No Internet Access Cisco Pix 506e

Discussion in 'Cisco' started by [email protected], Jul 9, 2011.


    [email protected]

    Jul 9, 2011
    Hoping someone can help me out here. I've got a headache from staring at this config.

    Here's what's happening. I have had this Pix 506e in operation for quite a while that was connecting successfully to my ISP via DHCP. We decided to get a STATIC I.P. address and that's when trouble started.

    I had it working with no problem but for some reason now nobody on the inside can get out to the internet. I have it configured so I can connect with a Cisco client and that still works (I can get in from the outside). I think it's something to do with the access-list or NAT but I can't figure it out.

    Here is what is successful:

    I can login to the router from the outside
    While logged into the router I can ping outside addresses (yahoo, etc)
    While logged into the router I can ping the inside addresses (192.168.170.x)
    PCs can ping the router at
    I can Remote Desktop into PCs on the LAN

    Here is what is unsuccessful:

    I cannot ping addresses outside the LAN from a PC using IP address or name

    Obviously if I can't ping outside addresses I can't reach the outside world.

    Here is my config:

    Building configuration...
    : Saved
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100

    hostname DrG
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25

    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    access-list outside_cryptomap_dyn_20 permit tcp
    access-list nonat permit ip
    access-list nonat permit ip
    access-list nonat permit ip
    access-list 101 permit ip
    access-list acl_in permit icmp any any
    access-list acl_in permit tcp any host eq telnet
    access-list outside-in permit tcp any host 69.92.xx.xx eq 3389
    access-list outside-in permit icmp any any echo-reply
    access-list outside_in permit tcp any any eq 3389
    access-list outside_in permit tcp any any eq 3390
    access-list outside_in permit tcp any any eq 3391
    access-list inside_access_in permit ip
    pager lines 24
    mtu outside 1500
    mtu inside 1500

    ip address outside 69.92.xx.xx
    ip address inside

    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool

    no pdm history enable
    arp timeout 14400

    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0 0

    static (inside,outside) tcp interface telnet telnet netmask 0 0

    static (inside,outside) tcp interface pcanywhere-data pcanywhere-data netmask 0 0

    static (inside,outside) udp interface 5631 5631 netmask 0 0

    static (inside,outside) tcp interface 5632 5632 netmask 0 0

    static (inside,outside) udp interface pcanywhere-status pcanywhere-status netmask 0 0

    static (inside,outside) tcp interface sqlnet sqlnet netmask 0 0

    static (inside,outside) tcp interface 3389 3389 netmask 0 0
    static (inside,outside) netmask 0 0

    access-group outside-in in interface outside
    access-group inside_access_in in interface inside
    route outside 1

    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius

    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local

    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec

    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map mymap 10 ipsec-isakmp
    crypto map mymap 10 match address 101
    crypto map mymap 10 set peer
    crypto map mymap 10 set transform-set ESP-3DES-MD5
    crypto map mymap 99 ipsec-isakmp dynamic outside_dyn_map
    crypto map mymap interface outside
    isakmp enable outside
    isakmp key ******** address netmask
    isakmp identity address

    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup remaccess address-pool ippool
    vpngroup remaccess idle-time 1800
    vpngroup remaccess password ********

    telnet inside
    telnet inside

    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn enable outside
    dhcpd dns
    terminal width 80
    : end

    Thanks for help in advance!
    [email protected], Jul 9, 2011
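
Added example (not part of the original post and not Cisco tooling): a small Python check over the ACL-related lines of the config above. It reports access lists that nothing references, names that differ only by `-` versus `_`, and which ACL filters traffic entering each interface. The function names and regexes are assumptions that cover only the PIX 6.x line forms seen in the post.

```python
import re
from collections import defaultdict

# Excerpt of the posted config, unchanged (addresses were already stripped on
# the page). Assumption: only the PIX 6.x line forms seen there are parsed.
SAMPLE = """\
access-list nonat permit ip
access-list acl_in permit icmp any any
access-list outside-in permit tcp any host 69.92.xx.xx eq 3389
access-list outside_in permit tcp any any eq 3389
access-list outside_cryptomap_dyn_20 permit tcp
access-list inside_access_in permit ip
nat (inside) 0 access-list nonat
access-group outside-in in interface outside
access-group inside_access_in in interface inside
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
"""

def parse(config):
    """Return (acls, refs, bound): rules per ACL, uses per ACL, ACL per interface."""
    acls, refs, bound = defaultdict(list), defaultdict(list), {}
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"access-list (\S+) (.+)", line):
            acls[m[1]].append(m[2])
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            refs[m[1]].append("access-group " + m[2])
            bound[m[2]] = m[1]  # only permits in this ACL pass inbound on the interface
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            refs[m[1]].append("nat 0")
        elif m := re.search(r"\bmatch address (\S+)", line):
            refs[m[1]].append("crypto map")
    return acls, refs, bound

def audit(config):
    """List ACL bookkeeping problems as (kind, detail) tuples."""
    acls, refs, _ = parse(config)
    findings = [("unreferenced", n) for n in acls if n not in refs]
    findings += [("undefined", n) for n in refs if n not in acls]
    spellings = defaultdict(set)
    for name in acls:  # names differing only in '-' vs '_' are easy to confuse
        spellings[name.replace("-", "_")].add(name)
    findings += [("near-duplicate", tuple(sorted(s)))
                 for s in spellings.values() if len(s) > 1]
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(parse(SAMPLE)[2])  # interface -> ACL that filters traffic entering it
```

On the posted lines it reports `acl_in` and `outside_in` as unreferenced and `outside-in`/`outside_in` as a near-duplicate pair. The inside interface is filtered by `inside_access_in`, whose single rule is truncated on the page.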