topic Re: Basic Pix config not working. Can anyone help!??!! in Network Security

Basic Pix config not working. Can anyone help!??!!

ddevecka — Fri, 21 Feb 2020 06:45:34 GMT

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

This is the config.

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password XXXXXXXXX encrypted

passwd XXXXXXXXX encrypted

hostname pixfirewall

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

names

pager lines 24

logging on

no logging timestamp

no logging standby

no logging console

no logging monitor

no logging buffered

no logging trap

no logging history

logging facility 20

logging queue 512

interface ethernet0 10baset

interface ethernet1 10baset

mtu outside 1500

mtu inside 1500

ip address outside nnn.nn.nnn.199 255.255.255.19

ip address inside 192.168.121.2 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

arp timeout 14400

global (outside) 1 nnn.nn.nnn.230-nnn.nn.nnn.232 netmask 255.255.255.19

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 nnn.nn.nnn.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

isakmp identity address

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:

: end

Re: Basic Pix config not working. Can anyone help!??!!

mostiguy — Thu, 22 May 2003 18:45:18 GMT

Your subnet mask on your outside interface and global pool is wrong. 255.255.255.19 is not an acceptible mask.

Even if you meant 255.255.255.192, it won't work because your route outside statement doesn't point to a host in the same subnet as the external interface.

Is 210.44.136.1 your route to the internet? Do you have the full class C of 210.44.136.0 ? If so, 255.255.255.0 is the subnet mask you should use

Re: Basic Pix config not working. Can anyone help!??!!

sampathsr — Tue, 27 May 2003 15:13:27 GMT

Hi:

When you say not working - what is not working?

I don't see a problem with your configuration. When you say it is not working, is it that the internal users are not able to connect to the Internet (outside)?

It could be as simple as this: your inside interface is x.x.x.2 , usually it is set as x.x.x.1 - so either you have one more device with x.x.x.1 and hence the issue is not with the PIX at all OR simply it is a type and hence change this inside IP to x.x.x.1 or change the default gateway on the inside hosts to x.x.x.2

hope this helps

Best regards / Sampath.

Srengarajan@att.com

Re: Basic Pix config not working. Can anyone help!??!!

dnagarajachary — Tue, 27 May 2003 16:49:32 GMT

There is no route statement for return traffic. You have to give

route inside command so that the outside traffic can reach your inside network (only allowed).

-Deepu

Re: Basic Pix config not working. Can anyone help!??!!

sampathsr — Tue, 27 May 2003 17:38:48 GMT

Hi:

1. Not true. If the traffic is only originatting from the inside to the outside, then only a route outside statement would suffice

2. If you are using the PIX as a DHCP client to 'pick-up' a dynamic IP address on the outside interface (such as when the PIX connecting to a cable-modem), you don't even need an explicit route outside statement; instead you could just say:

ip address outside dhcp setroute

Hope this clarifies.

Best regards / Sampath.

Srengarajan@att.com

Re: Basic Pix config not working. Can anyone help!??!!

rahil.patel — Fri, 06 Feb 2004 23:22:31 GMT

PIX cannot do routing by default. It needs to be told where to send the packets & from what interface.Your internal network 192.168.121.0/24 needs to be specified using the route inside statement in your config.

Re: Basic Pix config not working. Can anyone help!??!!

baileja — Sat, 07 Feb 2004 02:51:34 GMT

Actually the PIX "WILL" route to every subnet it is apart of (just like a router). You may not see it in the config but if you issue the command show route, you will see it as connected vice static. Also, to the person who posted this, you must give us more information on what your problem is. Do you have zero connectivity through the PIX? If so, I see you didnt post the top lines of the config. By default, the interfaces of a PIX are shutdown, you must issue the interface ethernet0 auto (or whatever the interface is and speed/duplex you want) to "unshut" the interface. If you have some connectivity, let us know what the deal is. Can you surf web? What kind of connection do you have out? A static IP through an ISP or is this a home cable/dsl connection that provides you DHCP? Can you ping from the pix to inside and pix to outside? We need more info to help you out.

Re: Basic Pix config not working. Can anyone help!??!!

rjackson — Sat, 07 Feb 2004 03:46:49 GMT

The documentation clearly says that the PIX is NOT a router.

It is not routing to send a packet to a connected interface. Any host will do that.

The mask on the outside interface and the global statement that references it is bad. Other than that please describe the problem

Re: Basic Pix config not working. Can anyone help!??!!

baileja — Sun, 08 Feb 2004 06:23:31 GMT

You are correct in saying the PIX is not a router. But by specifying an ip address on the inside, and an IP address on the outside, you do not need to add the "Route" command to get packets from outside to in. The PIX will do this on its own. I have about 6 PIX's doing this now. And I think the mask provided in the config above is a typo. I dont believe the PIX will accept this argument.