Setting Up PIX 506E

pbassociates
Level 1

I have tried in vain to set this firewall up right so that I can get on the internet, but have so far failed. It is replacing an old Symantec Firewall which had the settings I thought I would need in. I have put the settings into this firewall but I am having no luck at all getting it to work. Basically I have a set IP address from my ISP and therefore have an IP address, subnet mask and gateway to put in instead of using DHCP or PPPoE for the 'outside'. Also the 'inside' address is static as I have set IP addresses on the network. There are also DNS addresses I have put in even though DHCP is off.

I also do not translate any addresses using NAT or PAT. I have tried many things to get it working but so far to no avail. The only thing I have seen that might be wrong is the Static Route in Routing, which has an IP and Subnet Mask of 0.0.0.0 but the gateway address I have assigned to it. Should the IP and Subnet Mask be the ones I set before, and if so how do I get them in, as I have tried and it told me the Mask was not valid?

Anybody have any ideas on that, or any other way of getting it working?

6 Replies

jmia
Level 7

What is your network topology? Is it:

LAN--SWITCH--PIX--INTERNET ROUTER/MODEM?

Can you post your PIX config, taking out any sensitive information?

Thanks,

Jay

It is LAN--Switch--PIX--Router.

The config put in via the wizard is as follows:

Pix Host Name: pixfirewall
domain: ciscopix.com

Outside Interface Config:
Speed: Auto
Static IP Address: x.x.x.105
Subnet Mask: 255.255.255.252
Gateway: x.x.x.106
VPN and AutoUpdates are disabled

Other Interface Config:
'Inside' ip address 192.168.1.1
Subnet mask 255.255.255.0
(This is static)

NAT/PAT config:
Do not translate any addresses

DHCP:
Disabled, but there are DNS addresses in the configuration as I was given some by the ISP.

As I say, this is just the stuff out of the wizard, so if you want anything more detailed, or there is a way of uploading the settings from the PDM to this post, then just ask.

Does this help:

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxx
passwd xxxxxx encrypted
hostname
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.105 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 x.x.x.106 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
console timeout 0
terminal width 80

Jay

Here is what comes out of mine (just worked out how to do it). Not much difference, but there are the odd one or two things. Anything obvious to you?

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxx encrypted
passwd xxxxxxx encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.105 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 125.0.0.0 255.255.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 x.x.x.106 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
http 125.0.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns x.x.x.134 x.x.x.135
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxxx

Change this (in config mode via the CLI):

global (outside) 10 interface
nat (inside) 0 0.0.0.0 0.0.0.0 0 0

to this:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Make sure to save with write mem, and also issue clear xlate.

Are you using the PIX for DHCP? If not, then you can clear this by issuing (in config mode):

clear dhcpd

Save with write mem.

Let me know how you get on.

Jay
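The diagnosis in Jay's reply is that a nat statement only translates through a global pool carrying the same id, and that id 0 is identity NAT, so the wizard's "do not translate any addresses" choice left the 192.168.1.0/24 hosts leaving the outside interface untranslated. The script below is an added example, not code from the thread or from Cisco: it is a small Python lint that reads a PIX 6.x style configuration, pairs every nat id with its global pool, flags an identity NAT that covers a private inside network, and emits the CLI lines to repair it. The names SAMPLE_CONFIG and lint_pix_config are mine; the sample config is a constructed excerpt of the lines posted earlier in the thread, with the poster's redacted x.x.x.* addresses kept as placeholders. Rather than renumbering both statements to 1, the generated fix reuses the id of the global pool that already exists, so no second global has to be added for the interface address. It also reports two hardening points that are visible in the same config: the http statement that admits PDM connections from any source address, and the well-known SNMP community string.

```python
"""Lint a PIX 6.x running-config for nat/global id pairing and two hardening points.

Added example for this thread; it is not the poster's or Cisco's code. The names
SAMPLE_CONFIG and lint_pix_config are assumptions introduced here.
"""
import ipaddress
import re

# Constructed sample: the NAT-related lines of the second config posted in the
# thread, with the ISP's redacted x.x.x.* addresses left exactly as the poster wrote them.
SAMPLE_CONFIG = """\
ip address outside x.x.x.105 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
global (outside) 10 interface
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 x.x.x.106 1
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
snmp-server community public
"""

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (.+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)(.*)$")
HTTP_RE = re.compile(r"^http (\S+) (\S+) (\S+)$")
SNMP_RE = re.compile(r"^snmp-server community (\S+)$")


def _network(addr, mask):
    """Return an IPv4Network, or None when the address is a redacted placeholder."""
    try:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    except ValueError:
        return None


def lint_pix_config(text):
    """Return (findings, fix_commands) for a PIX 6.x configuration.

    A 'nat (ifc) N' statement translates only through a 'global (ifc) N' pool with
    the same id; id 0 is identity NAT, i.e. no translation at all.
    """
    ifc_nets = {}   # interface name -> configured network (None if unparseable)
    pools = {}      # global id -> (interface, pool spec)
    nats = []       # (interface, id, matched network or None, raw line)
    findings, fixes = [], []

    for raw in text.splitlines():
        line = raw.strip()
        if m := IP_ADDR_RE.match(line):
            ifc_nets[m.group(1)] = _network(m.group(2), m.group(3))
        elif m := GLOBAL_RE.match(line):
            pools[int(m.group(2))] = (m.group(1), m.group(3))
        elif m := NAT_RE.match(line):
            ifc, nat_id, addr, mask = m.group(1), int(m.group(2)), m.group(3), m.group(4)
            # 'nat 0 access-list' is a policy exemption, not an address range; skip the range check.
            net = None if addr == "access-list" else _network(addr, mask)
            nats.append((ifc, nat_id, net, line))
        elif m := HTTP_RE.match(line):
            if m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
                findings.append(f"PDM/HTTP management open to every source on {m.group(3)}: '{line}'")
        elif m := SNMP_RE.match(line):
            if m.group(1).lower() in ("public", "private"):
                findings.append(f"well-known SNMP community string '{m.group(1)}'")

    used_ids = set()
    for ifc, nat_id, net, line in nats:
        if nat_id == 0:
            inside = ifc_nets.get(ifc)
            if net is not None and inside is not None and inside.is_private and inside.subnet_of(net):
                findings.append(
                    f"identity NAT (id 0) covers private network {inside} on {ifc}; "
                    f"hosts leave untranslated and replies cannot be routed back: '{line}'")
                fixes.append(f"no {line}")
                # Reuse a pool that already exists on another interface instead of adding a second one.
                candidate_ids = [g for g, (pool_ifc, _) in pools.items() if pool_ifc != ifc]
                if candidate_ids:
                    new_id = min(candidate_ids)
                    fixes.append(f"nat ({ifc}) {new_id} {net.network_address} {net.netmask} 0 0")
            continue
        used_ids.add(nat_id)
        if nat_id not in pools:
            findings.append(f"nat id {nat_id} on {ifc} has no matching global pool: '{line}'")

    for gid, (pool_ifc, spec) in pools.items():
        if gid not in used_ids:
            findings.append(f"global ({pool_ifc}) {gid} {spec} is referenced by no nat statement")

    if fixes:
        fixes += ["clear xlate", "write memory"]
    return findings, fixes


if __name__ == "__main__":
    found, commands = lint_pix_config(SAMPLE_CONFIG)
    print("Findings:")
    for item in found:
        print("  -", item)
    print("Suggested CLI (config mode):")
    for cmd in commands:
        print("  ", cmd)
```

On the sample above the script reports the identity NAT, the unreferenced global pool 10, the open http statement and the public community, and suggests removing the nat 0 line and adding nat (inside) 10 0.0.0.0 0.0.0.0 0 0 followed by clear xlate and write memory. Because the 0.0.0.0 0.0.0.0 nat line is generic, the same check works for any inside network, not just 192.168.1.0/24.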

I tried your commands but it kept saying that the range already exists. I have also tried something out of the Cisco manual which, although I still can't get on the internet, means I can now Telnet to my router, which I couldn't do before. The command I put in from Cisco was 'nat (inside) 0 x.x.x.105 255.255.255.252', although it said it couldn't do x.x.x.105 so it put x.x.x.104. Seems strange that I can now access my router but not the internet.

Below is the updated config file:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxx encrypted
passwd xxxxxxx encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.105 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 125.0.0.0 255.255.0.0 inside
pdm location x.x.x.104 255.255.255.252 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 x.x.x.104 255.255.255.252 0 0
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 x.x.x.106 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 125.0.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxx
