topic Thanks Marvin & nkarthikeyan in Network Security

PIX501

ciscoceci — Tue, 12 Mar 2019 04:20:08 GMT

Hello,

I have conected a pix to adsl router cisco (ppp chap) with this parameters:

pix:

inside: 192.168.10.xx (LAN)

outside 192.168.1.xx (Managment IP router connected to ADSL)

How i can configure pix to get www from lan pc??

Thanks

Anna

Hi Anna,

nkarthikeyan — Mon, 16 Jun 2014 09:55:24 GMT

Hi Anna,

Make sure you configure interface with IP address properly, name it & assign a security level ( 100 for inside & 0 for outside). After that do nat/pat for the internet access. There you get the internet access for your LAN PC.

global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0 0 0

Hope this helps

Regards

Karthik

Thanks nkarthikeyan, I

ciscoceci — Mon, 16 Jun 2014 21:06:53 GMT

Thanks nkarthikeyan,

I configure as follow below but i don´t have access from a PC with IP 192.168.10.9/24 gw: 192.168.10.254

Could i have any mistake?

thanks Anna.

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.254 255.255.255.0
ip address inside 192.168.10.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 192.168.1.250-192.168.1.253 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

The subset of your

Marvin Rhoads — Mon, 16 Jun 2014 22:11:00 GMT

The subset of your configuration that you shared looks OK.

While trying to access the outside, can you get the output of "show xlate" on the Pix?

The upstream router will also be needing to do its own NAT from the 192.168.1.0/24 addresses to something publicly routable.

Hi Anna, R u able to reach

nkarthikeyan — Tue, 17 Jun 2014 16:57:51 GMT

Hi Anna,

R u able to reach internet from firewall.

are you able to ping from FW to 4.2.2.2? or any internet sites??
are u able to ping the gateway address from firewall?
do you have any access-list on the assigned interfaces?

If possible can you provide the complete FW configuration after checking the above things.

HTH

Regards

Karthik

Thanks Marvin & nkarthikeyan

ciscoceci — Tue, 17 Jun 2014 18:24:04 GMT

Thanks Marvin & nkarthikeyan,

response below:

pix501# sh xlate
1 in use, 1 most used
Global 192.168.1.250 Local 192.168.10.9

------------------------------------

pix501# ping 4.2.2.2
   4.2.2.2 NO response received -- 1000ms
   4.2.2.2 NO response received -- 1000ms
   4.2.2.2 NO response received -- 1000ms
pix501# ping 192.168.1.254
   192.168.1.254 response received -- 0ms
   192.168.1.254 response received -- 0ms
   192.168.1.254 response received -- 0ms
pix501# ping 192.168.10.254
   192.168.10.254 response received -- 0ms
   192.168.10.254 response received -- 0ms
   192.168.10.254 response received -- 0ms

---------------------------

pix501# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Oh/B06WiVgeUmuvX encrypted
passwd Oh/B06WiVgeUmuvX encrypted
hostname pix501
domain-name ceci.ct
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.254 255.255.255.0
ip address inside 192.168.10.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 192.168.1.250-192.168.1.253 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username ceci password 5CwZJAdZ4FVqqjJR encrypted privilege 2
terminal width 80
Cryptochecksum:2c6954d2214415aff5a758c1ece29dc5
: end

Hi Anna, I guess you have

nkarthikeyan — Tue, 17 Jun 2014 18:35:49 GMT

Hi Anna,

I guess you have some problem with the internet connection over there. Do you ahave any option to check directly connect your PC to the model/router and check the internet access.

Also try to ping 192.168.1.1 from firewall and from PC which is the ADSL router assigned IP. So that we can isolate whether the problem with internet or pix.

HTH

Regards

Karthik

So we see you can reach your

Marvin Rhoads — Tue, 17 Jun 2014 18:37:47 GMT

So we see you can reach your default gateway for outside routes and that your NAT is building XLATE entries. That (plus reviewing your config) all indicates your Pix configuration is setup properly.

As I noted earlier "The upstream router will also be needing to do its own NAT from the 192.168.1.0/24 addresses to something publicly routable." I would investigate that device for its NAT setup and operation as it appears to be the issue in this case.