PIX 506E PROBLEM

godzilla0
Level 1

I'm at work configuring a Cisco PIX 506E, and I have a problem.

The outside interface can't reach the router which brings the local net to the internet. I don't want anything by now but to reach the internet and do some port forwarding for some local servers. I don't care about any other aspect of the PIX as a firewall because it's a spare and we want it only to replace an old router. Then we want to do IPSEC tunneling but that's another story. By now I only want the PIX to do the same function as the old router. It could be interesting to erase everything and start from scratch... this is my configuration data on the old router:

ROUTER IP ADDRESS: 192.169.7.100 netmask 255.255.255.0 ( 192.169.7.0 is the local subnet )

INTERNET IP ADDRESS: 213.x.x.202 netmask 255.0.0.0

GATEWAY: 213.x.178.29

Ok. This is my actual PIX configuration:

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname pixfirewall
domain-name work.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 80-88
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ping-acl remark allow pings on the outside
access-list ping-acl permit icmp any any
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq www
access-list permit_icmp permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 213.x.x.202 255.0.0.0
ip address inside 192.169.7.100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.169.7.0 255.255.255.0 0 0
access-group permit_icmp in interface outside
conduit permit tcp host 0.0.0.0 eq 81 host 192.169.7.2
route outside 0.0.0.0 0.0.0.0 213.229.178.29 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 192.169.1.0 255.255.255.0 inside
ssh 192.169.7.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxx

So I can reach the PIX but I can't get out of it to the internet. I don't know why. If you can answer this one, then it would be interesting to know how to make one port forwarding from the internet to a specific server of the local subnet on a port, for example 8080. Thank you so much.

Accepted Solution

Are you using the interface IP or a separate public IP? Also do you have the port open in your ACL?

38 Replies

Collin Clark
VIP Alumni

You need a NAT translation,

static (inside,outside) tcp [public IP] 8080 [private IP] 8080

don't forget to add the port & protocol in your outside ACL too.

Hope that helps.

Thank you for the NAT translation hint, but I need to know why I can't access the internet with this configuration. Thanks.

Can you ping the ISP router? If yes, can you ping an internet address (4.2.2.2)?

Hello, no... I can't ping the ISP router. That's the main problem. I think I must connect the inside iface with the external iface???

OUTPUT:

pixfirewall# ping 213.229.178.29
213.229.178.29 NO response received -- 1000ms
213.229.178.29 NO response received -- 1000ms
213.229.178.29 NO response received -- 1000ms

pixfirewall# ping 4.2.2.2
4.2.2.2 NO response received -- 1000ms
4.2.2.2 NO response received -- 1000ms
4.2.2.2 NO response received -- 1000ms

Thanks !

EDIT: ( BOTH INTERFACES ARE UP )

Hi,

Try to access some website on the Internet and then, issue this command on the PIX, to see whether NAT is happening or not.

"show xlate"

Then do " clear xlate" and again try to access.

-------------------------------

Now suppose you want to forward connections on the outside IP of the PIX on port 8080 to the server inside (suppose 192.169.7.100) on 8080 from the Internet:

static (inside,outside) tcp interface 8080 192.169.7.100 8080 netmask 255.255.255.255

access-list out-in permit tcp any interface outside eq 8080
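An added example, not from any poster in this thread: a small audit over the handful of PIX 6.x lines that decide whether this box can reach its gateway and who can reach it. It checks the three things the replies keep circling: the outside mask and default gateway, management (http/ssh/telnet) ranges that don't match the interface they are bound to (the posted config allows http from 192.168.1.0 while inside is 192.169.7.0), and the accepted answer's rule that every static port forward needs a matching permit in the outside ACL. The sample config is constructed from the thread's addresses; the ACL name out-in is hypothetical.

```python
import ipaddress

# Constructed sample (not the thread's config verbatim): the poster's outside /8
# mask, the http line on 192.168.1.0 while inside is 192.169.7.0/24, plus the
# static and access-list lines suggested in this reply. ACL name out-in is assumed.
SAMPLE_CONFIG = """\
ip address outside 213.27.252.202 255.0.0.0
ip address inside 192.169.7.100 255.255.255.0
route outside 0.0.0.0 0.0.0.0 213.229.178.29 1
http 192.168.1.0 255.255.255.0 inside
ssh 192.169.7.0 255.255.255.0 inside
static (inside,outside) tcp interface 8080 192.169.7.100 8080 netmask 255.255.255.255
access-list out-in permit tcp any interface outside eq 8080
access-group out-in in interface outside
"""

def audit_pix_config(text):
    """Return findings about reachability and exposure for a PIX 6.x-style config."""
    ifaces, mgmt, statics, acl, applied, gw = {}, [], [], {}, {}, None
    for p in (line.split() for line in text.splitlines()):
        if p[:2] == ["ip", "address"]:                 # ip address <if> <addr> <mask>
            ifaces[p[2]] = ipaddress.ip_interface(f"{p[3]}/{p[4]}")
        elif p[:1] == ["route"] and p[2:4] == ["0.0.0.0", "0.0.0.0"]:
            gw = (p[1], ipaddress.ip_address(p[4]))    # default route next hop
        elif p[:1] in (["http"], ["ssh"], ["telnet"]) and len(p) == 4:
            mgmt.append((p[0], ipaddress.ip_network(f"{p[1]}/{p[2]}"), p[3]))
        elif p[:1] == ["static"] and p[2] in ("tcp", "udp"):
            statics.append((p[2], int(p[4]), p[5]))    # proto, outside port, host
        elif p[:1] == ["access-list"] and "eq" in p and p[2] == "permit":
            acl.setdefault(p[1], set()).add((p[3], int(p[p.index("eq") + 1])))
        elif p[:1] == ["access-group"]:
            applied[p[4]] = p[1]                       # interface -> ACL name
    findings = []
    out = ifaces.get("outside")
    if out and out.network.prefixlen <= 8:             # a /8 on the ISP side is suspect
        findings.append(f"outside mask /{out.network.prefixlen} treats {out.network} as directly connected; confirm the real mask with the ISP")
    if gw and gw[0] in ifaces and gw[1] not in ifaces[gw[0]].network:
        findings.append(f"default gateway {gw[1]} is not in the {gw[0]} subnet {ifaces[gw[0]].network}; it can never be reached")
    for svc, net, name in mgmt:                        # management range must live on that interface
        if name in ifaces and not net.overlaps(ifaces[name].network):
            findings.append(f"{svc} allowed from {net} on {name}, but {name} is {ifaces[name].network}: no host there can match")
    permitted = acl.get(applied.get("outside"), set())  # ports the outside ACL lets in
    for proto, port, host in statics:
        if (proto, port) not in permitted:
            findings.append(f"static forward {proto}/{port} -> {host} has no matching permit in the outside ACL")
    return findings
```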

Hi thank you for your help ! No, this is the output for the show xlate:

pixfirewall# show xlate

55 in use, 177 most used


What type of cable do you have connected from the port of the PIX to the ISP router? Is it cross-over or straight through??

Also, I would clear up your PIX configuration, to be honest I would start from scratch - you can set the PIX to its factory default configuration - if your box is running version 6.2 or above.

Let us know...

is your setup like this ?

((ISP))---z---(Internet-Router)----<>--LAN

If yes, then what Jay has said could be a point... check the connectivity between the PIX and the Internet router.

From my side the setup is like this:

LAN-------PIX-----ISP ( a router probably )

so: Inside-> 192.169.7.100

Outside-> 213.27.252.202

Default route (ispgateway)->213.229.178.29

The cable is crossover, but I changed it to a plain one and the results are the same.

Can you tell me how to wipe out the config ?

Thanks.

Ok... keep the cross-over cable and ask your ISP to clear the router ARP cache for you. You can reset the PIX to factory default configuration by issuing (in config mode)..

configure factory-default

After the reset, rebuild your configuration but this time with no ACLs, just the basics, i.e. outside IP address with the correct mask and inside IP address with the correct mask, plus the correct default gateway to the ISP router.

We can then troubleshoot the problem further and build your PIX configuration up further.

But I am a little confused as you mention 'router probably' in your post: is it a router or a modem??

Speak soon...

Thanks for your help! I'm sure the ISP device is a router. I'm at a datacenter and I'm sure there are no modem connections for the customers. Ok right now I'm wiping the config. I'll post again some minutes later.

Thanks.

Ok, I did conf term, then configure factory-default 192.169.7.100 255.255.255.0, the process goes on but then if I do show conf the configuration remains the same. I even tried to do it and then reboot the PIX but the configuration doesn't go away. Any comments?

EDIT: Ok I'm sorry I only needed to do write mem to visualize the changes made. Now it's clear.

Which version is on your 506 is it above 6.2 code? Did you issue write mem??
