05-22-2003 10:51 AM - edited 02-20-2020 10:45 PM
--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --
This is the config.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXX encrypted
passwd XXXXXXXXX encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside nnn.nn.nnn.199 255.255.255.19
ip address inside 192.168.121.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 nnn.nn.nnn.230-nnn.nn.nnn.232 netmask 255.255.255.19
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 nnn.nn.nnn.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity address
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:
: end
05-22-2003 11:45 AM
Your subnet mask on your outside interface and global pool is wrong. 255.255.255.19 is not an acceptable mask.
Even if you meant 255.255.255.192, it won't work because your route outside statement doesn't point to a host in the same subnet as the external interface.
Is 210.44.136.1 your route to the internet? Do you have the full class C of 210.44.136.0? If so, 255.255.255.0 is the subnet mask you should use.
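The two checks in the reply above (is the mask a contiguous prefix, and does the default gateway sit inside the outside interface's subnet) as an added example script, not from the thread or from Cisco; the config fragment and the 203.0.113.x addresses are constructed stand-ins for the redacted nnn.nn.nnn.x values:

```python
import ipaddress
import re

# Constructed PIX config fragment; 203.0.113.x is documentation space standing in
# for the redacted outside addresses in the thread.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.199 255.255.255.19
ip address inside 192.168.121.2 255.255.255.0
global (outside) 1 203.0.113.230-203.0.113.232 netmask 255.255.255.19
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""

def mask_is_valid(mask: str) -> bool:
    """A netmask must be a run of 1-bits followed only by 0-bits."""
    try:
        bits = int(ipaddress.IPv4Address(mask))
    except ipaddress.AddressValueError:
        return False
    inverted = (~bits) & 0xFFFFFFFF
    # The zero bits form one contiguous low block iff inverted is 2^k - 1.
    return (inverted & (inverted + 1)) == 0

def check_pix_config(config: str) -> list[str]:
    """Return a list of problems found in 'ip address', 'global' and 'route' lines."""
    problems = []
    iface_net = {}   # interface name -> IPv4Network, only for valid masks
    for line in config.splitlines():
        m = re.match(r"ip address (\S+) (\S+) (\S+)$", line)
        if m:
            name, addr, mask = m.groups()
            if mask_is_valid(mask):
                iface_net[name] = ipaddress.IPv4Interface(f"{addr}/{mask}").network
            else:
                problems.append(f"interface {name}: {mask} is not a valid netmask")
            continue
        m = re.match(r"global \((\S+)\) \d+ \S+ netmask (\S+)$", line)
        if m and not mask_is_valid(m.group(2)):
            problems.append(f"global pool on {m.group(1)}: {m.group(2)} is not a valid netmask")
            continue
        m = re.match(r"route (\S+) \S+ \S+ (\S+) \d+$", line)
        if m:
            name, gw = m.groups()
            net = iface_net.get(name)
            if net is None:
                problems.append(f"route {name}: interface has no usable subnet, cannot check gateway {gw}")
            elif ipaddress.IPv4Address(gw) not in net:
                problems.append(f"route {name}: gateway {gw} is not inside {net}")
    return problems
```

Running it on the sample flags the mask twice and the unverifiable route; swapping in 255.255.255.192 makes the masks valid but shows the gateway outside the .192/26 subnet, exactly the second point raised above.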
05-27-2003 08:13 AM
Hi:
When you say not working - what is not working?
I don't see a problem with your configuration. When you say it is not working, is it that the internal users are not able to connect to the Internet (outside)?
It could be as simple as this: your inside interface is x.x.x.2, usually it is set as x.x.x.1 - so either you have one more device with x.x.x.1 and hence the issue is not with the PIX at all, OR simply it is a typo and hence change this inside IP to x.x.x.1 or change the default gateway on the inside hosts to x.x.x.2.
hope this helps
Best regards / Sampath.
05-27-2003 09:49 AM
There is no route statement for return traffic. You have to give
route inside command so that the outside traffic can reach your inside network (only allowed).
-Deepu
05-27-2003 10:38 AM
Hi:
1. Not true. If the traffic is only originating from the inside to the outside, then only a route outside statement would suffice.
2. If you are using the PIX as a DHCP client to 'pick-up' a dynamic IP address on the outside interface (such as when the PIX connecting to a cable-modem), you don't even need an explicit route outside statement; instead you could just say:
ip address outside dhcp setroute
Hope this clarifies.
Best regards / Sampath.
02-06-2004 03:22 PM
PIX cannot do routing by default. It needs to be told where to send the packets & from what interface. Your internal network 192.168.121.0/24 needs to be specified using the route inside statement in your config.
02-06-2004 06:51 PM
Actually the PIX "WILL" route to every subnet it is a part of (just like a router). You may not see it in the config but if you issue the command show route, you will see it as connected vice static. Also, to the person who posted this, you must give us more information on what your problem is. Do you have zero connectivity through the PIX? If so, I see you didn't post the top lines of the config. By default, the interfaces of a PIX are shutdown, you must issue the interface ethernet0 auto (or whatever the interface is and speed/duplex you want) to "unshut" the interface. If you have some connectivity, let us know what the deal is. Can you surf the web? What kind of connection do you have out? A static IP through an ISP or is this a home cable/dsl connection that provides you DHCP? Can you ping from the pix to inside and pix to outside? We need more info to help you out.
02-06-2004 07:46 PM
The documentation clearly says that the PIX is NOT a router.
It is not routing to send a packet to a connected interface. Any host will do that.
The mask on the outside interface and the global statement that references it is bad. Other than that, please describe the problem.
02-07-2004 10:23 PM
You are correct in saying the PIX is not a router. But by specifying an IP address on the inside, and an IP address on the outside, you do not need to add the "Route" command to get packets from outside to in. The PIX will do this on its own. I have about 6 PIXes doing this now. And I think the mask provided in the config above is a typo. I don't believe the PIX will accept this argument.