pix 506e changing to static outside ip address

millergm (Level 1)

I have been using my PIX 506e with a outside IP address assigned via DHCP. My PIX sits between the building's router and my network switch. The router administrator has assigned me a static IP address. When I change the outside IP address from dynamic to static (using the PDM), and then save the new configuration, it destroys my internet connection. Any suggestions would be appreciated.

Thanks

11 Replies

pcomeaux (Cisco Employee)

Hey there -

Here's a few things to check:

Have you added a static route for the default gateway? (System Properties Tab --> Routing --> Static Route)

Do your NAT statements need to be adjusted for the new IP? (Translation Rules Tab --> look for rule that says inside:any/0.0.0.0 for Original and Interface PAT for the Translated address)

You may need to perform a "clear xlate" from the Run CLI menu item to ensure users use the new Translation if you need to make changes in the step above (Tools from Menu --> Command Line Interface --> Clear xlate)

Chances are, you just need to change the static route and you have connectivity.

Is your Pix also serving as your DHCP server? If so, you may need to go in and specify your DNS servers manually in the Pix (System Properties --> DHCP Services --> DHCP Server --> DNS Server 1 and DNS Server 2).

Let us know if you have any follow up questions.

peter

I agree with Peter that the most probable cause is that you are missing a default route on the PIX. It should point to your default gateway (next hop router) on the outside interface.

Peter,

I tried what you suggested. Still no go. Below are 2 listings of the PIX config.

This version fails w/ a statically defined IP on the outside.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **** encrypted
passwd ***** encrypted
hostname pixfirewall
domain-name OFFICE.LOCAL
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.8 255.255.255.0
ip address inside 10.0.0.5 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.1.1 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
http 10.10.1.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:xxxxxxx
: end
[OK]

This Version Works with DHCP on outside port.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **** encrypted
passwd **** encrypted
hostname pixfirewall
domain-name GMOFFICE.LOCAL
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.0.5 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.1.1 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
http 10.10.1.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:xxxxx
: end
[OK]

Any suggestions would be appreciated.

Thanks in advance

George

You are still missing the default route. Try adding the following using the PIX CLI:

pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 <next_hop_ip>

Where next_hop_ip is the IP address of your default gateway (provider's router). Do a clear xlate and then try again.

Hi George -

As the other poster mentioned, it looks like the default route is missing. To enter in the command suggested in the other post, type conf t from the same location you typed show .

Add the statement the other poster mentioned: route outside 0.0.0.0 0.0.0.0 <next_hop_ip>

Substitute the address on the 192.168.1.0 network that is your default gateway for the <next_hop_ip>. The gateway is likely to be 192.168.1.1.

Let us know how it goes.

thanks

peter

Thanks for your responses.

I got some information from the building router:

WAN IP: 64.x.x.74
Gateway IP: 64.x.x.209
DNS: 64.x.x.5
Secondary DNS: 64.x.x.6

I used both CLI and the conf t commands and entered the following:

route outside 0.0.0.0 0.0.0.0 64.x.x.209

also did

route outside 0.0.0.0 0.0.0.0 192.168.1.1

Still a no go. I saved to the PIX and then shut down the pix and rebooted the pix. No Go. Went back to DHCP in order to post again.

Here are the commands from your DHCP config:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
ip address outside dhcp setroute <---- NEEDS to Change
ip address inside 10.0.0.5 255.0.0.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
http server enable
http 10.0.0.0 255.0.0.0 inside
http 10.10.1.1 255.255.255.255 inside

Notice, the only line that needs changing is the IP Address line.

So you need to do the following commands:

route outside 0.0.0.0 0.0.0.0 64.x.x.209
ip address outside 64.x.x.74 255.255.255.0

If you need the Pix to provide DHCP to your PCs on your network, then we need to adjust the DHCP Server commands on the Pix, which I do not see on your firewall currently.

So maybe the best thing to do is to review some of the show commands from the Pix with the DHCP config.

Please post us an output of "show ip", "show int", "show route", "show global", "show nat", "show dhcpd" and also the output of "ipconfig /all" from one of the PCs on your network.

thanks!

peter

Below are the requested 'show' command outputs.

show ip

System IP Addresses:
ip address outside 192.168.1.103 255.255.255.0
ip address inside 10.0.0.5 255.0.0.0
Current IP Addresses:
ip address outside 192.168.1.103 255.255.255.0
ip address inside 10.0.0.5 255.0.0.0

show int

interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000a.8aad.1a2d
  IP address 192.168.1.103, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 10000 Kbit full duplex
  93293 packets input, 27240472 bytes, 0 no buffer
  Received 39457 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  128202 packets output, 11799017 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
  0 babbles, 0 late collisions, 0 deferred
  0 lost carrier, 0 no carrier
  input queue (curr/max blocks): hardware (128/128) software (0/7)
  output queue (curr/max blocks): hardware (0/25) software (0/2)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000a.8aad.1a2e
  IP address 10.0.0.5, subnet mask 255.0.0.0
  MTU 1500 bytes, BW 10000 Kbit full duplex
  143600 packets input, 13053926 bytes, 0 no buffer
  Received 2652 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  57074 packets output, 25527741 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
  0 babbles, 0 late collisions, 0 deferred
  0 lost carrier, 0 no carrier
  input queue (curr/max blocks): hardware (128/128) software (0/27)
  output queue (curr/max blocks): hardware (0/42) software (0/42)

show route

outside 0.0.0.0 0.0.0.0 192.168.1.2 1 DHCP static
inside 10.0.0.0 255.0.0.0 10.0.0.5 1 CONNECT static
outside 192.168.1.0 255.255.255.0 192.168.1.103 1 CONNECT static

show global

global (outside) 1 interface

show nat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

show dhcpd

nothing came up.

C:\>ipconfig /all

Windows 2000 IP Configuration
  Host Name : computer name
  Primary DNS Suffix : gmoffice.local
  Node Type : Hybrid
  IP Routing Enabled : No
  WINS Proxy Enabled : No
  DNS Suffix Search List : gmoffice.local

Ethernet adapter Local Area Connection
  Connection-specific DNS Suffix :
  Description : Intel PCI Ethernet adpater 10/100
  Physical address : xx-xx-xx-xx-xx-xx
  DHCP Enabled : Yes
  Autoconfiguration enabled : Yes
  IP address : 10.x.x.10
  Subnet mask : 255.0.0.0
  Default Gateway : 10.0.0.5
  DNS Servers : 64.x.x.5
                10.x.x.1
                64.x.x.6
  Lease obtained : Monday, October 11, 2004 14:12:43 pm

Your default route entry MUST be on the same subnet as the outside of your pix (192.168.1.x). If the router interface you are connecting to is on a different subnet (your router info doesn't show Lan ip) then re-address your pix interface.

P.S. You are double nat-ing, once at the pix and again at the router. You may have problems with some applications through this configuration. It may be better to do a "Nat 0" config, but that is a whole nother discussion.

Thanks for the info.

What you sent confirms one of the possible causes of the problem you are experiencing.

Your current outside IP address received via DHCP is:

192.168.1.103

If you make the change to the static address provided by your ISP, you may need to inform your ISP so they can make a change on their side. What I mean here is that the current IP address and the new IP address are not on the same network. Because of this, changes may be required on their equipment to move you to your new network. This is assuming you are using the same ethernet cable for the new address that you are using for your current address.

I am about 85% certain that changes are required on their end. You've done everything correct on your end to make your side work. There's a small chance that no further change is needed on their side, but you should contact your ISP and ask.

thanks for your patience as we looked through this.

Let us know what they say.

thanks

peter

According to your show statements above, when configured via DHCP your default gateway is 192.168.1.2. As others have mentioned, when you change your outside interface to be static, you need to add a default route. Below is the command you'll need to enter.

route outside 0.0.0.0 0.0.0.0 192.168.1.2
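As an added check (not from this thread or from Cisco), the script below applies the two rules the replies converge on: a static outside address needs a "route outside 0.0.0.0 0.0.0.0 <gateway>" line, and that gateway must sit on the outside interface's subnet, while "ip address outside dhcp setroute" installs the default route by itself. The sample configs are constructed and trimmed to the lines the check reads; the function name check_default_route is the example's own.

```python
import ipaddress
import re

# Constructed sample configs (not the thread's full listings): only the
# lines the check cares about are included.
STATIC_NO_ROUTE = """
ip address outside 192.168.1.8 255.255.255.0
"""
STATIC_OFF_SUBNET = """
ip address outside 192.168.1.8 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.0.0.1
"""
STATIC_OK = """
ip address outside 192.168.1.8 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.2
"""
DHCP_OK = "ip address outside dhcp setroute\n"

IP_RE = re.compile(r"^ip address (\S+) (\S+)(?: (\S+))?")
ROUTE_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)")

def check_default_route(config, iface="outside"):
    """Return findings for the default route; an empty list means it looks sane."""
    outside_net, dhcp, setroute, next_hops = None, False, False, []
    for line in config.splitlines():
        line = line.strip()
        m = IP_RE.match(line)
        if m and m.group(1) == iface:
            if m.group(2) == "dhcp":
                dhcp, setroute = True, "setroute" in line
            else:
                # PIX 6.x prints the mask in dotted form (addr mask)
                outside_net = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}").network
            continue
        m = ROUTE_RE.match(line)
        if m and m.group(1) == iface:
            next_hops.append(ipaddress.ip_address(m.group(2)))
    if dhcp:
        # DHCP with setroute installs the default route itself
        return [] if setroute or next_hops else ["dhcp without setroute and no static default route"]
    if outside_net is None:
        return [f"no ip address configured on {iface}"]
    findings = []
    if not next_hops:
        findings.append("static outside address but no 'route outside 0.0.0.0 0.0.0.0 <gw>'")
    for hop in next_hops:
        if hop not in outside_net:
            findings.append(f"default gateway {hop} is not on the outside subnet {outside_net}")
    return findings
```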
