10-06-2007 02:33 PM - edited 03-11-2019 04:21 AM
Hi,
I hope you can help me since I'm having problems configuring my PIX 501. I have set e0 and e1 static IP addresses and they both communicate with their own segments. However, I can't communicate from e1 through e0.
I've set in both NAT (inside) 0 0 0 and outside as well. There are no packets going out from either of the two NICs.
Please, can you help?
Regards,
Rod
10-06-2007 09:29 PM
Rodrigo,
Can you post the config again? The one attached is not legible. From the PIX do "show run",
copy and paste in Notepad.
If you cannot pass traffic from inside towards outside, it is because you probably
need to enable global PAT and instruct the PIX that any traffic from inside passing through e0 will be PATed or NATed. If this is indeed the problem you can simply enable global NAT:
global (outside) 1 interface
Or
Say you have 10 available outside IP addresses and use the block as a global NAT pool; you could do:
global (outside) 1 10.10.10.1-10.10.10.9 "global NAT pool"
global (outside) 1 10.10.10.10 "single global PAT"
For communicating from e0 or outside to inside, use static NAT and an ACL to permit traffic from outside to inside.
Rgds
Jorge
10-07-2007 05:36 AM
Sure!
Sorry, I didn't realize how bad it was. I'll put it here:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 e0 security10
nameif ethernet1 e1 security99
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd CRA9.3/nTx371PLg encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type icmp_traffic
icmp-object echo-reply
icmp-object source-quench
icmp-object unreachable
icmp-object time-exceeded
access-list PERMIT_IN permit icmp any any object-group icmp_traffic
access-list no-nat permit ip 192.168.1.0 255.255.255.0 any
access-list no-nat permit ip 83.244.174.208 255.255.255.240 any
access-list no-nat permit ip 83.244.174.208 255.255.255.240 192.168.1.0 255.255.255.0
pager lines 24
mtu e0 1500
mtu e1 1500
ip address e0 2.2.2.2 255.255.255.0
ip address e1 1.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.240 e0
pdm logging informational 100
pdm history enable
arp timeout 14400
global (e0) 1 interface
global (e1) 1 interface
static (e0,e1) 83.244.174.208 192.168.1.0 netmask 255.255.255.240 0 0
static (e1,e0) 192.168.1.1 192.168.1.1 netmask 255.255.255.255 0 0
route e0 0.0.0.0 0.0.0.0 83.244.174.210 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 e1
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 4.4.4.0 255.255.255.0 e0
telnet 1.1.1.0 255.255.255.0 e1
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:7a19dc61cf2cb837c3270b5981f1be45
: end
thank you in advance
Rod.
10-07-2007 05:55 AM
Jorge,
I'm a little confused on the NAT and PAT but this is what happens when I put in the command.
e0=2.2.2.2 =>outside
e1=1.1.1.1 =>inside
pixfirewall(config)# global (e0) 1 1.1.1.1
Global 1.1.1.1 will be Port Address Translated
pixfirewall(config)# 105: ICMP echo-request from e1:1.1.1.2 to 2.2.2.2 ID=512 seq=2304 length=40
106: ICMP echo-request from e1:1.1.1.2 to 2.2.2.2 ID=512 seq=2560 length=40
107: ICMP echo-request from e1:1.1.1.2 to 2.2.2.2 ID=512 seq=2816 length=40
108: ICMP echo-request from e1:1.1.1.2 to 2.2.2.2 ID=512 seq=3072 length=40
That's the result of the ICMP debug. However, even though it sees the packets on the client side, it also times out on the PIX.
thanks,
Rod
10-07-2007 07:20 AM
Rod, a bit of an odd configuration, as one usually expects to configure e0 as the "outside"
interface and e1 as the "inside" interface; one has to flip the switch to think the other
way around. I would suspect, since you are not passing outbound traffic through the outside interface, that this PIX is not in production. If this is the case I would wipe out the complete config and start from scratch and do it right with "e0 name outside" and "e1 name inside";
since your config is very small it should not take that long. Or, if you want to leave
it as such, we can still troubleshoot. Also, your e1 outside interface IP of 1.1.1.1/24
is not on the same IP block where you default route to 83.244.174.210; normally the PIX outside
interface should be in the same 83.244.174.0 network. Is your external interface sort
of connecting to a DSL or cable modem line where you get DHCP from the ISP? Can you elaborate
on the external connection?
On another note, you don't have nat inside configured; with two interfaces, inside and outside, and
no nat, you have the default route mistaken. Before you try these commands, from the
PIX can you ping 83.244.174.210? If not, correct with the below default route.
With nat (e0) 0 2.2.2.0 255.255.255.0 you will let inside IP addresses be recognized
on the outside network and let inside IPs start outbound connections.
Try these :
nat (e0) 0 2.2.2.0 255.255.255.0
no route e0 0.0.0.0 0.0.0.0 83.244.174.210 1
route e1 0.0.0.0 0.0.0.0 83.244.174.210 1
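The checks Jorge walks through above (a global pool needs a nat statement with the same id, translation only flows from a higher-security interface to a lower one, and a route's next hop has to sit on the interface's own subnet) can be run mechanically over a PIX 6.x config. The script below is an added example, not part of the thread or a Cisco tool; it parses only the handful of line types it needs and uses the relevant lines of Rod's posted config as its constructed sample input.

```python
import ipaddress

# Constructed sample: the NAT-relevant lines of the config Rod posted above
SAMPLE_CONFIG = """
nameif ethernet0 e0 security10
nameif ethernet1 e1 security99
ip address e0 2.2.2.2 255.255.255.0
ip address e1 1.1.1.1 255.255.255.0
global (e0) 1 interface
global (e1) 1 interface
route e0 0.0.0.0 0.0.0.0 83.244.174.210 1
"""

def parse(config):
    sec, addr, nats, globs, routes = {}, {}, [], [], []
    for t in map(str.split, config.splitlines()):
        if not t:
            continue
        if t[0] == "nameif":              # nameif <hw> <name> security<N>
            sec[t[2]] = int(t[3].replace("security", ""))
        elif t[:2] == ["ip", "address"]:  # ip address <name> <ip> <mask>
            addr[t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[0] == "nat":               # nat (<name>) <id> ...
            nats.append((t[1].strip("()"), int(t[2])))
        elif t[0] == "global":            # global (<name>) <id> ...
            globs.append((t[1].strip("()"), int(t[2])))
        elif t[0] == "route":             # route <name> <net> <mask> <gateway> [metric]
            routes.append((t[1], t[2], ipaddress.ip_address(t[4])))
    return sec, addr, nats, globs, routes

def lint(config):
    """Return findings for the NAT/route pitfalls discussed in the thread."""
    sec, addr, nats, globs, routes = parse(config)
    top = max(sec.values())
    nat_ids = {nid for _, nid in nats}
    findings = []
    for iface, gid in globs:
        # A global pool is only used by nat statements carrying the same id
        if gid not in nat_ids:
            findings.append(f"global ({iface}) {gid}: no nat statement with id {gid}")
        # Translation runs high -> low security; a pool on the top-security
        # interface (here e1, security99) can never be reached by the lower side
        if sec.get(iface) == top:
            findings.append(f"global ({iface}) {gid}: on the highest-security interface")
    for iface, net, gw in routes:
        # The next hop must be on the subnet of the interface the route uses
        if iface in addr and gw not in addr[iface].network:
            findings.append(f"route {iface} {net}: gateway {gw} not in {addr[iface].network}")
    return findings
```

Running `lint(SAMPLE_CONFIG)` reports the orphaned global pools, the pool on the security99 interface, and the default gateway that is not in 2.2.2.0/24.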