?
    Rik Bain, Nov 28, 2003
    #4
  5. Greg Gibson

    Greg Gibson Guest


    > Does the dsl router have a route to 192.168.0.0/24?


    It is just a dumb netgear dsl router. So no, the netgear doesn't have a
    route to 192.168.0.0 /24?

    But, even if that is a problem, it still wouldn't explain
    why I can't ping 192.168.1.2 from 'outside' on the
    pix which is 192.168.1.1, would it?

    I really appreciate the time it takes to reply.

    Thanks,

    -Greg
    Greg Gibson, Nov 28, 2003
    #5
  6. Rik Bain

    Rik Bain Guest

    On Thu, 27 Nov 2003 20:37:48 -0600, Greg Gibson wrote:



    >> Does the dsl router have a route to 192.168.0.0/24?

    >
    > It is just a dumb netgear dsl router. So no, the netgear doesn't have a
    > route to 192.168.0.0 /24?
    >
    > But, even if that is a problem, it still wouldn't explain why I can't
    > ping 192.168.1.2 from 'outside' on the pix which is 192.168.1.1, would
    > it?
    >
    > I really appreciate the time it takes to reply.
    >
    > Thanks,
    >
    > -Greg


    you will need a route to 192.168.0.0/24 on the netgear or it won't be able
    to talk to the internal hosts.

    as for not being able to ping directly connected devices, your icmp
    policy does not allow it. you are permitting 192.168.0.0/24 and the
    reply will come from the 192.168.1.0/24 network.

    do a "clear icmp" to remove the icmp restrictions for now and try again.
    if it fails, check arp on both devices.


    Rik Bain
    Rik Bain, Nov 28, 2003
    #6
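Rik's diagnosis above (the PIX "icmp" control list applies to ICMP that terminates on the box, and the reply to the PIX's own ping comes from 192.168.1.2, which only the 192.168.0.0/24 rule could have matched) can be checked with a small model of how that list is evaluated. This is an added illustration written for this thread, not PIX code; it assumes the rule semantics from the PIX documentation (first match wins, an interface with no icmp rules accepts all ICMP to itself, an interface with at least one rule ends in an implicit deny) and uses Greg's two rules and the "clear icmp" state as inputs.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IcmpRule:
    action: str                     # "permit" or "deny"
    network: ipaddress.IPv4Network  # source addresses the rule covers
    icmp_type: Optional[str]        # None means any ICMP type
    interface: str                  # PIX interface the ICMP arrives on


def parse_icmp_rule(line: str) -> IcmpRule:
    """Parse one 'icmp permit|deny <src> <mask>|any [<type>] <iface>' line."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "icmp" or parts[1] not in ("permit", "deny"):
        raise ValueError(f"not an icmp control rule: {line!r}")
    action = parts[1]
    if parts[2] == "any":
        network = ipaddress.ip_network("0.0.0.0/0")
        rest = parts[3:]
    else:
        # PIX writes the mask in dotted form; ipaddress accepts "addr/mask".
        network = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
        rest = parts[4:]
    if len(rest) == 2:
        icmp_type, interface = rest
    elif len(rest) == 1:
        icmp_type, interface = None, rest[0]
    else:
        raise ValueError(f"malformed icmp rule: {line!r}")
    return IcmpRule(action, network, icmp_type, interface)


def icmp_to_box_allowed(rules: List[IcmpRule], src: str,
                        icmp_type: str, interface: str) -> bool:
    """Would ICMP of this type from src, arriving on interface, reach the PIX itself?"""
    iface_rules = [r for r in rules if r.interface == interface]
    if not iface_rules:
        return True                 # no control list on this interface: all ICMP accepted
    addr = ipaddress.ip_address(src)
    for rule in iface_rules:        # first match wins
        if addr in rule.network and rule.icmp_type in (None, icmp_type):
            return rule.action == "permit"
    return False                    # implicit deny at the end of the list


# Greg's rules as posted (constructed input taken from his write terminal output).
GREGS_RULES = [parse_icmp_rule(line) for line in (
    "icmp permit 192.168.0.0 255.255.255.0 echo-reply outside",
    "icmp permit any unreachable outside",
)]
AFTER_CLEAR_ICMP: List[IcmpRule] = []   # state after "clear icmp"
# Hypothetical corrected rule: permit replies from the outside subnet instead.
CORRECTED_RULES = [parse_icmp_rule(
    "icmp permit 192.168.1.0 255.255.255.0 echo-reply outside")]


def pix_ping_reply_accepted(rules: List[IcmpRule]) -> bool:
    """The PIX pings 192.168.1.2; the echo-reply arrives on 'outside' from that host."""
    return icmp_to_box_allowed(rules, "192.168.1.2", "echo-reply", "outside")


if __name__ == "__main__":
    for name, rules in (("as posted", GREGS_RULES),
                        ("after clear icmp", AFTER_CLEAR_ICMP),
                        ("corrected rule", CORRECTED_RULES)):
        print(f"{name:17}: reply from 192.168.1.2 accepted = {pix_ping_reply_accepted(rules)}")
```

The point the model makes visible is that the source address in an "icmp" rule is the peer the PIX is talking to, so a rule written for the inside subnet never covers replies arriving on the outside interface, and once any rule exists on that interface the implicit deny drops everything else.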
  7. Greg Gibson

    Greg Gibson Guest

    "Walter Roberson" <-cnrc.gc.ca>

    > nat 0 access-lists are to be interpreted with the first group being
    > the source address from inside, and the second group being
    > the destination. Your list uses 192.168.0.0/24 as the source,
    > but no traffic from inside is going to match that, so that ACL is
    > not going to be used in practice.
    >
    > Meanwhile, you have no nat/global pair for any other traffic, so the
    > PIX isn't going to know how to translate 192.168.1.0/24 traffic
    > as it goes out, so the PIX is going to drop that traffic.
    >
    > I would suggest that you stick with nat/global pairs, and static, until
    > such time as you are setting up VPNs.


    I guess I'm going to need quite a bit of hand holding here. How is it that the
    computer on the inside at 192.168.0.3 /24 doesn't match the acl of
    192.168.0.0 /24?

    Now that I think about it, without telling the netgear dsl router to default route
    to 192.168.1.1 it may be tricky to get the pix to sit behind the netgear.
    Oh, maybe I'll make 192.168.1.1 (pix outside) the dmz on the netgear.

    All I wanted to do was to turn off NAT and have it firewall behind the netgear
    for a few machines attached to the pix (on the inside) while I play with it.
    i.e. learn about it...

    I appreciate your input.

    Thanks,
    Greg

    > --
    > Usenet is one of those "Good News/Bad News" comedy routines.
    Greg Gibson, Nov 28, 2003
    #7
  8. Greg Gibson

    Greg Gibson Guest

    "Brian Bergin" <_domain> wrote in message

    > First I would suggest seeing if you can get your DSL modem in bridged mode

    and
    > not NAT mode. Almost every DSL modem I've seen can be put in bridge mode.

    Your
    > ISP won't be thrilled when you call, but you also won't run into the

    problems
    > NAT behind NAT can cause.
    >
    > Thanks...
    > Brian Bergin
    >


    Ummm, the dsl modem isn't doing NAT, the Netgear DSL router is doing the NAT
    and I just don't think I can turn that off. This is why my first attempt
    was to turn off NAT on the pix, to avoid double NAT, or more precisely perhaps,
    double PAT.
    Other than the fact that it seems weird, what bad things will double PAT do?

    I appreciate your input.

    Thanks,

    Greg
    Greg Gibson, Nov 28, 2003
    #8
  9. Greg Gibson

    Greg Gibson Guest

    > do a "clear icmp" to remove the icmp restrictions for now and try again.
    > if it fails, check arp on both devices.
    >
    > Rik Bain


    pixx(config)# clear icmp
    pixx(config)# exit

    ping 192.168.1.2
    192.168.1.2 response received -- 0ms
    192.168.1.2 response received -- 0ms
    192.168.1.2 response received -- 0ms


    Ok! That fixed that. So these books say that you can't ping through the pix
    without turning icmp on and that is what I thought I was doing, but now I see
    that those commands were using the outside interface not the inside interface.
    (At least I can ping from the pix now! phew!)

    The ultimate goal is to get the computer inside (192.168.0.3) to ping the netgear
    router at 192.168.1.2 ... then maybe I can even get the web to work on old
    .0.3 :)

    Thanks for the troubleshoot!

    -Greg
    Greg Gibson, Nov 28, 2003
    #9
  11. Rik Bain

    Rik Bain Guest

    On Thu, 27 Nov 2003 21:11:23 -0600, Greg Gibson wrote:

    >> do a "clear icmp" to remove the icmp restrictions for now and try
    >> again. if it fails, check arp on both devices.
    >>
    >> Rik Bain

    >
    > pixx(config)# clear icmp
    > pixx(config)# exit
    >
    > ping 192.168.1.2
    > 192.168.1.2 response received -- 0ms
    > 192.168.1.2 response received -- 0ms
    > 192.168.1.2 response received -- 0ms
    >
    >
    > Ok! That fixed that. So these books say that you can't ping through
    > the pix without turning icmp on and that is what I thought I was doing,
    > but now I
    > see that those commands were using the outside interface not the inside
    > interface. (At least I can ping from the pix now! phew!)
    >
    > The ultimate goal is to get the computer inside (192.168.0.3) to ping
    > the netgear
    > router at 192.168.1.2 ... then maybe I can even get the web to work on
    > old .0.3 :)
    >
    > Thanks for the troubleshoot!
    >
    > -Greg



    To ping /through/ the pix you will need to permit icmp in an access-list
    or conduit. The icmp command is for pings /to/ or /from/ the pix.

    The netgear will need to know where 192.168.0.0/24 is. Add a static route
    to that network and point it at the pix outside and you should be good to
    go.

    Rik Bain
    Rik Bain, Nov 28, 2003
    #11
  12. Greg Gibson

    Greg Gibson Guest

    OK, the thing is at least working behind the netgear. It is
    doing PAT and so is the netgear. By working I mean, I
    can now browse the web from 192.168.0.3 ...

    here is the setup now:

    global (outside) 1 192.168.1.3 netmask 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 192.168.1.2 1

    Thanks to everyone who helped!

    -Greg

    "Brian Bergin" <_domain> wrote in message
    news:...
    > "Greg Gibson" <> wrote:
    >
    > |I have three books, and just can't get this pix 501 to go!
    > |
    > |I have 1 computer on the inside interface at 192.168.0.3 /24 and the pix
    > |inside is 192.168.0.1 /24
    > |
    > |The pix outside is 192.168.1.1 and it is connected to a dsl router at
    > |192.168.1.2 which goes to the dsl modem.
    > |
    > |I cannot ping from the pix to 192.168.1.2 (its default route or next hop
    > |out!)
    >
    > First I would suggest seeing if you can get your DSL modem in bridged mode

    and
    > not NAT mode. Almost every DSL modem I've seen can be put in bridge mode.

    Your
    > ISP won't be thrilled when you call, but you also won't run into the

    problems
    > NAT behind NAT can cause.
    >
    > Thanks...
    > Brian Bergin
    >
    > I can be reached via e-mail at
    > cisco_dot_news_at_comcept_dot_net.
    >
    > Please post replies to the group so all may benefit.
    Greg Gibson, Nov 28, 2003
    #12
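Rik's point in #11 (the Netgear has no route back to 192.168.0.0/24 until a static route points it at the PIX outside address) and Greg's working configuration in #12 (the PIX now PATs everything behind 192.168.1.3, an address on the Netgear's own LAN) are two ways of fixing the same return-path problem. The following added example, written for this thread and not taken from either device, models the Netgear's routing table with longest-prefix matching and the PIX "nat (inside) 1 0.0.0.0 0.0.0.0" / "global (outside) 1 192.168.1.3" pair from #12; the Netgear's table entries and their labels are constructed for the illustration.

```python
import ipaddress
from typing import List, Optional, Tuple

# (destination prefix, next hop or egress label) as a constructed Netgear table entry
Route = Tuple[ipaddress.IPv4Network, str]


def route(dst: str, mask: str, via: str) -> Route:
    """Build a table entry from dotted address/mask, as the devices write them."""
    return (ipaddress.ip_network(f"{dst}/{mask}", strict=False), via)


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific prefix containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, via in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


# Constructed model of the Netgear's table before any change: its LAN and a
# default route toward the ISP. 192.168.0.0/24 is not in it.
NETGEAR_BASE: List[Route] = [
    route("192.168.1.0", "255.255.255.0", "lan-connected"),
    route("0.0.0.0", "0.0.0.0", "wan-default"),
]
# Rik's fix from #11: a static route for the inside subnet via the PIX outside address.
NETGEAR_WITH_STATIC: List[Route] = NETGEAR_BASE + [
    route("192.168.0.0", "255.255.255.0", "192.168.1.1"),
]

# Greg's final PIX pair from #12: nat (inside) 1 0.0.0.0 0.0.0.0 matches every
# inside host; global (outside) 1 192.168.1.3 is the single address they share (PAT).
NAT_INSIDE_1 = ipaddress.ip_network("0.0.0.0/0")
GLOBAL_OUTSIDE_1 = "192.168.1.3"


def pat_source(src: str, nat_net: ipaddress.IPv4Network, global_addr: str) -> str:
    """Source address the outside world sees after the PIX applies the nat/global pair."""
    return global_addr if ipaddress.ip_address(src) in nat_net else src


def return_path(netgear_table: List[Route], inside_host: str, pix_pat: bool) -> Optional[str]:
    """Where the Netgear sends its reply to a request that came from inside_host.

    It replies to the source address it saw: the real inside address when the
    PIX does not translate (Greg's nat 0 attempt), or the global address when it does.
    """
    seen = pat_source(inside_host, NAT_INSIDE_1, GLOBAL_OUTSIDE_1) if pix_pat else inside_host
    return lookup(netgear_table, seen)


if __name__ == "__main__":
    host = "192.168.0.3"
    print("no NAT, no static route :", return_path(NETGEAR_BASE, host, False))
    print("no NAT, static route    :", return_path(NETGEAR_WITH_STATIC, host, False))
    print("PIX PAT, no static route:", return_path(NETGEAR_BASE, host, True))
```

Without translation the Netgear's best match for 192.168.0.3 is the default route, so the reply goes toward the ISP and never comes back through the PIX; the static route makes 192.168.1.1 the next hop instead, and PAT sidesteps the question entirely because the Netgear only ever sees 192.168.1.3 on its connected LAN. Either approach restores the return path; the static route keeps the inside addresses visible to the Netgear, while PAT hides them behind one address.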
  13. Brian Bergin

    Brian Bergin Guest

    "Greg Gibson" <> wrote:

    |
    |"Brian Bergin" <_domain> wrote in message
    |
    |> First I would suggest seeing if you can get your DSL modem in bridged mode
    |and
    |> not NAT mode. Almost every DSL modem I've seen can be put in bridge mode.
    |Your
    |> ISP won't be thrilled when you call, but you also won't run into the
    |problems
    |> NAT behind NAT can cause.
    |>
    |> Thanks...
    |> Brian Bergin
    |>
    |
    |Ummm, the dsl modem isn't doing NAT, the Netgear DSL router is doing the
    |NAT
    |and I just don't think I can turn that off. This is why my first attempt
    |was to turn
    |off NAT on the pix, to avoid double NAT, or more precisely perhaps, double
    |PAT.
    |Other than the fact that it seems weird, what bad things will double PAT do?
    |
    |I appreciate your input.
    |
    |Thanks,
    |
    |Greg
    |

    Why do you need the DSL router AND the PIX? Dump the Netgear, it's no match for
    the PIX.

    Thanks...
    Brian Bergin

    I can be reached via e-mail at
    cisco_dot_news_at_comcept_dot_net.

    Please post replies to the group so all may benefit.
    Brian Bergin, Nov 28, 2003
    #13
  14. Brian Bergin

    Brian Bergin Guest

    Greg,

    Please explain why you need the low end Netgear NAT device when you have a
    CLEARLY superior PIX? The PIX can do everything the Netgear can do and MUCH
    MUCH more. Dump the Netgear, config the PIX to do NAT and be done with it.
    Doing NAT behind NAT introduces lots of potential gotcha's and potential
    incompatibilities. Get rid of the $50 Netgear and use the real firewall.

    Of course, IMHO...

    Thanks...
    Brian Bergin

    I can be reached via e-mail at
    cisco_dot_news_at_comcept_dot_net.

    Please post replies to the group so all may benefit.
    Brian Bergin, Nov 28, 2003
    #14