No Internet From Inside

adcorbett_2
Level 1

Hello - I have just had to replace a dead (finally) PIX 520. Until my company can afford it, I am using a PIX 501. The outside interface is connected to a Verizon DSL router, and the inside through a 2950 and an old 1600 series router. Problem is ever since I went to the 501, no one behind the firewall can get to the internet. I can ping internet sites from the 501 itself, but nothing from behind it. I know it must be something simple, but I can't figure it out. I am attaching the configs for the router and firewall


7 Replies

anthony.baker
Level 1

Hey,

I would start by doing a traceroute from a machine that's not able to access the internet and see where that gets stuck. That will hopefully tell you which device has the problem and narrow things down.

I'm not sure off my head what happens with that version if you have no access-list associated with the inside interface of your PIX. It might allow everything through, but I can't remember and if it were me I'd just allow everything through using the access-list/access-group commands as per what you have for the outside -- just as a test.

HTH

Anthony

Hi Anthony - that's the weird part, I can ping the inside interface of the firewall from any client, but a trace to any internet IP from that same client goes nowhere, doesn't even know what its first hop is.

If I do a sho xlate while I am tracing from the workstation, I see this:

PAT Global xx.xx.xx.11(2) Local 192.168.100.35 ICMP id 512

So it is reaching the firewall...it must be something on the DSL modem?

But you said that from the FW itself you could get to external addresses no? If that's the case the routing from the FW to the DSL and out would seem to be working ok.

You have the statics and outside addresses blanked out (understandably!) - I'm presuming you have one address for the outside interface, another two that you're using in the statics and then another that you have for your global? Is that right?

Also, what do you see in the logs, anything? Look for any denies on either side, non-translations etc that might give some clue. Probably best to turn the logging to warning or debugging and watch while you try from one of those machines.

Try this configuration.

no global (outside) 1 XX.XX.XX.XX netmask 255.255.255.255

global (outside) 1 interface

If your xx.xx.xx.xx in the global configuration is the outside interface address then you should use the keyword interface for PAT instead of address.

HTH

Sundar

That did it. Why would that work and not the global statement I had in there before? Thanks!!

Glad it works now. Thanks for the rating!

It's one of those things - where the OS doesn't like the address to be used when that address is assigned to the interface (outside). Instead, it expects the word 'interface' to be used in the global command for that address to be used.

HTH

Sundar
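The condition Sundar describes (a PAT global that names the outside interface's own address instead of the keyword interface) can be caught by linting the config before it is loaded. This is an added example, not code from the thread or from Cisco; it assumes PIX 6.x syntax for the ip address and global lines, runs over a constructed config fragment, and emits the same two-line correction given above.

```python
import re
from ipaddress import IPv4Address

# Constructed PIX 6.x fragment reproducing the thread's symptom: the PAT
# address in 'global' is the address already bound to the outside interface.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.11 255.255.255.248
ip address inside 192.168.100.1 255.255.255.0
global (outside) 1 203.0.113.11 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

# Assumed syntax: 'ip address <ifname> <addr> <mask>' and
# 'global (<ifname>) <nat_id> <addr>|<range>|interface [netmask <mask>]'.
IP_ADDR_RE = re.compile(r"^ip address (\S+) (\d+\.\d+\.\d+\.\d+) \S+")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)(?: netmask (\S+))?")


def find_global_pat_conflicts(config: str) -> list:
    """Return (iface, nat_id, addr, mask) for each 'global' whose PAT address
    equals the address assigned to that same interface. Address pools
    (a-b ranges) and lines already using 'interface' are not flagged."""
    iface_addrs, globals_ = {}, []
    for line in config.splitlines():
        line = line.strip()
        m = IP_ADDR_RE.match(line)
        if m:
            iface_addrs[m.group(1)] = IPv4Address(m.group(2))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            globals_.append(m.groups())
    conflicts = []
    for iface, nat_id, addr, mask in globals_:
        if addr == "interface" or "-" in addr:
            continue  # recommended form, or a pool rather than single-address PAT
        if iface_addrs.get(iface) == IPv4Address(addr):
            conflicts.append((iface, int(nat_id), addr, mask or "255.255.255.255"))
    return conflicts


def suggested_fix(iface: str, nat_id: int, addr: str, mask: str) -> list:
    """The two-line correction from the thread, built for one detected conflict."""
    return [f"no global ({iface}) {nat_id} {addr} netmask {mask}",
            f"global ({iface}) {nat_id} interface"]


if __name__ == "__main__":
    for conflict in find_global_pat_conflicts(SAMPLE_CONFIG):
        print("\n".join(suggested_fix(*conflict)))
```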
