PIX 501 Help....asap.

homeboarder8 (Level 1)

Ok so here is my config...

ip address outside 78.xxx.xxx.16 255.255.255.248

ip address inside 10.xxx.xxx.81 255.0.0.0

route outside 0.0.0.0 0.0.0.0 78.xxx.xxx.18

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

access-list inbound permit icmp any any

access-list inbound permit tcp any host 78.xxx.xxx.15 eq www

access-list inbound permit tcp any host 78.xxx.xxx.15 eq 53

access-list inbound permit udp any host 78.xxx.xxx.15 eq 53

access-group inbound in interface outside

static (inside,outside) 78.xxx.xxx.15 10.xxx.xxx.83 netmask 255.255.255.255 0 0

access-list inbound permit icmp any any

access-list inbound permit tcp any host 78.xxx.xxx.14 eq www

access-group inbound in interface outside

static (inside,outside) 78.xxx.xxx.14 10.xxx.xxx.15 netmask 255.255.255.255 0 0

Basically I have 2 servers running behind my PIX with the external IP addresses of 78.xxx.xxx.15 and 78.xxx.xxx.14. I can ping the inside interfaces but I can not ping the outside interface of the PIX, let alone the gateway which is at 78.xxx.xxx.18. I need to have this up and running ASAP, so any suggestions would be great!

Thanks!

29 Replies

Okay I can ping google's IP address (64.233.161.104) from the PIX, but not from the server. Once again here are all of the IP addresses I am using:

Gateway - 78.xxx.xxx.18

PIX internal - 10.xxx.xxx.81

PIX external - 78.xxx.xxx.16

Server 1 internal - 10.xxx.xxx.83

Server 2 internal - 10.xxx.xxx.85

Server 1 external - 78.xxx.xxx.15

Server 2 external - 78.xxx.xxx.14

These are web servers, so server 1 has to have the external IP of .15 and server 2 has to have the external IP of .14.

Thanks again for your help!

yep, which was achieved with the other commands I told you to add in.

Can you post your updated config as it appears now?

Hey, I actually entered one of the commands you gave me wrong; I corrected it and am now able to ping google's IP. I am still having a DNS issue though: I cannot ping www.google.com, just the IP. Also, here is my updated config... any suggestions for security?

PIX Version 6.3(1)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list inbound permit icmp any any

access-list inbound permit tcp any host 78.xxx.xxx.15 eq www

access-list inbound permit tcp any host 78.xxx.xxx.15 eq domain

access-list inbound permit udp any host 78.xxx.xxx.15 eq domain

access-list inbound permit tcp any host 78.xxx.xxx.15 eq pptp

access-list inbound permit tcp any host 78.xxx.xxx.14 eq pptp

access-list outbound permit icmp any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 78.xxx.xxx.16 255.255.255.248

ip address inside 10.xxx.xxx.81 255.0.0.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

static (inside,outside) 78.xxx.xxx.15 10.xxx.xxx.83 netmask 255.255.255.255 0 0

static (inside,outside) 78.xxx.xxx.14 10.xxx.xxx.85 netmask 255.255.255.255 0 0

access-group inbound in interface outside

route outside 0.0.0.0 0.0.0.0 78.xxx.xxx.18 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

: end

Thanks again 2040!

ok you need to apply the outbound access list to the inside interface:

access-group outbound in interface inside

Also where are your DNS servers? Are you running DNS on your internal servers, or you have your internal clients\servers all pointing to your external DNS servers?

Let me know which one and I'll tell you the rules to add in to allow the DNS traffic. Also what access do you want internal servers\clients to have to the internet - or is it purely to allow external clients to access web services and pptp on the internal servers?

Cheers,

MM

Okay, the DNS servers are currently external, but once everything is configured I will be running them on the internal servers. As far as access is concerned, I would like everything to be as secure as possible; the internal servers must be able to access the internet, in fact I really have no need to restrict anything on them. Outside should only be able to view the web data on the servers. I have the pptp ports open to configure the servers remotely.

Thanks!

ok so probably just best to add in:

access-list outbound permit ip 10.0.0.0 0.255.255.255 any

You already have the inbound access list setup correctly so that should be about it.

So once you add in that permit any command try DNS resolution again - if it's not working check you have the correct DNS servers setup and try pinging them.

If they are set up correctly and you can ping them, then add a deny ip any any log to the end of each access list, set logging to 7 and monitor the output on the console as you are doing nslookups, and see if anything is being blocked.

Cheers,

MM

P.S. don't forget to rate the responses ;)

Ok, so I entered the access list and was able to ping the DNS servers, but I am still not able to ping www.google.com or bring up a website. I set the logging monitor to 7 and tried to open a website, but when I went to view the logging it says '0 messages logged'... any idea?

Thanks!

sorry to be a pain but can you post in the config as it looks now :)

PIX Version 6.3(1)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list inbound permit icmp any any

access-list inbound permit tcp any host 78.xxx.xxx.15 eq www

access-list inbound permit tcp any host 78.xxx.xxx.15 eq domain

access-list inbound permit udp any host 78.xxx.xxx.15 eq domain

access-list inbound permit tcp any host 78.xxx.xxx.15 eq pptp

access-list inbound permit tcp any host 78.xxx.xxx.14 eq pptp

access-list outbound permit icmp any any

access-list outbound permit ip host 10.0.0.0 any

access-list out deny ip any any log

access-list in deny ip any any log

pager lines 24

logging on

logging monitor debugging

mtu outside 1500

mtu inside 1500

ip address outside 78.xxx.xxx.16 255.255.255.248

ip address inside 10.xxx.xxx.81 255.0.0.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

static (inside,outside) 78.xxx.xxx.15 10.xxx.xxx.83 netmask 255.255.255.255 0 0

static (inside,outside) 78.xxx.xxx.14 10.xxx.xxx.85 netmask 255.255.255.255 0 0

access-group outbound in interface outside

route outside 0.0.0.0 0.0.0.0 78.xxx.xxx.18 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

: end

ok do this:

1. Remove these lines:

access-list out deny ip any any log

access-list in deny ip any any log

access-list outbound permit ip host 10.0.0.0 any

2. add these lines:

access-list outbound permit ip 10.0.0.0 255.0.0.0 any

access-list outbound deny ip any any log

access-list inbound deny ip any any log

access-group inbound in interface inside

3. Also, are you sure your subnet mask for the external interface is correct? Because the .16 address is the network address for the range .16 to .23, with .17 to .22 being usable.

The IP you have setup with .15 is actually the broadcast address of the subnet below .16, and .14 is the last usable in that subnet range.

Who assigned the IP addresses for you and what range and other details did they give to you?

Cheers,

MM

Yes they are correct, I changed the external addresses because I'm posting on a public forum. The subnets are correct, just not the IPs.

I entered the updates, and I'm still getting the same thing. '0 messages logged' and I'm still at the same point with the DNS.

Here is the updated config...

PIX Version 6.3(1)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list inbound permit icmp any any

access-list inbound permit tcp any host 78.xxx.xxx.15 eq www

access-list inbound permit tcp any host 78.xxx.xxx.15 eq domain

access-list inbound permit udp any host 78.xxx.xxx.15 eq domain

access-list inbound permit tcp any host 78.xxx.xxx.15 eq pptp

access-list inbound permit tcp any host 78.xxx.xxx.14 eq pptp

access-list inbound deny ip any any log

access-list outbound permit icmp any any

access-list outbound permit ip 10.0.0.0 255.0.0.0 any

access-list outbound deny ip any any log

pager lines 24

logging on

logging monitor debugging

mtu outside 1500

mtu inside 1500

ip address outside 78.xxx.xxx.16 255.255.255.248

ip address inside 10.xxx.xxx.81 255.0.0.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

static (inside,outside) 78.xxx.xxx.15 10.xxx.xxx.83 netmask 255.255.255.255 0 0

static (inside,outside) 78.xxx.xxx.14 10.xxx.xxx.85 netmask 255.255.255.255 0 0

access-group outbound in interface outside

access-group inbound in interface inside

route outside 0.0.0.0 0.0.0.0 78.xxx.xxx.18 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

: end

Thanks again!

ok you have these around the wrong way:

access-group outbound in interface outside

access-group inbound in interface inside

Remove them and add them as:

access-group outbound in interface inside

access-group inbound in interface outside

Okay that didn't work. Here is exactly what I'm entering into the PIX, maybe this will help:

hostname xxxxxxxxxx

ena password xxxxxxxxxxxxx

password xxxxxxxxxxxx

ip address outside 78.xxx.xxx.16 255.255.255.248

ip address inside 10.xxx.xxx.81 255.0.0.0

route outside 0.0.0.0 0.0.0.0 78.xxx.xxx.18

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

global (outside) 1 interface

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

static (inside,outside) 78.xxx.xxx.15 10.xxx.xxx.83 netmask 255.255.255.255 0 0

static (inside,outside) 78.xxx.xxx.14 10.xxx.xxx.85 netmask 255.255.255.255 0 0

access-list inbound permit icmp any any

access-list outbound permit icmp any any

access-list inbound permit tcp any host 78.xxx.xxx.15 eq www

access-list inbound permit tcp any host 78.xxx.xxx.15 eq 53

access-list inbound permit udp any host 78.xxx.xxx.15 eq 53

access-list inbound permit tcp any host 78.xxx.xxx.15 eq 1723

access-list inbound permit tcp any host 78.xxx.xxx.14 eq 1723

access-group outbound in interface inside

access-group inbound in interface outside

access-list outbound permit ip 10.0.0.0 255.0.0.0 any

access-list outbound deny ip any any log

access-list inbound deny ip any any log

access-group inbound in interface inside

logging on

logging monitor 7

Thanks mightymouse !

you've got the access-group inbound stated again down the bottom, to the wrong interface again.

Save the config (wr mem) and have a look at it on the pix - does it come up with:

access-group outbound in interface inside

access-group inbound in interface outside

The best way to edit in bulk is to save the config on the device, then copy it to a tftp server (copy start tftp), edit the config file in notepad (word wrap turned off), save it, then copy it back to the startup-config on the pix via tftp (copy tftp start) and restart the pix.

Cheers,

MM
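The two diagnoses in MM's replies (the subnet point about .16/.15/.14 in the earlier post, and the duplicated access-group binding in the post just above) can both be checked offline before touching the box. The script below is an added example written for this thread; it is not code from the thread, from the poster or from Cisco. It parses only the access-list, access-group, ip address and static lines in PIX 6.x syntax, reproduces the rule that a later access-group for the same interface replaces the earlier one (so the last line in the poster's sequence silently unbinds the outbound ACL from inside), flags static global addresses that do not sit in the outside interface's subnet, and does a first-match lookup of a flow against whatever ACL ends up bound to its ingress interface. All addresses are constructed placeholders (203.0.113.x and 198.51.100.x from RFC 5737, 10.0.0.x inside) standing in for the masked ones in the thread; with those placeholders the subnet checks fire exactly as MM's point 3 says, which the poster explains is only a masking artifact.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "domain": 53, "pptp": 1723}  # port keywords used in the thread

# Constructed sample: the lines the poster typed, with the masked public addresses
# replaced by RFC 5737 placeholders (203.0.113.x) and the inside hosts by 10.0.0.x.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.16 255.255.255.248
ip address inside 10.0.0.81 255.0.0.0
static (inside,outside) 203.0.113.15 10.0.0.83 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.14 10.0.0.85 netmask 255.255.255.255 0 0
access-list inbound permit icmp any any
access-list outbound permit icmp any any
access-list inbound permit tcp any host 203.0.113.15 eq www
access-list inbound permit tcp any host 203.0.113.15 eq 53
access-list inbound permit udp any host 203.0.113.15 eq 53
access-list inbound permit tcp any host 203.0.113.15 eq 1723
access-list inbound permit tcp any host 203.0.113.14 eq 1723
access-group outbound in interface inside
access-group inbound in interface outside
access-list outbound permit ip 10.0.0.0 255.0.0.0 any
access-list outbound deny ip any any log
access-list inbound deny ip any any log
access-group inbound in interface inside
"""
# The same input without the stray last access-group, which is the fix the reply asks for.
CORRECTED_CONFIG = SAMPLE_CONFIG.replace("access-group inbound in interface inside\n", "")


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str


def _addr_spec(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D' or 'A.B.C.D NETMASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_config(text):
    """Return (acls, bindings, warnings) from the access-list, access-group,
    'ip address' and static lines; every other line is ignored."""
    acls, bindings, ifaces, statics, warnings = {}, {}, {}, [], []
    for raw in filter(str.strip, text.splitlines()):
        t = raw.split()
        if t[0] == "access-list":  # access-list NAME ACTION PROTO SRC DST [eq PORT] [log]
            name, action, proto, rest = t[1], t[2], t[3], t[4:]
            src, dst = _addr_spec(rest), _addr_spec(rest)
            dport = None
            if rest[:1] == ["eq"]:
                dport = PORT_NAMES.get(rest[1]) or int(rest[1])
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport, raw.strip()))
        elif t[0] == "access-group":  # access-group NAME in interface IFACE
            name, iface = t[1], t[4]
            if iface in bindings and bindings[iface] != name:  # PIX keeps only the newest binding
                warnings.append(f"{iface}: ACL '{bindings[iface]}' replaced by '{name}' "
                                "(only one access-list per interface)")
            bindings[iface] = name
        elif t[:2] == ["ip", "address"]:  # ip address IFACE ADDR NETMASK
            net = ifaces[t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
            if ipaddress.ip_address(t[3]) in (net.network_address, net.broadcast_address):
                warnings.append(f"{t[2]} address {t[3]} is the network or broadcast address of {net}")
        elif t[0] == "static":  # static (LOCAL_IF,GLOBAL_IF) GLOBAL_IP LOCAL_IP netmask ...
            statics.append((t[1].strip("()").split(",")[1], t[2]))
    for name in acls:
        if name not in bindings.values():
            warnings.append(f"ACL '{name}' is defined but bound to no interface")
    for iface, global_ip in statics:
        net, ip = ifaces.get(iface), ipaddress.ip_address(global_ip)
        if net is not None and ip not in net:
            adj = ipaddress.ip_network(f"{global_ip}/{net.prefixlen}", strict=False)
            warnings.append(f"static {global_ip} is not in the {iface} interface subnet {net}; "
                            f"it lies in {adj}{' as its broadcast' if ip == adj.broadcast_address else ''}")
    return acls, bindings, warnings


def evaluate(acls, bindings, iface, proto, src, dst, dport=None):
    """First-match lookup of the ACL bound to the ingress interface: (action, matching line).
    With no ACL bound, this example assumes 'inside' is the high-security side and applies
    the PIX default (higher-to-lower permitted, lower-to-higher denied)."""
    name = bindings.get(iface)
    if name is None:
        return ("permit" if iface == "inside" else "deny", "no access-group bound (security-level default)")
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acls.get(name, []):
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst \
                and (ace.dport is None or ace.dport == dport):
            return (ace.action, ace.text)
    return ("deny", "implicit deny at end of ACL")
```

Running `parse_config(SAMPLE_CONFIG)` reports that the inside binding was replaced by the inbound ACL and that the outbound ACL is bound nowhere; `evaluate(acls, bindings, "inside", "udp", "10.0.0.83", "198.51.100.53", 53)` then hits `access-list inbound deny ip any any log`, while ICMP from the same host still matches the `permit icmp any any` line, which is the symptom the poster describes (pings work, DNS does not). With `CORRECTED_CONFIG` the same UDP/53 flow matches `access-list outbound permit ip 10.0.0.0 255.0.0.0 any`, and from the outside only the published ports on the static addresses get through.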

Okay well I'm at a loss... I'll keep looking around to see what I can find, but I'm still in the same situation. Thanks for getting me to where I'm at!
