11-21-2006 08:26 PM - edited 03-11-2019 01:59 AM
I'm currently setting up a PIX 515e at home as follows:
Cable Modem --> 2621 Router --> PIX --> Switch
The inside port on the PIX is up, up; however, I can't get the outside to connect.
Here are the configs for the interfaces:
2621:
FastEthernet0/1 is up, line protocol is down
Hardware is AmdFE, address is 0007.eb78.0ba1 (bia 0007.eb78.0ba1)
Internet address is 192.168.1.1/30
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
PIX:
interface ethernet0 "outside" is up, line protocol is down
Hardware is i82559 ethernet, address is 0011.2013.641b
IP address 192.168.1.2, subnet mask 255.255.255.252
MTU 1500 bytes, BW 100000 Kbit full duplex
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
77 packets output, 4620 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/1) software (0/1)
11-21-2006 08:59 PM
Hi Adam
Which cable are you using to connect the PIX and the router?
Are you using a crossover or a straight-through cable? Can you change the cable and check?
regds
11-21-2006 09:15 PM
Since this only involves the line protocol, check the UTP cable type you used to connect the router and PIX. It should be a crossover cable.
HTH
AK
11-22-2006 05:34 AM
Yeah, I swapped it and it's showing up, up now, but I'm not getting any traffic passing; everything is up, up, but the inside can't see the www.
GB-HOMENET-PIX-01# sh run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
nameif ethernet3 WAP security50
nameif ethernet4 NOT_USED4 security1
nameif ethernet5 NOT_USED5 security1
hostname GB-HOMENET-PIX-01
domain-name HOMENET
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
logging console debugging
icmp deny any outside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu WAP 1500
mtu NOT_USED4 1500
mtu NOT_USED5 1500
ip address outside 192.168.1.2 255.255.255.252
ip address inside 172.16.10.2 255.255.255.128
ip address DMZ 172.16.10.129 255.255.255.252
ip address WAP 172.16.11.1 255.255.255.252
no ip address NOT_USED4
no ip address NOT_USED5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address DMZ
no failover ip address WAP
no failover ip address NOT_USED4
no failover ip address NOT_USED5
pdm history enable
arp timeout 14400
global (outside) 1 172.16.10.1-172.16.10.127 netmask 255.255.255.128
global (DMZ) 2 172.16.10.128-172.16.10.254 netmask 255.255.255.128
global (WAP) 3 172.16.11.2-172.16.11.127 netmask 255.255.255.128
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 2 0.0.0.0 0.0.0.0 0 0
nat (WAP) 3 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 172.16.10.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
fragment chain 1 outside
fragment chain 1 inside
telnet 172.16.10.0 255.255.255.128 inside
telnet timeout 30
ssh timeout 5
console timeout 0
terminal width 80
: end
11-22-2006 12:53 PM
2 questions:
Do you have a route on your 2600 router pointing 172.x.x.x to the PIX?
ip route 172.16.10.0 255.255.255.0 192.168.1.2
Why are you using a router at all? You should be able to plug the PIX directly into the cable modem. Set the PIX outside IP to use DHCP and NAT to your external interface on the PIX.
11-22-2006 03:41 PM
I think you need to change the 'global' IP. You should use a public IP here, i.e. 192.168.1.x, instead of the 172.16.10.x range.
Global is always associated with a public IP when it comes to outside/Internet connectivity. But since your public IP has 2 hosts, for the Internet router FastEthernet facing the PIX outside interface (192.168.1.1) and the PIX outside interface (192.168.1.2), you have no choice here but to use the outside interface IP as global.
Use the 'global' command with the keyword 'interface' to allow internal users/DMZ to go out to the Internet.
*192.168.1.0/30 means:
subnet ID: 192.168.1.0
Usable addresses: 192.168.1.1 - .2
broadcast ID: 192.168.1.3
Your config:
ip address outside 192.168.1.2 255.255.255.252 ---> note this for Outside
ip address inside 172.16.10.2 255.255.255.128 --> internal subnet
ip address DMZ 172.16.10.129 255.255.255.252
ip address WAP 172.16.11.1 255.255.255.252
global (outside) 1 172.16.10.1-172.16.10.127 netmask 255.255.255.128
global (DMZ) 2 172.16.10.128-172.16.10.254 netmask 255.255.255.128
global (WAP) 3 172.16.11.2-172.16.11.127 netmask 255.255.255.128
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 2 0.0.0.0 0.0.0.0 0 0
nat (WAP) 3 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
Update:
- Remove the existing "global (outside) 1 172.16.10.1-172.16.10.127 netmask 255.255.255.128" and replace it with:
global (outside) 1 interface
This should work. Just make sure both of your PIX and Internet router can ping each other.
Hope this helps. Pls rate all useful post(s)
AK
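As an added example, not code from any poster in this thread: a small Python check that applies the point above mechanically. It parses the `ip address` and `global` lines quoted from the config, reports the network/usable/broadcast facts for 192.168.1.0/30, and flags any global pool whose addresses do not fall inside the subnet of the interface it is bound to, or that overlap another interface's subnet. The config text is the original poster's; the second config applies the `global (outside) 1 interface` change suggested above. The function names and the overlap check are my own assumptions, not PIX features.

```python
import ipaddress
import re

# Constructed sample: the address and NAT lines quoted from the poster's PIX 6.3 config
SAMPLE_CONFIG = """\
ip address outside 192.168.1.2 255.255.255.252
ip address inside 172.16.10.2 255.255.255.128
ip address DMZ 172.16.10.129 255.255.255.252
ip address WAP 172.16.11.1 255.255.255.252
global (outside) 1 172.16.10.1-172.16.10.127 netmask 255.255.255.128
global (DMZ) 2 172.16.10.128-172.16.10.254 netmask 255.255.255.128
global (WAP) 3 172.16.11.2-172.16.11.127 netmask 255.255.255.128
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 2 0.0.0.0 0.0.0.0 0 0
nat (WAP) 3 0.0.0.0 0.0.0.0 0 0
"""

# The one-line change suggested in the thread: PAT on the outside interface address
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "global (outside) 1 172.16.10.1-172.16.10.127 netmask 255.255.255.128",
    "global (outside) 1 interface",
)


def subnet_facts(cidr):
    """Return (network, first usable, last usable, broadcast) as strings for a prefix."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return (str(net.network_address), str(hosts[0]), str(hosts[-1]),
            str(net.broadcast_address))


def parse_interfaces(config):
    """Map interface name -> IPv4Interface from 'ip address <if> <addr> <mask>' lines."""
    ifaces = {}
    for m in re.finditer(r"^ip address (\S+) (\S+) (\S+)\s*$", config, re.M):
        name, addr, mask = m.groups()
        ifaces[name] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return ifaces


def parse_globals(config):
    """Yield (ifname, nat_id, first, last); first/last are None for 'global (x) n interface'."""
    pat = r"^global \((\S+)\) (\d+) (\S+)(?: netmask \S+)?\s*$"
    for m in re.finditer(pat, config, re.M):
        name, nat_id, pool = m.groups()
        if pool == "interface":
            yield name, int(nat_id), None, None
        else:
            first, _, last = pool.partition("-")
            yield (name, int(nat_id), ipaddress.IPv4Address(first),
                   ipaddress.IPv4Address(last or first))


def check_global_pools(config):
    """Return findings for global pools that do not belong on the interface they are bound to."""
    ifaces = parse_interfaces(config)
    findings = []
    for name, nat_id, first, last in parse_globals(config):
        if first is None:
            continue  # PAT on the interface's own address: the next hop can always reach it
        net = ifaces[name].network
        if first not in net or last not in net:
            findings.append(
                f"global ({name}) {nat_id}: pool {first}-{last} lies outside {net}; "
                f"the next hop on {name} has no route back to translated traffic")
        # Assumed extra check: a pool borrowed from another interface's subnet
        for other, iface in ifaces.items():
            if other != name and (first in iface.network or last in iface.network):
                findings.append(
                    f"global ({name}) {nat_id}: pool overlaps the {other} subnet {iface.network}")
    return findings


if __name__ == "__main__":
    print(subnet_facts("192.168.1.0/30"))
    for line in check_global_pools(SAMPLE_CONFIG):
        print("BEFORE:", line)
    for line in check_global_pools(FIXED_CONFIG):
        print("AFTER: ", line)
```

Run as a script, the "BEFORE" output shows the outside pool failing both checks (it is not in 192.168.1.0/30 and it is the inside subnet), while the DMZ and WAP pools overrun their /30 interfaces; after the `global (outside) 1 interface` change only the DMZ and WAP findings remain.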
11-23-2006 09:26 AM
Thanks for the reply
My public-facing IP is 84.x.x.x, which is assigned by my ISP via DHCP.
I've got the PIX and router pinging each other now, but still no access to the web.
11-23-2006 12:27 PM
It's working now, thanks to dflick advising me to get rid of the outside router and use ip address outside setroute.
It's a lot slower now, though, than the Linksys box I was using before!!