PIX 515E setup problems... please help!

enpop1
Community Member

Hi... hopefully someone will be able to help a PIX newbie like me... here's the problem. I am moving from an ISA 2000 firewall server to a PIX 515E. Our network is on a 10.0.0.1 - 10.0.5.254 "network." I have two lines to the internet, however, which I am connecting to via a dual router... Xincom XC-DPG602. The internal IP address for this router is 192.168.1.3, and through the ISA server, I have internet access. The external IP addresses for my internet lines are through Earthlink (T1) (208.29.018.xxx) and Time Warner (cable) (70.60.48.xxx). They are being load balanced through the Xincom router, which is why I went with a "dual" router such as this. I will admit, I am pretty new at configuring PIX firewalls, so I figured I'd try to use the PIX default settings (it says it is configured for small business out of the box), but it wouldn't work. When I try to change the inside or the outside interfaces, though (from the terminal or from the PDM interface), I usually get errors of some kind and still nothing goes through. I have tried to read what I could from the internet, but I just can't seem to make any headway. If this makes any sense to anyone, I hope you will help me out.

Thanks!

Eric

10 Replies

nkhawaja
Cisco Employee

Hi,

Where is the NAT happening? Basically these are all you need:

ip address inside

ip address outside

route outside 0 0 192.168.1.3

nat (inside) 1 0 0

global (outside) 1 interface

(For the traffic to flow from inside to outside)

enpop1
Community Member

Hi... thanks for your reply. I have the current configuration of the PIX listed here, but it is not working. When I try to set the inside ip address to something other than 192.168.1.1, it tells me that it conflicts with the DHCP pool, or something along those lines. Does any of this make sense? All I need to do is provide access to the internet for our inside users. I do not have a dmz as of yet or anything "special," and I do not want to use DHCP from this firewall, since I already have a dhcp server on my network. Thanks again for the help.

Switch>write term
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password xxxxx/xxxxxxxx/ encrypted
passwd xxxxxxxx.xxxxx encrypted
hostname pixfirewall
domain-name cathedral-prep.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 192.168.1.3 255.255.255.255
ip address inside 192.168.1.1 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.1.0 255.255.255.0 inside
pdm location 10.0.2.0 255.255.255.0 inside
pdm location 10.0.3.0 255.255.255.0 inside
pdm location 10.0.4.0 255.255.255.0 inside
pdm location 10.0.5.2 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 70.60.48.238-70.60.48.248
global (inside) 200 10.0.5.2
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 10.0.1.0 255.255.255.0 192.168.1.3 1
route inside 10.0.2.0 255.255.255.0 192.168.1.3 1
route inside 10.0.3.0 255.255.255.0 192.168.1.3 1
route inside 10.0.4.0 255.255.255.0 192.168.1.3 1
route inside 10.0.5.2 255.255.255.255 192.168.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.1.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxxxx
: end
[OK]
pixfirewall(config)#

Hi,

You'll need to disable DHCP on the firewall first. To do this, issue in configuration mode:

no dhcpd enable

This will stop DHCP on the firewall. You can also clear the other dhcpd commands by issuing 'no', i.e. no dhcpd lease 3600, etc. Do this from the CLI under config mode and save with write mem.

You can find the step-by-step setup guide here:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_book09186a008017284e.html

Look at section: Establishing Connectivity.

Let me know how you get on or require further help.

Thanks

Jay

Hi,

Also forgot to add this attachment for you, this explains the six basic steps required to setup a PIX. Hope it helps out.

Jay

enpop1
Community Member

Hi... the attachment helped me understand a bit more - thanks. I am still running into connection problems, however. I posted my now current configuration out on this thread... I would appreciate any help with looking through it and seeing if I am still missing something. I still cannot establish an internet connection through the PIX.

Thanks,

Eric

Hi,

First clear the dhcpd parameters, the command is "clear dhcpd"

then do whatever you would like to with the IP addressing .

Thanks

Nadeem

enpop1
Community Member

Hi... this is what I have now for my configuration on the PIX, but for some reason, I am still not able to get internet access through it. Can someone look at this configuration and hopefully let me know if it should work or if I am doing something wrong? Thanks again...

Eric

oh, and if you read through this, the 192.168.1.3 address is the internal "gateway" address of my router. My network basically has PCs with IP addresses ranging from 10.0.1.1 - 10.0.5.254 on it as well, if this helps.

wri term
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password xxxx
passwd xxxxx
hostname pixfirewall
domain-name cathedral-prep.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.2.1.1 255.0.0.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.1.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxx
: end
[OK]
pixfirewall(config)#
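The two dumps posted in this thread, run through a small config sanity checker. This is an added example written for this page, not Cisco code and not something from the thread; it parses only the lines that matter for basic connectivity (ip address, nat, global, route, dhcpd address, snmp-server community) and encodes the checks the replies apply by eye: a /32 mask on an interface, a route whose next hop is the PIX's own address or is not on that interface's subnet, nat and global ids that do not pair up, a dhcpd pool that no longer fits the inside subnet (the "conflicts with the DHCP pool" error), and a default SNMP community. The two sample configs embedded in it are constructed from the posted dumps, trimmed to those lines; the readdress to 10.0.0.1/255.255.0.0 is a hypothetical value chosen only to show the DHCP-pool conflict, and the function names are this example's own.

```python
"""Static sanity checks for a PIX 6.x 'write term' dump (added example, not Cisco code)."""
import ipaddress

# Constructed sample: the relevant lines of the first config posted in the thread.
FIRST_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.1.3 255.255.255.255
ip address inside 192.168.1.1 255.255.255.0
global (outside) 10 70.60.48.238-70.60.48.248
global (inside) 200 10.0.5.2
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 10.0.1.0 255.255.255.0 192.168.1.3 1
snmp-server community public
dhcpd address 192.168.1.2-192.168.1.254 inside
"""

# Constructed sample: the relevant lines of the second config posted in the thread.
SECOND_CONFIG = """\
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.2.1.1 255.0.0.0
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.1.3 1
snmp-server community public
"""


def parse_config(text):
    """Pull the addressing, NAT, routing, DHCP and SNMP lines out of a dump."""
    cfg = {"ip": {}, "nat": {}, "global": {}, "route": [], "dhcp": {}, "snmp": []}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[:2] == ["ip", "address"] and len(p) == 5:
            # ip address <ifname> <addr> <mask>
            cfg["ip"][p[2]] = ipaddress.ip_interface(f"{p[3]}/{p[4]}")
        elif p[0] in ("nat", "global") and len(p) >= 4:
            # nat (<ifname>) <id> ...   /   global (<ifname>) <id> ...
            cfg[p[0]].setdefault(int(p[2]), []).append(p[1].strip("()"))
        elif p[0] == "route" and len(p) >= 5:
            # route <ifname> <dest> <mask> <gateway> [metric]
            dest = ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False)
            cfg["route"].append((p[1], dest, ipaddress.ip_address(p[4])))
        elif p[:2] == ["dhcpd", "address"] and len(p) == 4:
            # dhcpd address <low>-<high> <ifname>
            lo, hi = p[2].split("-")
            cfg["dhcp"][p[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif p[:2] == ["snmp-server", "community"] and len(p) == 3:
            cfg["snmp"].append(p[2])
    return cfg


def check_config(cfg):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings = []
    ifaces = cfg["ip"]
    own_addrs = {i.ip for i in ifaces.values()}
    for name, intf in ifaces.items():
        if intf.network.prefixlen == 32:
            findings.append(f"{name}: /32 mask means no on-link neighbours, so no reachable gateway")
    for name, dest, gw in cfg["route"]:
        if gw in own_addrs:
            findings.append(f"route {name} {dest}: next hop {gw} is one of the PIX's own addresses")
        elif name in ifaces and gw not in ifaces[name].network:
            findings.append(f"route {name} {dest}: next hop {gw} is not on the {name} subnet {ifaces[name].network}")
    for nat_id, names in cfg["nat"].items():
        if nat_id not in cfg["global"]:
            findings.append(f"nat id {nat_id} on {names}: no global with the same id, traffic will not translate")
    for nat_id, names in cfg["global"].items():
        if nat_id not in cfg["nat"]:
            findings.append(f"global id {nat_id} on {names}: no nat with the same id, pool is unused")
    for name, (lo, hi) in cfg["dhcp"].items():
        if name in ifaces and (lo not in ifaces[name].network or hi not in ifaces[name].network):
            findings.append(f"dhcpd pool {lo}-{hi} lies outside the {name} subnet {ifaces[name].network}; clear dhcpd before readdressing")
    for community in cfg["snmp"]:
        if community in ("public", "private"):
            findings.append(f"snmp-server community '{community}' is a well-known default; change or remove it")
    return findings


def readdress(cfg, name, addr, mask):
    """Copy cfg with interface <name> moved to addr/mask, to preview what a change would do."""
    new = dict(cfg)
    new["ip"] = dict(cfg["ip"])
    new["ip"][name] = ipaddress.ip_interface(f"{addr}/{mask}")
    return new


if __name__ == "__main__":
    first = parse_config(FIRST_CONFIG)
    for f in check_config(first):
        print("first dump:", f)
    # Hypothetical readdress onto the 10.0.x.x LAN while the 192.168.1.x dhcpd pool is still configured.
    for f in check_config(readdress(first, "inside", "10.0.0.1", "255.255.0.0")):
        print("after readdress:", f)
    for f in check_config(parse_config(SECOND_CONFIG)):
        print("second dump:", f)
```

On the first dump the checker reports the /32 outside mask, both routes pointing at the PIX's own addresses, the unused global id 200 and the default SNMP community; the DHCP-pool finding only appears once the inside interface is moved off 192.168.1.0/24, which is the conflict the poster hit. On the second dump only the SNMP community remains, which matches the later replies' view that there is little left in the config itself to fix.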

hi,

What exactly is not running? Any kind of traffic to the internet? Ping won't work unless you add

access-list 100 permit icmp any any echo-reply

access-group 100 in interface outside

Can you access any site via its IP? Where is your DNS? After adding the commands I gave you above, can you ping 192.168.1.3 from any inside PC?

If that works, the PIX is OK as far as the config goes.

enpop1
Community Member

Hi...

I added these lines, and though I can ping the PIX, I cannot ping through the PIX to the router. I have a DHCP server on the network (10.0.0.82) and I have tried pinging through to other web sites - google.com, msn.com, etc. - but it comes back as host unreachable. I tried this from four different PCs in the building. Do I have to add something to the PIX for DNS?

What lines? The access-list lines? If you are on the PIX, can you ping your default gateway right from there? There is not much left in the configs.

What does "show interface" say? Are the interfaces up?
