12-12-2003 09:29 AM - edited 02-20-2020 11:09 PM
Hi,
We are an ISP that has two public networks as well as private addressing that sit behind our PIX. All outbound from the private networks works as expected. However, any server on the public networks cannot be reached, and any DSL customer with a public IP can't get out to the internet. A.B.C and X.Y are the two public nets. There is a 7200 series that sits inside of the PIX.
I have posted the config to see if you can find any errors.
Thanks!
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
hostname xxxxxxxxxx
domain-name xxxxxxxxxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list public_net permit ip x.y.41.0 255.255.255.0 any
access-list public_net permit ip a.b.c.0 255.255.255.0 any
access-list acl_out permit udp any host a.b.c.2 eq domain
access-list acl_out permit tcp any host a.b.c.3 eq smtp
access-list acl_out permit udp any host a.b.c.4 eq domain
access-list acl_out permit icmp any host a.b.c.72 echo-reply
access-list acl_out permit icmp any host x.y.41.254 echo-reply
access-list acl_out permit icmp any host x.y.41.182 echo-reply
access-list acl_out permit icmp any host x.y.41.195 echo-reply
access-list acl_out permit tcp any host x.y.41.3 eq www
access-list acl_out permit icmp host x.y.41.182 any echo
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.230 255.255.255.0
ip address inside 10.100.0.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside x.x.x.231
failover ip address inside 10.100.0.3
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list public_net
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (inside,outside) a.b.c.2 a.b.c.2 netmask 255.255.255.255 0 0
static (inside,outside) a.b.c.4 a.b.c.4 netmask 255.255.255.255 0 0
static (inside,outside) a.b.c.72 a.b.c.72 netmask 255.255.255.255 0 0
static (inside,outside) x.y.41.254 x.y.41.254 netmask 255.255.255.255 0 0
static (inside,outside) x.y.41.182 x.y.41.182 netmask 255.255.255.255 0 0
static (inside,outside) x.y.41.195 x.y.41.195 netmask 255.255.255.255 0 0
static (inside,outside) x.y.41.3 x.y.41.3 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 255.255.255.255 x.x.x.1 1
route inside 10.0.0.0 255.0.0.0 10.100.0.1 1
route inside x.y.41.0 255.255.255.0 x.y.41.1 1
route inside a.b.c.0 255.255.255.0 a.b.c.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
12-14-2003 04:15 PM
These are your problems:
route inside x.y.41.0 255.255.255.0 x.y.41.1 1
route inside a.b.c.0 255.255.255.0 a.b.c.1 1
The PIX (or any IP device) can't have a route pointing to a network where the next hop is not on the connected interface subnet. The next hop needs to be in the inside interface's subnet (10.100.0.0/24).
If you get to these networks through the same inside gateway as the rest of the 10 network, then change the above lines to:
route inside x.y.41.0 255.255.255.0 10.100.0.1 1
route inside a.b.c.0 255.255.255.0 10.100.0.1 1
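As an added check (not part of this thread), the Python below parses the PIX `ip address` and `route` lines, flags any static route whose next hop lies outside the connected subnet of its exit interface, and rewrites the flagged routes to a caller-supplied inside gateway as the reply suggests. The sample config is constructed: it mirrors the poster's lines with RFC 5737 documentation ranges standing in for the masked networks and the default route written with a 0.0.0.0 mask.

```python
import ipaddress
import re
# Constructed sample mirroring the poster's interface and route lines; the masked
# networks are RFC 5737 ranges (198.51.100.0/24 = a.b.c.0, 203.0.113.0/24 = x.y.41.0).
SAMPLE_CONFIG = """\
ip address outside 192.0.2.230 255.255.255.0
ip address inside 10.100.0.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route inside 10.0.0.0 255.0.0.0 10.100.0.1 1
route inside 203.0.113.0 255.255.255.0 203.0.113.1 1
route inside 198.51.100.0 255.255.255.0 198.51.100.1 1
"""
IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: \d+)?$")

def parse_interfaces(config):
    """Map each nameif to the connected subnet given by its 'ip address' line."""
    subnets = {}
    for line in config.splitlines():
        m = IP_ADDR_RE.match(line.strip())
        if m:
            name, addr, mask = m.groups()
            subnets[name] = ipaddress.ip_interface(f"{addr}/{mask}").network
    return subnets

def find_unreachable_next_hops(config):
    """(route line, reason) for each route whose next hop is off the exit interface's subnet."""
    subnets = parse_interfaces(config)
    problems = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        ifname, gateway = m.group(1), m.group(4)
        if ifname not in subnets:
            problems.append((line.strip(), f"no ip address configured on {ifname}"))
        elif ipaddress.ip_address(gateway) not in subnets[ifname]:
            problems.append((line.strip(), f"{gateway} is not in {subnets[ifname]}"))
    return problems

def corrected_routes(config, gateway_for):
    """Rewrite flagged routes to the given on-subnet gateway per interface (the reply's fix)."""
    fixed = []
    for line, _reason in find_unreachable_next_hops(config):
        parts = line.split()
        if parts[1] in gateway_for:
            parts[4] = gateway_for[parts[1]]
            fixed.append(" ".join(parts))
    return fixed
```

Run it over a real `show run` and it will list exactly the two `route inside` lines the reply points at; the rewrite only applies when you supply the gateway for that interface, since the checker cannot know which inside router actually reaches those networks.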