PIX 501 problem...

ryan — Fri, 21 Feb 2020 08:32:59 GMT

Ok I am about to pull out my hair over this. I have a PIX 501 setup at a remote office. I will have a tunnel setup to connect back out other office which uses a PIX 501 also. At this point I am not conecerned about the VPN tunnel. Basically PC's that have 192.168.5.x address will use the tunnel and pc's that have 192.168.7.x address will simply be able to get onto the internet via the DSL that the PIX uses. The PIX has a static public ip address on the external interface. The internal interface has an ip of 192.168.5.1. I have one machine plugged into the pix with an ip of 192.168.7.50 subnet of 255.255.248.0 and a gw of 192.168.5.1. From this machine I try and ping anything on the internet and get request timed out. I also cannot surf. It was my understanding that PIX's allow all outbound traffic which really has me confused. So I told the inside computer to ping a linux box on the net back at my main office and watched. That linux box indeed get's the packet and replies back yet the internal host is not getting the reply. If I ssh onto the pix I can ping anything on the internet and it replies just fine. So somewhere on the pix something is stopping traffic and I have no idea what. I have tried adding some acess-list to no avail. I am new to this and would really appreciate any help. Here is my config.

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname houston

domain-name <bleh.com>

fixup protocol ftp 21

fixup protocol http 80

fixup protocol rsh 514

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list 80 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 80 permit ip 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list 50 permit icmp any any

access-list 50 permit icmp any any unreachable

access-list 50 permit icmp any any time-exceeded

access-list 50 permit icmp any any echo-reply

access-list 50 permit tcp any interface outside eq www

access-list 50 permit tcp any interface outside eq domain

access-list 50 permit icmp any any source-quench

access-list 50 permit icmp any any parameter-problem

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside <pix wan ip> 255.255.255.248

ip address inside 192.168.5.1 255.255.248.0

ip audit info action alarm

ip audit attack action alarm

arp timeout 14400

global (outside) 1 <dsl modem ip/pix gateway>

nat (inside) 0 access-list 80

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group 50 in interface outside

route outside 0.0.0.0 0.0.0.0 <dsl modem ip/pix gateway> 1

route inside 192.168.5.0 255.255.255.0 192.168.5.1 1

route inside 192.168.7.0 255.255.255.0 192.168.5.1 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set strong esp-3des esp-sha-hmac

crypto map site2 10 ipsec-isakmp

crypto map site2 10 match address 80

crypto map site2 10 set peer <peer ip>

crypto map site2 10 set transform-set strong

crypto map site2 interface outside

isakmp enable outside

isakmp key <removed> address <peer ip> netmask 255.255.255.255

isakmp identity address

isakmp policy 8 authentication pre-share

isakmp policy 8 encryption 3des

isakmp policy 8 hash sha

isakmp policy 8 group 1

isakmp policy 8 lifetime 86400

ssh 0.0.0.0 0.0.0.0 outside

dhcpd auto_config outside

Re: PIX 501 problem...

gfullage — Mon, 28 Nov 2005 05:35:52 GMT

This is probably your problem:

global (outside) 1

Change it to:

global (outside) 1 interface

The global command defines what IP address all outgoing packets will be PAT'd to. If you PAT them to the same address as your outside ADSL gateway, then when they return they'll be destined for that IP address, and the gateway will get them and think, "huh, what am I supposed to do with this", and drop it.

By using the keyword "interface" on the global command the PIX will PAT everything to it's own outside interface's IP address, so the reply's will come back to that IP address and the PIX will know to forward them on internally.

Remove your two "route inside ...." commands also, they're not needed and will just confuse things.

Re: PIX 501 problem...

ryan — Tue, 29 Nov 2005 03:42:31 GMT

Well that worked perfectly. Thanks for your help.

topic Re: PIX 501 problem... in Network Security

PIX 501 problem...

Re: PIX 501 problem...

Re: PIX 501 problem...