06-08-2010 12:04 AM - edited 03-11-2019 10:55 AM
Hi,
My PIX 515E, which is running 8.0x IOS, is unable to access the internet through it. The domain name server is external (ISP); on its next-hop router the ip domain-name IP address is configured. Could you tell me what changes I should make to my firewall to make it work?
I can ping the firewall's next-hop IP address.
Thanks in advance
HS
06-08-2010 01:15 AM
Hi HS,
Do you have Internet from the firewall itself? (Are you talking about an ASA, FWSM, or PIX?)
i.e. Can you ping 4.2.2.2 from the firewall itself?
If you have internet from the firewall itself, we just need to check the configuration to make sure that it allows Internet.
Please let us know the above.
Federico.
06-08-2010 06:56 AM
Hi,
As I already mentioned, I am using a Cisco PIX 515E which is running IOS 8.0. The firewall is connected to a router and my router is connected to the ISP router. What configuration should I have on the firewall so I can reach the internet? How do I configure the domain-name server's IP address?
Please help me
Thanks
HS
06-08-2010 07:00 AM
On a normal PIX configuration directly connected to the ISP router you need at least this:
nat (inside) 1 0 0
global (outside) 1 interface
The public IP assigned to the outside interface
A private IP assigned to the inside interface (which is going to be the default gateway for the local LAN).
route outside 0 0 x.x.x.x --> this is the PIX's default gateway (router's IP)
Assuming the local LAN is directly connected to the PIX, you should be able to get to the Internet with the above configuration.
If you need additional information let us know.
What is the purpose of the domain-name? Do you want the PIX to assign a DNS to the internal LAN?
Federico.
06-08-2010 07:28 AM
Hi,
My PIX has two interfaces, one of which is connected to the leased-line router and the other to the internet router. If my LAN users want to reach the internet they must have a DNS server IP address to resolve domain names; that is my purpose in configuring the domain-name IP on my firewall, so LAN users can resolve domain names and get to the internet.
My LAN users can reach the remote server through the leased line without any problem.
Thanks
HS
06-08-2010 07:32 AM
The ASA can only assign a DNS server to the LAN if it's also the DHCP server. Is the ASA the DHCP server?
Federico.
06-09-2010 12:23 AM
Hi,
No, I have not configured my firewall as a DHCP server. Find the firewall configuration below.
FIREWALL# show run
: Saved
:
PIX Version 8.0(3)
!
hostname FIREWALL
enable password f1/B5iV9rJ.dvsDE encrypted
names
dns-guard
!
interface Ethernet0
description P2P link
speed 100
duplex full
nameif outside1
security-level 0
ip address 172.23.15.211 255.255.255.0
!
interface Ethernet1
description LAN interface
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.10.11 255.255.255.0
!
interface Ethernet2
description Internet Gateway
speed 100
duplex full
nameif outside2
security-level 0
ip address 25.0.0.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system flash:/pix803.bin
ftp mode passive
clock timezone IST 5 30
same-security-traffic permit inter-interface
access-list icmpacl extended permit icmp any 192.168.10.0 255.255.255.0
access-list acl_inside extended permit ip 192.168.10.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
logging host inside 172.23.15.33
mtu outside1 1500
mtu inside 1500
mtu outside2 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside1) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
access-group icmpacl in interface outside1
access-group acl_inside in interface inside
route outside1 0.0.0.0 0.0.0.0 172.23.15.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.23.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 172.23.15.0 255.255.255.0 outside1
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map icmp-class
match access-list icmpacl
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
class icmp-class
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a0d0dc337be25e49c653aeb27031f59a
: end
FIREWALL#
06-09-2010 04:16 AM
1. Can you ping www.google.com and get an IP address?
2. Have you tried to load the page just with an IP address? http://74.125.87.99
3. Can the firewall ping 4.2.2.2?
4. Enable the logging buffer and check what the syslogs say.
conf t
logging buffered 7
exit
sh logg | i 192.168.10.x
for the client's IP address that has trouble going to the internet.
-KS
06-09-2010 05:18 AM
Hi,
1. I will not get a ping reply, as ICMP requests are denied on my ISP router.
2. I tried to load the page; it says "page can't be displayed".
3. The firewall can't ping 4.2.2.2.
4. Find the logs below.
FIREWALL# show logg | i 192.168.10.10 (logs while browsing http://74.125.87.99 )
%PIX-5-111007: Begin configuration: 192.168.10.10 reading from terminal
%PIX-5-111005: 192.168.10.10 end configuration: OK
%PIX-3-305006: portmap translation creation failed for tcp src inside:192.168.10.10/1096 dst outside2:74.125.87.99/80
%PIX-3-305006: portmap translation creation failed for tcp src inside:192.168.10.10/1096 dst outside2:74.125.87.99/80
%PIX-3-305006: portmap translation creation failed for tcp src inside:192.168.10.10/1096 dst outside2:74.125.87.99/80
%PIX-7-710005: UDP request discarded from 192.168.10.10/138 to inside:192.168.10.255/138
%PIX-7-710005: UDP request discarded from 192.168.10.10/137 to inside:192.168.10.255/137
%PIX-7-710005: UDP request discarded from 192.168.10.10/137 to inside:192.168.10.255/137
%PIX-7-710005: UDP request discarded from 192.168.10.10/137 to inside:192.168.10.255/137
FIREWALL# show logg | i 192.168.10.10 (logs while browsing google.co.in )
%PIX-3-305006: portmap translation creation failed for udp src inside:192.168.10.10/64660 dst outside2:202.95.94.1/53
%PIX-3-305006: portmap translation creation failed for udp src inside:192.168.10.10/64660 dst outside2:202.148.202.3/53
%PIX-3-305006: portmap translation creation failed for udp src inside:192.168.10.10/64660 dst outside2:202.95.94.1/53
%PIX-3-305006: portmap translation creation failed for udp src inside:192.168.10.10/64660 dst outside2:202.95.94.1/53
%PIX-3-305006: portmap translation creation failed for udp src inside:192.168.10.10/64660 dst outside2:202.148.202.3/53
%PIX-3-305006: portmap translation creation failed for udp src inside:192.168.10.10/64660 dst outside2:202.95.94.1/53
%PIX-3-305006: portmap translation creation failed for udp src inside:192.168.10.10/64660 dst outside2:202.148.202.3/53
202.95.94.1 and 202.148.202.3 are the DNS server IP addresses.
Regards
HS
06-09-2010 05:33 AM
Interesting...
That syslog message means that you have a problem with the global statement.
You have the following:
global (outside1) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
But the firewall is trying to take outside2 and failing.
Are you using outside1 to go out to the internet or outside2?
This message is talking about outside2 and you do not have a route or global statement for that interface.
You can either shut down outside2 interface or
add the following:
global (outside2) 1 interface
route outside2 0.0.0.0 0.0.0.0 x.x.x.x -----> where x.x.x.x is the next hop off of that outside2 interface.
You may have to remove the existing default route.
I would try to shut down the outside2 interface and try it.
-KS
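The diagnosis above (a %PIX-3-305006 "portmap translation creation failed" message naming an egress interface that has no matching global statement) can be checked mechanically against the logs KS asked for in step 4. The following Python script is an added example, not code from the thread or from Cisco: it parses the nat/global/route lines of a running config and the 305006 syslog lines, groups the failures by (source interface, destination interface), and reports whether the nat id used on the source interface has a global on the destination interface and whether a default route points out that interface. The config and syslog samples are constructed from the lines posted above; the check is deliberately simplified (dynamic nat/global ids only, no static or policy NAT), which is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the NAT-relevant lines of the running config posted in
# the thread (the full config has many more lines that do not matter here).
CONFIG = """\
global (outside1) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
route outside1 0.0.0.0 0.0.0.0 172.23.15.254 1
"""

# Constructed sample: syslog lines of the kind shown in the thread, mixed
# with unrelated messages that the filter must ignore.
SYSLOG = """\
%PIX-5-111007: Begin configuration: 192.168.10.10 reading from terminal
%PIX-3-305006: portmap translation creation failed for tcp src inside:192.168.10.10/1096 dst outside2:74.125.87.99/80
%PIX-3-305006: portmap translation creation failed for tcp src inside:192.168.10.10/1096 dst outside2:74.125.87.99/80
%PIX-7-710005: UDP request discarded from 192.168.10.10/138 to inside:192.168.10.255/138
%PIX-3-305006: portmap translation creation failed for udp src inside:192.168.10.10/64660 dst outside2:202.95.94.1/53
%PIX-3-305006: portmap translation creation failed for udp src inside:192.168.10.10/64660 dst outside2:202.148.202.3/53
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)\b")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)\b")
DEFAULT_ROUTE_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)")
FAIL_RE = re.compile(
    r"%PIX-3-305006: portmap translation creation failed for (\w+) "
    r"src (\w+):([\d.]+)/(\d+) dst (\w+):([\d.]+)/(\d+)"
)


def parse_config(text):
    """Collect, per interface, the nat ids named by global and nat statements,
    plus the set of interfaces that carry a default route."""
    global_ids = defaultdict(set)   # outside interface -> {nat_id, ...}
    nat_ids = defaultdict(set)      # inside interface  -> {nat_id, ...}
    default_route_ifs = set()
    for line in text.splitlines():
        line = line.strip()
        if m := GLOBAL_RE.match(line):
            global_ids[m.group(1)].add(int(m.group(2)))
        elif m := NAT_RE.match(line):
            nat_ids[m.group(1)].add(int(m.group(2)))
        elif m := DEFAULT_ROUTE_RE.match(line):
            default_route_ifs.add(m.group(1))
    return global_ids, nat_ids, default_route_ifs


def parse_failures(text):
    """Extract the fields of every 305006 translation-failure message."""
    out = []
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            proto, src_if, src_ip, src_port, dst_if, dst_ip, dst_port = m.groups()
            out.append({"proto": proto, "src_if": src_if, "src_ip": src_ip,
                        "src_port": int(src_port), "dst_if": dst_if,
                        "dst_ip": dst_ip, "dst_port": int(dst_port)})
    return out


def diagnose(config_text, syslog_text):
    """Group failures by (src_if, dst_if) and say whether the config explains
    them: a nat id on src_if with no matching global on dst_if means the PIX
    cannot build the PAT xlate, which is exactly what 305006 reports."""
    global_ids, nat_ids, default_route_ifs = parse_config(config_text)
    findings = {}
    for f in parse_failures(syslog_text):
        key = (f["src_if"], f["dst_if"])
        entry = findings.setdefault(key, {
            "count": 0, "dst_ports": set(), "dst_hosts": set(),
            "missing_global": False, "default_route": False, "suggested": []})
        entry["count"] += 1
        entry["dst_ports"].add(f["dst_port"])
        entry["dst_hosts"].add(f["dst_ip"])
    for (src_if, dst_if), entry in findings.items():
        ids = nat_ids.get(src_if, set())
        unmatched = sorted(ids - global_ids.get(dst_if, set()))
        entry["missing_global"] = bool(unmatched)
        entry["default_route"] = dst_if in default_route_ifs
        # Candidate fix in the form KS suggested; review before applying.
        entry["suggested"] = [f"global ({dst_if}) {i} interface" for i in unmatched]
    return findings


def report(findings):
    """Render the findings as a few human-readable lines."""
    lines = []
    for (src_if, dst_if), e in sorted(findings.items()):
        lines.append(f"{e['count']} x 305006 {src_if} -> {dst_if}, "
                     f"dst ports {sorted(e['dst_ports'])}, hosts {sorted(e['dst_hosts'])}")
        if e["missing_global"]:
            lines.append(f"  no global on {dst_if} for the nat id(s) used on {src_if};"
                         f" candidate fix: " + "; ".join(e["suggested"]))
        if not e["default_route"]:
            lines.append(f"  note: no default route points out {dst_if}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(diagnose(CONFIG, SYSLOG)))
```

Run against the thread's lines it reports four failures from inside to outside2 on ports 53 and 80, flags that nat id 1 on inside has no global on outside2, and notes that no default route points out outside2, which is the same reasoning KS gave by hand. On a real box, paste the output of `show run | i ^global|^nat|^route` into CONFIG and the filtered `show logging` output into SYSLOG.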