Cisco PIX 501 madness ... help

Discussion in 'Cisco' started by stevo321, Apr 5, 2004.

  1. stevo321

    stevo321 Guest


    I got a problem with my pix that is driving me mad. I have created a
    tunnel from my pix to my checkpoint firewall, and traffic seems to be
    flowing down that pretty well. However my problem arises when I want
    to give people at the pix site access to the internet. They have a
    private network so I know I need to nat. I have tried but nothing
    seems to be happening. According to the manual I shouldn't need any
    access lists. What I want to do is translate all outbound traffic (not
    meant for the VPN tunnel) to the external address of the pix.

    I have put my config below, anyone with any ideas would be much


    orpix01# sh run
    : Saved
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd xLYvCzQzfWK01Tnh encrypted
    hostname orpix01
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    object-group service WebServices tcp
    description Allow services to allow web surfing
    port-object eq www
    port-object eq https
    access-list VPN-Nets permit ip
    access-list VPN-Nets permit ip
    access-list VPN-Nets permit ip
    access-list VPN-Nets permit ip
    access-list VPN-Nets-In permit ip
    access-list VPN-Nets-In permit ip
    access-list Outbound permit ip any
    pager lines 24
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside 212.148.x.y
    ip address inside
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 212.148.x.z
    nat (inside) 0 access-list VPN-Nets
    nat (inside) 1 0 0
    access-group VPN-Nets in interface outside
    access-group Outbound in interface inside
    route outside 212.148.x.w 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 62.130.b.c outside
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map fw-dss-derwent 10 ipsec-isakmp
    crypto map fw-dss-derwent 10 match address VPN-Nets
    crypto map fw-dss-derwent 10 set peer 195.105.m.n
    crypto map fw-dss-derwent 10 set transform-set ESP-3DES-SHA
    crypto map fw-dss-derwent interface outside
    isakmp enable outside
    isakmp key ******** address 195.105.m.n netmask
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet inside
    telnet timeout 5
    ssh 62.130.b.c outside
    ssh timeout 5
    management-access outside
    console timeout 0
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    : end
    stevo321, Apr 5, 2004

  2. Try:

    global (outside) 1 interface
    Jyri Korhonen, Apr 5, 2004

  3. stevo321

    stevo321 Guest

    Cheers for the suggestion.

    OK, I have deleted my old global line and replaced it with the one you
    suggested. However nothing seems to be happening. Has anyone got any
    other ideas?

    How do I debug NAT to see what's going on?

    stevo321, Apr 6, 2004
  4. You do have the following lines?

    access-list NONAT <your-local-net> <netmask> <ipsec-dest-net> <netmask>

    global (outside) 1 interface
    nat (inside) 0 access-list <name of access-list that holds IPSEC traffic>
    nat (inside) 1 <your-local-net> <netmask> 0 0

    I use this and it works like a charm. I combine IPSEC and PAT on one fixed
    IP and these are the three crucial lines.

    Raymond Doetjes, Apr 6, 2004
  5. access-list Outbound permit ip any
    global (outside) 1 interface
    nat (inside) 1 0 0
    access-group Outbound in interface inside

    This should be enough if the inside hosts are in IP range 192.168.33.x.
    However this line

    access-group VPN-Nets in interface outside

    is unnecessary and can cause problems. Remove it.
    show xlate


    logging on
    logging buffered debug
    show logging [<-frequently]
    Jyri Korhonen, Apr 6, 2004
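    The two replies above boil down to a handful of NAT/VPN lines that must fit together: a nat 0 exemption for the tunnel traffic, a nat/global pair for internet traffic, and no access-group binding of the crypto ACL. The checker below is an added example (not from the thread) that reads a PIX 6.x-style config and flags exactly those points; the sample config is constructed with placeholder addresses.

```python
import re

# Constructed PIX 6.3-style fragment modelled on the thread; addresses are
# placeholders, not the poster's real values.
SAMPLE_CONFIG = """\
access-list VPN-Nets permit ip 192.168.33.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list Outbound permit ip any any
global (outside) 1 interface
nat (inside) 0 access-list VPN-Nets
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group VPN-Nets in interface outside
access-group Outbound in interface inside
crypto map fw-dss-derwent 10 match address VPN-Nets
"""

def lint_pix_nat(config):
    """Return findings about how NAT, PAT and IPsec interact in a PIX 6.x config."""
    findings = []
    nat_exempt_acls, nat_ids, global_ids = set(), set(), set()
    crypto_acls, group_acls = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        # nat 0 with an ACL = NAT exemption for the VPN networks
        if m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            nat_exempt_acls.add(m.group(1))
        elif m := re.match(r"nat \(\S+\) (\d+) ", line):
            nat_ids.add(int(m.group(1)))
        elif m := re.match(r"global \(\S+\) (\d+) ", line):
            global_ids.add(int(m.group(1)))
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            crypto_acls.add(m.group(1))
        elif m := re.match(r"access-group (\S+) in interface", line):
            group_acls.add(m.group(1))
    if not nat_exempt_acls:
        findings.append("no 'nat (inside) 0 access-list' line: tunnel traffic would be PATed")
    if not nat_ids - {0}:
        findings.append("no 'nat (inside) <id>' line for internet-bound traffic")
    for nid in sorted(nat_ids - {0} - global_ids):
        findings.append(f"nat id {nid} has no matching 'global (outside) {nid}'")
    for acl in sorted(crypto_acls & group_acls):
        findings.append(f"crypto ACL {acl} is also bound with access-group; remove that binding")
    for acl in sorted(crypto_acls - nat_exempt_acls):
        findings.append(f"crypto ACL {acl} is not used for NAT exemption")
    return findings

def fixed_config():
    """The sample with the stray access-group binding of the crypto ACL removed."""
    return SAMPLE_CONFIG.replace("access-group VPN-Nets in interface outside\n", "")
```

Running it over the sample reports only the access-group binding of VPN-Nets; once that line is removed the config passes clean.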
  6. stevo321

    stevo321 Guest

    It's working .....

    In the end I did clear xlate and everything seemed to spring into life.

    Thanks for all the help everybody, it's seriously appreciated!


    stevo321, Apr 11, 2004