No Internet Access Cisco Pix 506e

Discussion in 'Cisco' started by robert@unetix.net, Jul 9, 2011.

  1. robert@unetix.net

    Hoping someone can help me out here. I've got a headache from staring at this config.

    Here's what's happening. I have had this Pix 506e in operation for quite a while that was connecting successfully to my ISP via DHCP. We decided to get a STATIC I.P. address and that's when trouble started.

    I had it working with no problem, but for some reason now nobody on the inside can get out to the internet. I have it configured so I can connect with a Cisco client, and that still works (I can get in from the outside). I think it's something to do with the access-list or NAT, but I can't figure it out.

    Here is what is successful:

    I can login to the router from the outside
    While logged into the router I can ping outside addresses (yahoo, etc)
    While logged into the router I can ping the inside addresses (192.168.170.x)
    PCs can ping the router at 192.168.170.254
    I can Remote Desktop into PCs on the LAN

    Here is what is unsuccessful:

    I cannot ping addresses outside the LAN from a PC using IP address or name

    Obviously if I can't ping outside addresses I can't reach the outside world.

    Here is my config:

    Building configuration...
    : Saved
    :
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100

    hostname DrG
    domain-name mydomain.net
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside_cryptomap_dyn_20 permit tcp 192.168.170.0 255.255.255.0 192.168.9.0 255.255.255.0
    access-list nonat permit ip 192.168.170.0 255.255.255.0 192.168.9.0 255.255.255.0
    access-list nonat permit ip 192.168.170.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list nonat permit ip 192.168.170.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list 101 permit ip 192.168.170.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list acl_in permit icmp any any
    access-list acl_in permit tcp any host 69.92.xxx.xxx eq telnet
    access-list outside-in permit tcp any host 69.92.xx.xx eq 3389
    access-list outside-in permit icmp any any echo-reply
    access-list outside_in permit tcp any any eq 3389
    access-list outside_in permit tcp any any eq 3390
    access-list outside_in permit tcp any any eq 3391
    access-list inside_access_in permit ip 192.168.170.0 255.255.255.0 192.168.9.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500

    ip address outside 69.92.xx.xx 255.255.255.0
    ip address inside 192.168.170.254 255.255.255.0

    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool 192.168.9.100-192.168.9.200

    no pdm history enable
    arp timeout 14400

    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    static (inside,outside) tcp interface telnet 192.168.170.253 telnet netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface pcanywhere-data 192.168.170.22 pcanywhere-data netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 5631 192.168.170.22 5631 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5632 192.168.170.22 5632 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface pcanywhere-status 192.168.170.22 pcanywhere-status netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface sqlnet 192.168.170.161 sqlnet netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 3389 192.168.170.40 3389 netmask 255.255.255.255 0 0
    static (inside,outside) 69.92.xxx.xxx 69.92.xxx.xxx netmask 255.255.255.255 0 0

    access-group outside-in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 69.92.99.1 1

    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius

    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local

    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec

    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map mymap 10 ipsec-isakmp
    crypto map mymap 10 match address 101
    crypto map mymap 10 set peer 69.92.xxx.xxx
    crypto map mymap 10 set transform-set ESP-3DES-MD5
    crypto map mymap 99 ipsec-isakmp dynamic outside_dyn_map
    crypto map mymap interface outside
    isakmp enable outside
    isakmp key ******** address 69.92.xxx.xxx netmask 255.255.255.255
    isakmp identity address

    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup remaccess address-pool ippool
    vpngroup remaccess idle-time 1800
    vpngroup remaccess password ********

    telnet 192.168.170.0 255.255.255.0 inside
    telnet 69.92.xxx.xxx 255.255.255.255 inside

    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn enable outside
    dhcpd dns 24.116.2.50 24.116.2.34
    terminal width 80
    Cryptochecksum:35b02d889bed7f1db87b84899ca4dfba
    : end
    [OK]

    Thanks for help in advance!
     
    robert@unetix.net, Jul 9, 2011
    #1
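
Added example, not part of the original post: a small Python audit of the ACL lines in the posted configuration, listing ACLs that are defined but never applied and the destinations permitted by the ACL bound to each interface. The function names are hypothetical, the embedded lines are a subset copied from the post, and the parser assumes ACL entries without source-port operators.

```python
import re

# Lines copied from the posted configuration (a subset: ACLs and where they are used).
CONFIG = """\
access-list nonat permit ip 192.168.170.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list acl_in permit icmp any any
access-list outside-in permit tcp any host 69.92.xx.xx eq 3389
access-list outside-in permit icmp any any echo-reply
access-list outside_in permit tcp any any eq 3389
access-list inside_access_in permit ip 192.168.170.0 255.255.255.0 192.168.9.0 255.255.255.0
nat (inside) 0 access-list nonat
access-group outside-in in interface outside
access-group inside_access_in in interface inside
"""

def take_addr(tok):
    """Consume one address spec (any | host A | A MASK) and return (addr, mask)."""
    first = tok.pop(0)
    if first == "any":
        return ("0.0.0.0", "0.0.0.0")
    return (tok.pop(0), "255.255.255.255") if first == "host" else (first, tok.pop(0))

def parse(config):
    """Return ACL entries by name, interface -> bound ACL, and all referenced ACL names."""
    acls, bound, used = {}, {}, set()
    for line in config.splitlines():
        tok = line.split()
        if len(tok) > 4 and tok[0] == "access-list" and tok[2] in ("permit", "deny"):
            rest = tok[4:]
            take_addr(rest)  # skip the source (source-port operators are not handled)
            acls.setdefault(tok[1], []).append((tok[2], tok[3], take_addr(rest)))
        elif len(tok) == 5 and tok[0] == "access-group":
            bound[tok[4]] = tok[1]  # access-group NAME in interface IFACE
            used.add(tok[1])
        elif m := re.search(r"(?:access-list|match address) (\S+)$", line):
            used.add(m.group(1))  # nat 0 exemption or crypto map reference
    return acls, bound, used

def unused_acls(config):
    """ACLs that are defined but never bound or referenced, so they filter nothing."""
    acls, _, used = parse(config)
    return sorted(set(acls) - used)

def permitted_destinations(config, iface):
    """(proto, addr, mask) permitted by the ACL bound to iface; None if none is bound."""
    acls, bound, _ = parse(config)
    if iface not in bound:
        return None
    # Anything not listed here is dropped by the implicit deny that ends every ACL.
    return [(p, *d) for a, p, d in acls.get(bound[iface], []) if a == "permit"]
```

On these lines, `permitted_destinations(CONFIG, "inside")` returns only the 192.168.9.0 255.255.255.0 entry, and `unused_acls(CONFIG)` returns `acl_in` and `outside_in` (the underscore spelling, as opposed to the bound `outside-in`).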