Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2432
Views
0
Helpful
4
Replies

Allow traffic through PIX 515

Go to solution
jaybird8000
Level 1
Level 1

‎12-03-2002 11:39 AM - edited ‎02-20-2020 10:24 PM

I am having trouble getting traffic through my PIX 515. I am fairly new but can't seem to get it to happen. I have several very detailed manuals and have done what I think to be all the right steps and cannot get it right. I would like permit my users on the "INSIDE" (192.168.1.1) to access the internet on the "OUTSIDE" (68.8.9.5 - fictitious).

I set NAT with the following command:

nat (inside) 1 192.168.1.0 255.255.255.0

...and GLOBAL with:

global (outside) 1 68.8.9.6-68.8.9.8

I have created what I have thought to be the correct ACCESS-LIST:

access-list web_out permit ip any host 192.168.1.0

access-list web_out permit tcp any host 192.168.1.0

I then applied the ACL's to an interface:

access-group web_out in interface outside

My client box on the inside has the following info:

IP = 192.168.1.3

SM = 255.255.255.0

Gateway = 192.168.1.1

And of course the DNS servers

My physical configuration is as follows:

CLIENT PC >>> PIX 515 >>>> INTERNET

The PIX can ping the gateway on the OUTSIDE and can ping the client on the INSIDE but I have no connectivity through the PIX. HELP!

Thanks in advance for all you expertise.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
gfullage
Cisco Employee
Cisco Employee
In response to jaybird8000

‎12-05-2002 03:38 PM

You probably don't have a default route on the PIX. The PIX needs to know where the Internet is and how to get to it, so add the following:

> route outside 0.0.0.0 0.0.0.0 x.x.x.x

where x.x.x.x is the IP address of your outside router that the PIX connects to.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
gfullage
Cisco Employee
Cisco Employee

‎12-04-2002 06:41 PM

Are the 68.8.9.6-68.8.9.8 addresses where you're trying to go to, or what you want your inside users to be NAT'd to. If the former, that's wrong, if the latter, it's right but needs tweaking. You also don't need an access-list to go from inside to outside, so let's remove that cause it's not doing anything.

To go from inside to outside, all you need is a nat/global pair. You're nat (inside) statement is correct. Your global statement says nat all your inside hosts to only 3 addresses, not good. Once these 3 addresses are used up, then no-one else will be able to go out, and keep in mind that one user going to one web page will easily use 5-6 addresses as they create different connections.

Do the following:

nat (inside) 1 192.168.1.0 255.255.255.0

global (outside) 1 68.8.9.6

This will do PAT instead of NAT, giving you 65000-odd translations with just the one address. You then have 68.8.9.7 and 68.8.9.8 spare to use for static translations if you need them later.

As traffic goes out through the PIX, the PIX will automatically open up holes to allow that traffic back in. It only does this for TCP and UDP packets though. If you're pinging through the PIX, you do need to tell the PIX to allow that traffic back in with:

access-list inbound permit icmp any any echo-reply

access-list inbound permit icmp any any unreachable

access-group inbound in interface outside

The "unreachable" allows Path MTU Discovery to still work, and the echo-reply's allow your pings to come back in.

0 Helpful

Go to solution
jaybird8000
Level 1
Level 1
In response to gfullage

‎12-05-2002 09:52 AM

I did what you suggested and you confirmed that fact that I fully understand the concept of what is taking place but I still cannot get through. At first I thought that it might be a hardware or software problem but I bought 5 PIX501s and 1 PIX515 and they are all not letting internet traffic through from the inside. To answer your question the 68.8.9.6-68.8.9.8 are numbers that I want my inside users to be NAT'd to. I knew about the PAT which allowed more than one private ip to be routed out on various ports of one single public ip, I was reaching at anything that would allow me access out. I changed it as you recommended and still nothing there is obviously something I am missing. Do I need to implement a route command?

Do I need to implement a static command?

The gateway address for my clients (inside) should be the ip of the INSIDE interface (192.168.1.1) right?

I pulled one staight out of the box (new) and did the following before adding the commands you recommended:

ip address inside 192.168.1.1

ip address outside 68.8.9.5

What else do I need?

Thanks again for your time.

0 Helpful

Go to solution
gfullage
Cisco Employee
Cisco Employee
In response to jaybird8000

‎12-05-2002 03:38 PM

You probably don't have a default route on the PIX. The PIX needs to know where the Internet is and how to get to it, so add the following:

> route outside 0.0.0.0 0.0.0.0 x.x.x.x

where x.x.x.x is the IP address of your outside router that the PIX connects to.

0 Helpful

Go to solution
jaybird8000
Level 1
Level 1
In response to gfullage

‎12-05-2002 10:33 PM

That was it - all is well. Thanks for you help!

J

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card