Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
775
Views
0
Helpful
16
Replies

Pix 501 (or any) internet access

bwgraybwgray
Level 1
Level 1

‎01-21-2005 08:45 AM - edited ‎02-20-2020 11:53 PM

Hi Everyone,

I am trying to allow internet access to the users on the inside interface on my pix. To do so I have done a couple of things:

1) Configured a global statement with pool range

2) Configured the nat statement for all users to nat out using the global range.

From there I have to allow web traffic back in to my internal hosts. So I have tried to configure an access list:

access-list aclin permit tcp any any eq www

access-group aclin in interface outside

*This should allow web traffic in no?

I have verified all of my nat translations are functioning as they should. As well I can ping from the firewall out to the sites and back again; so I feel it's in my acl.

What am I missing here?

0 Helpful
16 Replies 16

bwgraybwgray
Level 1
Level 1
In response to dbellaze

‎01-25-2005 06:19 AM

Interesting, I should verify show conn, but I believe they are fine too; will do.

As for the ISP's is it common for them to block the routing of a range of natted addresses?

0 Helpful

dbellaze
Level 4
Level 4
In response to bwgraybwgray

‎01-25-2005 08:32 AM

Its not that they block NAT addresses. The issue depends on the situation.

For example if you connect to your ISP with a subnet that contains more than 2 available hosts (one for the PIX outside interface and one for the ISP) then configuring a NAT pool to use the unused addresses in the subnet should work. We can usually safely assume this because your PIX is able to route to the internet using its outside interface IP. If you want to further test this you can assign each address in the subnet to the outside interface and test connectivity one by one.

Then there is the scenario of having a seperate subnet for NAT or anything else for that matter. With this configuration/setup its usually that the ISP is not properly pointing the route to your PIX's outside address, or they are not pointing it to you at all.

As a side note remember that IP's you have with one ISP will not work with another ISP (for example switching ISP's) unless you actually own them and your ISP agree's to route them for you.

Daniel

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card