no internet access from inside network of pix 525

abdul basit
Level 1

hey friends:

I am working on a PIX 525. When connected through the console I can access the whole internet, but when I connect the PC to the inside interface I have no access to the internet. The PC can ping the PIX inside interface and from the PIX I can ping the PC. My configuration is shown below; kindly tell me what the problem can be. Kindly help me. I am just a CCNA.

PIX Version 7.2(2)

!

hostname pix

domain-name xyz.edu.pk

enable password xxxxxxxx encrypted

names

name xxx.xxx.173.5 primary-dns

name xxx.xxx.173.6 WEB-SER-SEC-DNS

name xxx.xxx.173.4 QMAIL

name xxx.xxx.169.3 proxy-server

name xxx.xxx.148.69 dns

dns-guard

!

interface Ethernet0

nameif outside

security-level 0

ip address xxx.xxx.147.91 255.255.255.224

!

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.5.1 255.255.255.0

!

passwd xxxxxxxx encrypted

ftp mode passive

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

name-server xxx.xxx.148.70

name-server xxx.xxx.156.118

name-server xxx.xxx.163.240

name-server dns

name-server 192.168.100.2

domain-name xxx.edu.pk

object-group service dns tcp-udp

description primary-dns

port-object range domain domain

port-object eq domain

access-list allow extended permit ip any any

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image flash:/asdm-603.bin

asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

access-list allow outside

nat (inside) 1 192.168.5.0 255.255.255.0

access-group allow in interface outside

access-group allow out interface outside

access-group allow in interface inside

access-group allow out interface inside

route outside 0.0.0.0 0.0.0.0 xxx.xxx.147.65 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

username xxxx password xxxxxxxx encrypted

http server enable

http 192.168.5.2 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

snmp-server enable traps snmp authentication linkup linkdown coldstart

no sysopt connection permit-vpn

telnet 192.168.5.0 255.255.255.0 inside

telnet timeout 20

ssh timeout 5

ssh version 1

console timeout 0

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect http

  inspect ils

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

pix# show nat

NAT policies on Interface outside:

  match ip outside any outside any

    dynamic translation to pool 1 (xxx.xxx.147.91 [Interface PAT])

    translate_hits = 0, untranslate_hits = 0

  match ip outside any inside any

    dynamic translation to pool 1 (No matching global)

    tran = 0

NAT policies on Interface inside:

  match ip inside 192.168.5.0 255.255.255.0 outside any

    dynamic translation to pool 1 (xxx.xxx.147.91 [Interface PAT])

    translate_hits = 545, untranslate_hits = 0

  match ip inside 192.168.5.0 255.255.255.0 inside any

    dynamic translation to pool 1 (No matching global)

    translate_hits = 0, uinside any outside any

    no translation group, implicit deny

    policy_hits = 387


8 Replies

Julio Carvajal
VIP Alumni

Hello Abdul,

The configuration looks good:

global (outside) 1 interface

nat (inside) 1 192.168.5.0 255.255.255.0

What is the IP address you have on the client PC?

Add the following:

fixup protocol icmp

and try to ping 4.2.2.2 from your PC.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

The IP address of my PC is 192.168.5.2 and the gateway is 192.168.5.1.

Jouni Forss
VIP Alumni

Hi,

You seem to have the correct basic configurations for the firewall.

Are you testing the Internet connection from LAN by testing Web site connections or ICMP?

If you are using ICMP, add the following commands:

policy-map global_policy

class inspection_default

inspect icmp

This should allow ICMP replies through the firewall (if you have tested ICMP through the firewall and it has failed).

Are you sure the hosts are configured with the correct gateway address, the PIX LAN interface IP address? If they aren't, they can still PING within the directly connected network but not any remote networks.

I'd also suggest removing some access-list attachments from the interfaces:

no access-group allow in interface outside

no access-group allow out interface outside

no access-group allow out interface inside

  • The above should be removed, as some of them are simply not needed and some might open your LAN network to attacks (if you configure a static NAT for a public IP).

access-group allow in interface inside

  • At this point only the above single line is needed. Also use different access-lists for each interface to keep things separated.

- Jouni
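An added example (my own, not code from the thread, from Cisco, or from ASDM) that applies Jouni's two access-list points as an offline audit of a saved PIX 7.x configuration: it flags an ACL bound to more than one interface, a permit-ip-any-any ACL applied inbound on the lowest-security interface, and reports whether "inspect icmp" is present. SAMPLE_CONFIG is a constructed subset of the configuration posted above; the function and field names are my own.

```python
import re

# Constructed sample: the interface, access-list, access-group and policy-map
# lines from the config posted in this thread, trimmed to what the audit needs.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
interface Ethernet1
 nameif inside
 security-level 100
access-list allow extended permit ip any any
access-group allow in interface outside
access-group allow out interface outside
access-group allow in interface inside
access-group allow out interface inside
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
"""

def audit(config):
    """Parse interfaces, ACLs and access-group bindings; return three findings."""
    sec_level, acls, bindings, nameif = {}, {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"nameif (\S+)$", line):
            nameif = m.group(1)
        elif m := re.match(r"security-level (\d+)$", line):
            sec_level[nameif] = int(m.group(1))
        elif m := re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.*)", line):
            name, action, proto, rest = m.groups()
            # An ACL is "wide open" once any of its entries permits all IP from any source to any destination.
            wide_open = action == "permit" and proto == "ip" and rest.split()[:2] == ["any", "any"]
            acls[name] = acls.get(name, False) or wide_open
        elif m := re.match(r"access-group (\S+) (in|out) interface (\S+)$", line):
            bindings.setdefault(m.group(1), []).append((m.group(3), m.group(2)))
    # The untrusted side is the interface with the lowest security level (0 = outside here).
    untrusted = min(sec_level, key=sec_level.get) if sec_level else None
    findings = {"shared_acls": [], "open_inbound": [], "icmp_inspected": False}
    for name, binds in bindings.items():
        # One ACL bound on several interfaces: an edit meant for the LAN also changes the outside.
        if len({intf for intf, _ in binds}) > 1:
            findings["shared_acls"].append(name)
        # permit ip any any applied inbound on the untrusted interface admits anything NAT can
        # deliver, e.g. a host published later with a static NAT (Jouni's warning above).
        if acls.get(name) and (untrusted, "in") in binds:
            findings["open_inbound"].append((name, untrusted))
    # Without ICMP inspection the echo replies to the LAN's pings are not let back in.
    findings["icmp_inspected"] = re.search(r"^\s*inspect icmp\b", config, re.M) is not None
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

On the posted configuration the audit reports the "allow" ACL as shared across both interfaces and open inbound on "outside", with ICMP inspection absent; a config with one ACL per interface bound only inbound on inside, plus "inspect icmp", comes back clean.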

Thanks Jouni,

I will remove the access-groups you mentioned.

PC IP is 192.168.5.2

and gateway 192.168.5.1.

From the network connection of my PC, the message showed "no internet access". I have been trying for two days but can't fix the problem.

Hi,

I assume the PC has been configured with DNS servers also?

Can you get replies if you ping the IP address 8.8.8.8 or the one suggested above?

- Jouni

Hi Jouni:

Of course DNS is configured on the PC, and I even tried to ping the address directly without a domain name but can't get a reply. I also can't get a reply from the next hop of my PIX firewall's outside address, and when I connect the same PC through the other network to the internet I can ping everything.

Hi,

Did you add the "inspect icmp"? Does it show in the list if you issue the command "show run policy-map"?

Have you tried to see through ASDM what happens to the connection?

I see you have configured the PIX so that you can access the graphical user interface from that single host IP address on LAN.

You could connect to the PIX with the ASDM GUI and monitor the connection.

Go to

  • Monitoring
  • Logging
  • View button

and see what happens when you either PING or try to access some site from the PC.

- Jouni

Thanks Jouni for your information.

I will check it tomorrow and will let you know.
