09-11-2010 12:20 AM - edited 03-11-2019 11:38 AM
I am installing a PIX 515e through the PDM.
It looks like I have entered all the required information correctly, but I am still not able to access the internet.
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password XJX9T/MNG54uoaTm encrypted
passwd XJX9T/MNG54uoaTm encrypted
hostname PIX
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside dhcp setroute
ip address inside 10.0.1.2 255.255.255.0
ip address dmz 172.16.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 192.168.100.100
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route dmz 192.168.42.0 255.255.255.0 192.168.1.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.1.100-10.0.1.108 inside
dhcpd dns 205.171.3.25 192.168.100.1
dhcpd wins 209.165.201.5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain sbssrv.com
dhcpd enable inside
terminal width 80
banner login Enter your password to log in
With all the configuration done, I am still not able to browse the internet.
What rules do I need to set on the firewall box?
Could someone help me?
Regards
Mark
09-11-2010 12:39 AM
Hello,
Please remove the following line from your configuration:
global (outside) 1 192.168.100.100
Also, I do not see a route to 192.168.100.0 network on the firewall. Please
include a route.
route inside 192.168.100.0 255.255.255.0 "next hop IP"
That should fix the issue.
Regards,
NT
09-11-2010 10:48 AM
I tried adding this route: route inside 192.168.100.0 255.255.255.0 174.21.215.27, but received a message that the route already exists.
Problem not resolved.
Thanks for the help.
09-11-2010 10:51 AM
Hello,
Can you post the output of "show route" command?
Regards,
NT
09-11-2010 11:12 AM
Here is the show route and the show ip output:
PIX(config)# sho route
outside 0.0.0.0 0.0.0.0 192.168.100.1 1 DHCP static
inside 10.0.1.0 255.255.255.0 10.0.1.2 1 CONNECT static
dmz 172.16.2.0 255.255.255.0 172.16.2.1 1 CONNECT static
dmz 192.168.42.0 255.255.255.0 192.168.1.5 1 OTHER static
outside 192.168.100.0 255.255.255.0 192.168.100.4 1 CONNECT static
PIX(config)# sho ip
System IP Addresses:
ip address outside 192.168.100.4 255.255.255.0
ip address inside 10.0.1.2 255.255.255.0
ip address dmz 172.16.2.1 255.255.255.0
Current IP Addresses:
ip address outside 192.168.100.4 255.255.255.0
ip address inside 10.0.1.2 255.255.255.0
ip address dmz 172.16.2.1 255.255.255.0
thank you for your help
09-11-2010 11:25 AM
Hello,
Thanks for the outputs. Do you have another device that is doing NAT from
private address to public address? The firewall configuration looks correct.
Can you please tell us what is the next hop device?
Regards,
NT
09-11-2010 11:32 AM
Do you have another device that is doing NAT from private address to public address?
No, I don't have NAT on the DMZ; I thought I would fix the DMZ once I fix this problem.
Can you please tell us what the next hop device is?
It is a Qwest Actiontec DSL modem with an IP of 174.21.215.27.
Thanks
Mark
09-11-2010 11:36 AM
Hello,
Is the DSL modem in the routed mode? Is it providing the DHCP address to
your firewall? Can you configure the DSL modem such that it passes on the
public IP it got on the DSL side to the ASA?
Regards,
NT
09-11-2010 11:53 AM
Is the DSL modem in the routed mode? Yes, it is in routed mode; the gateway IP address is 63.210.10.242.
Is it providing the DHCP address to your firewall? Yes, it is providing DHCP to the firewall, IP address 192.168.100.4.
Can you configure the DSL modem such that it passes on the public IP it got on the DSL side to the ASA? No, I don't think so.
09-11-2010 12:00 PM
Hello,
Can you ping the 192.168.100.1 from your internal clients? Please put the
following two lines in the configuration and see if it makes any difference:
access-list outside_access_in permit icmp any any echo-reply
access-group outside_access_in in interface outside
Once you put the above lines in the configuration and removed the line I had
suggested earlier, try pinging 192.168.100.1 from your inside LAN
(10.x.x.x). If the ping is successful, then the issue could be at your DSL
modem configuration. If you are not able to ping the 192.168.100.1 from
inside LAN, then try to ping that IP from the firewall itself. That should
tell us what is going on.
Regards,
NT
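As an added example (not code from this thread, from Cisco, or from PDM), the following Python linter parses the PIX 6.3 statements Mark posted together with NT's two suggested access-list and access-group lines and reports what the thread turns on: the fixed 192.168.100.100 entry in global pool 1 that NT asked to remove (on PIX, addresses in a global pool are used before the interface PAT address in the same pool id), the nat line already covered by the 0.0.0.0 catch-all, and the echo-reply entry that is required because no ICMP inspection is configured. It also flags two things a reviewer would raise that the thread does not: the dmz route's next hop 192.168.1.5 is not on the 172.16.2.0/24 dmz subnet, and the SNMP community is the well-known string public. The config text embedded in the block is a constructed excerpt of the posted running-config; the checks assume PIX 6.x syntax only.

```python
"""Lint a Cisco PIX 6.x config for the issues discussed in this thread.

Added example: not code from the thread, from Cisco, or from PDM. The
config text below is a constructed excerpt of the posted running-config
with NT's two access-list/access-group lines appended.
"""
import ipaddress

SAMPLE_CONFIG = """\
ip address outside dhcp setroute
ip address inside 10.0.1.2 255.255.255.0
ip address dmz 172.16.2.1 255.255.255.0
global (outside) 1 192.168.100.100
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route dmz 192.168.42.0 255.255.255.0 192.168.1.5 1
snmp-server community public
access-list outside_access_in permit icmp any any echo-reply
access-group outside_access_in in interface outside
"""


def parse_pix(text):
    """Pull the statements the checks need out of PIX 6.x config syntax."""
    cfg = {"ip": {}, "global": [], "nat": [], "route": [],
           "acl": {}, "access_group": [], "snmp_community": None}
    for raw in text.splitlines():
        t = raw.split()
        if not t or raw.startswith(":"):      # blank or ": Saved" comment lines
            continue
        if t[:2] == ["ip", "address"]:
            # "ip address <if> dhcp [setroute]" -> None; else a static address/mask
            cfg["ip"][t[2]] = None if t[3] == "dhcp" else ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[0] == "global":                # global (<if>) <id> <addr>|interface
            cfg["global"].append((t[1].strip("()"), int(t[2]), t[3]))
        elif t[0] == "nat":                   # nat (<if>) <id> <net> <mask> ...
            cfg["nat"].append((t[1].strip("()"), int(t[2]),
                               ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)))
        elif t[0] == "route":                 # route <if> <net> <mask> <nexthop> <metric>
            cfg["route"].append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False),
                                 ipaddress.ip_address(t[4])))
        elif t[0] == "access-list":           # access-list <name> <action> <proto> <src> <dst> [type]
            cfg["acl"].setdefault(t[1], []).append(t[2:])
        elif t[0] == "access-group":          # access-group <name> in interface <if>
            cfg["access_group"].append((t[1], t[4]))
        elif t[:2] == ["snmp-server", "community"]:
            cfg["snmp_community"] = t[2]
    return cfg


def lint_pix(cfg):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []

    # 1. A global pool mixing a fixed address with 'interface' PAT on a
    #    DHCP-addressed interface: pool addresses are handed out before the
    #    interface address, so outbound traffic does not use the DHCP IP.
    pools = {}
    for ifname, pool_id, addr in cfg["global"]:
        pools.setdefault((ifname, pool_id), []).append(addr)
    for (ifname, pool_id), addrs in pools.items():
        fixed = [a for a in addrs if a != "interface"]
        if fixed and "interface" in addrs and cfg["ip"].get(ifname) is None:
            findings.append(f"global ({ifname}) {pool_id}: fixed address {fixed[0]} is used "
                            f"before interface PAT but {ifname} is DHCP-addressed; remove it")

    # 2. nat statements in one pool id where a narrower network is already
    #    covered by a wider one (the narrower line is dead configuration).
    nets_by_id = {}
    for ifname, pool_id, net in cfg["nat"]:
        nets_by_id.setdefault((ifname, pool_id), []).append(net)
    for (ifname, pool_id), nets in nets_by_id.items():
        for n in nets:
            for m in nets:
                if n != m and n.subnet_of(m):
                    findings.append(f"nat ({ifname}) {pool_id}: {n} is already covered by {m}")

    # 3. A static route whose next hop is not on the egress interface's subnet
    #    can never be resolved by ARP on that interface.
    for ifname, dest, nexthop in cfg["route"]:
        iface = cfg["ip"].get(ifname)
        if iface is not None and nexthop not in iface.network:
            findings.append(f"route {ifname} {dest}: next hop {nexthop} is not on "
                            f"{ifname} subnet {iface.network}")

    # 4. An inbound ACL on an interface that accepts echo-reply from any source.
    #    With no ICMP inspection configured this is what lets inside pings get
    #    their replies back, but the source can usually be narrowed.
    for acl_name, ifname in cfg["access_group"]:
        for entry in cfg["acl"].get(acl_name, []):
            if entry[:3] == ["permit", "icmp", "any"] and entry[-1] == "echo-reply":
                findings.append(f"access-list {acl_name} on {ifname}: echo-reply accepted "
                                f"from any source (needed without ICMP inspection, "
                                f"but limit the source where possible)")

    # 5. Well-known SNMP community strings give read access to anyone who can
    #    reach an interface that answers SNMP.
    if cfg["snmp_community"] in ("public", "private"):
        findings.append(f"snmp-server community {cfg['snmp_community']}: well-known "
                        f"community string; change it or remove SNMP")
    return findings


if __name__ == "__main__":
    for finding in lint_pix(parse_pix(SAMPLE_CONFIG)):
        print(finding)
```

Run against the excerpt it reports five findings; dropping the `global (outside) 1 192.168.100.100` line, as NT advised, removes the first one and leaves the interface PAT on the DHCP-assigned outside address.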
09-11-2010 12:20 PM
NT, adding the two lines you just gave me made the firewall work, so this half of the problem is fixed.
I will start a new post for the DMZ problem.
Thank you for all your help.
Mark