07-22-2012 01:39 PM - edited 03-11-2019 04:33 PM
Hi,
I know this is an old firewall, but it's just a simple firewall I need. My question is this:
I am not getting any internet with my current config, see below:
show conf
: Saved
: Written by enable_15 at 00:52:17.182 UTC Fri Jul 20 2012
PIX Version 6.3(5)
interface ethernet0 auto shutdown
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password PVSASRJovmamnVkD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname bmi-501-fw-1
domain-name buildmeit.internal
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list allow_ping permit icmp any any echo-reply
access-list allow_ping permit icmp any any source-quench
access-list allow_ping permit icmp any any unreachable
access-list allow_ping permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 78.XX.XXX.XXX 255.255.240.0
ip address inside 10.52.100.123 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 101 0.0.0.0 0.0.0.0 0 0
access-group allow_ping in interface outside
access-group allow_ping in interface inside
route inside 10.52.0.0 255.255.0.0 10.52.100.123 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.52.10.0 255.255.255.0 inside
http 10.52.66.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:f8f18bf2b944dddfaf3d83e6c1e1c57c
bmi-501-fw-1#
What am I missing? If I try to ping 8.8.8.8 it times out. Any suggestions?
07-22-2012 03:02 PM
There are a couple of things wrong with that setup:
1) I don't remember the old syntax exactly, but I think your Ethernet0 is shut down.
2) Your NAT is broken. Add the following line:
global (outside) 101 interface
3) Your ACL doesn't allow the needed traffic. Change it the following way:
access-list INSIDE-IN permit udp any any eq 53
access-list INSIDE-IN permit tcp any any eq 80
access-list INSIDE-IN permit tcp any any eq 21
access-list INSIDE-IN permit icmp any any echo
access-group INSIDE-IN in interface inside
With that ACL you can make DNS, HTTP, FTP and also ping to the outside. If you need more, just add more lines with the needed ports.
4) Source-quench is not something that should be allowed anywhere:
no access-list allow_ping permit icmp any any source-quench
and last but not least:
5) The PIX 501 has been unsupported for many years. Devices like that shouldn't be connected to the internet any more...
07-22-2012 03:33 PM
Hi, thanks for the reply. I've managed to sort it now with the config below:
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname bmi-501-fw-1
domain-name buildmeit.internal
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list PERMIT_IN deny tcp any any
access-list PERMIT_IN deny ip any any
access-list PERMIT_IN deny udp any any
access-list PERMIT_OUT permit tcp any any
access-list PERMIT_OUT permit ip any any
access-list PERMIT_OUT permit udp any any
access-list PERMIT_OUT permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside XXX.XX.XXX.XXX 255.255.240.0
ip address inside 10.52.100.123 255.255.255.0
global (outside) 1 interface
outside interface address added to PAT pool
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group PERMIT_IN in interface outside
access-group PERMIT_OUT in interface inside
route outside 0.0.0.0 0.0.0.0 XX.XX.XXX.1 1
route inside 10.52.0.0 255.255.0.0 10.52.100.123 1
wr mem
Regarding point 5, where you say devices like this shouldn't be used: I know it's an unsupported device, but for what other reasons should I not be using it? It's a good, simple firewall. I'd rather use this than, say... a horrible Netgear!
07-23-2012 12:53 AM
For the last point, you should just keep in mind that the software probably has a couple of security-related bugs that won't get fixed any more. For your very simplistic firewall they are perhaps not relevant, but don't forget it when you try to do more with it.
For your PERMIT_OUT ACL, you don't need tcp, udp and icmp if you allow ip. IP includes all these protocols. The PERMIT_IN ACL is not really needed in your scenario, as traffic from a lower security level to a higher level is denied by default.
Sent from Cisco Technical Support iPad App
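A way to check the ACL points made in this thread without a PIX at hand (an added example written for this thread, not Cisco code and not posted by anyone in the discussion): a small Python model of PIX 6.3 access-list evaluation. It implements first-match-wins with the implicit deny at the end of every ACL, treats the `ip` keyword as covering tcp, udp and icmp, and models the interface default (no access-group bound: higher security level to lower is allowed, lower to higher is denied). The parser only understands `any`, `host A.B.C.D`, `A.B.C.D M.M.M.M`, `eq PORT` and a bare ICMP type, which is all the ACLs in this thread use; the sample flows (an inside host at 10.52.100.10 talking to 8.8.8.8 and to TEST-NET addresses) are constructed for the demonstration.

```python
"""Toy model of PIX 6.3 access-list semantics: first match wins, implicit deny,
'ip' covers every IP protocol, and with no ACL bound to an interface the
security levels decide (higher -> lower allowed, lower -> higher denied).
Added example for this thread; not Cisco code. Sample flows are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None      # tcp/udp destination port
    icmp_type: Optional[str] = None  # e.g. "echo", "echo-reply"

@dataclass(frozen=True)
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    icmp_type: Optional[str]

def _take_addr(tok, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_acl(lines):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]'
    lines into {name: [Entry, ...]}, preserving configuration order."""
    acls = {}
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        name, action, proto = tok[1], tok[2], tok[3]
        src, i = _take_addr(tok, 4)
        dst, i = _take_addr(tok, i)
        rest = tok[i:]
        dport = icmp_type = None
        if proto in ("tcp", "udp") and len(rest) == 2 and rest[0] == "eq":
            dport = int(rest[1])
        elif proto == "icmp" and len(rest) == 1:
            icmp_type = rest[0]
        acls.setdefault(name, []).append(Entry(action, proto, src, dst, dport, icmp_type))
    return acls

def _matches(e, p):
    """'ip' entries match every protocol; tcp/udp/icmp entries only their own."""
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in e.src or ipaddress.ip_address(p.dst) not in e.dst:
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    return e.icmp_type is None or p.icmp_type == e.icmp_type

def permitted(entries, p, src_level=100, dst_level=0):
    """Decision for a packet arriving on an interface with security level
    src_level and leaving via one with dst_level. entries=None models an
    interface with no access-group applied, where the levels decide."""
    if entries is None:
        return src_level > dst_level
    for e in entries:                 # first match wins
        if _matches(e, p):
            return e.action == "permit"
    return False                      # implicit deny at the end of every ACL

# Constructed outbound flows from an inside host on the thread's LAN.
FLOWS = {
    "dns":  Packet("udp",  "10.52.100.10", "8.8.8.8", dport=53),
    "http": Packet("tcp",  "10.52.100.10", "203.0.113.80", dport=80),
    "ping": Packet("icmp", "10.52.100.10", "8.8.8.8", icmp_type="echo"),
    "smtp": Packet("tcp",  "10.52.100.10", "198.51.100.25", dport=25),
}

def decisions(acl_lines, name, flows=FLOWS):
    """Map each flow name to True/False under the named ACL from acl_lines."""
    entries = parse_acl(acl_lines).get(name, [])
    return {k: permitted(entries, p) for k, p in flows.items()}

# The ACLs as they appear in the thread.
ALLOW_PING = """access-list allow_ping permit icmp any any echo-reply
access-list allow_ping permit icmp any any source-quench
access-list allow_ping permit icmp any any unreachable
access-list allow_ping permit icmp any any time-exceeded""".splitlines()
INSIDE_IN = """access-list INSIDE-IN permit udp any any eq 53
access-list INSIDE-IN permit tcp any any eq 80
access-list INSIDE-IN permit tcp any any eq 21
access-list INSIDE-IN permit icmp any any echo""".splitlines()
PERMIT_OUT = """access-list PERMIT_OUT permit tcp any any
access-list PERMIT_OUT permit ip any any
access-list PERMIT_OUT permit udp any any
access-list PERMIT_OUT permit icmp any any""".splitlines()
IP_ONLY = ["access-list PERMIT_OUT permit ip any any"]
```

Running `decisions(ALLOW_PING, "allow_ping")` shows why the first config had no internet: with that ACL bound inbound on the inside interface, outbound DNS, HTTP and even an echo request are all dropped by the implicit deny, since only reply-type ICMP is listed. `decisions(INSIDE_IN, "INSIDE-IN")` permits DNS, HTTP and ping but still drops SMTP, and `decisions(PERMIT_OUT, "PERMIT_OUT")` equals `decisions(IP_ONLY, "PERMIT_OUT")`, which is the later point that the single `permit ip any any` line already covers the tcp, udp and icmp lines. `permitted(None, pkt, src_level=0, dst_level=100)` returns False, the default that makes an explicit deny-all PERMIT_IN on the outside interface redundant.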