06-22-2011 10:18 PM - edited 03-11-2019 01:49 PM
Hi,
I'm having an issue on my PIX 501 (ver. 6.3(5)) firewall: when host 192.168.1.2 accesses any website, no website opens, and when I issue the command sh xlate I don't see anything. I think I must enable NAT on this firewall, the same as nat-control on an ASA, but I don't know what the cause is and why the traffic does not go through.
Kindly see all details below and give me a solution to pass inside traffic to the outside.
PIX501(config)# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX501
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq www
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 110.34.33.124 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 110.34.33.125
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outbound in interface inside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 110.34.33.97 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
username saeed password xAmbVBkAB7NsAEuT encrypted privilege 15
terminal width 80
Cryptochecksum:9dd55a301a22073d9ed3313b674cfbb6
: end
PIX501(config)# sh nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
PIX501(config)# sh global
global (outside) 1 110.34.33.125
PIX501(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list outbound; 1 elements
access-list outbound line 1 permit tcp 192.168.1.0 255.255.255.0 any eq www (hitcnt=0)
PIX501(config)# sh xlate
0 in use, 0 most used
06-22-2011 10:22 PM
If there is no hitcount, that means that the traffic is not even hitting the PIX firewall.
Check the host to ensure that the default gateway is correct and that the IP address and subnet mask are correctly configured. Also, does it have any DNS settings configured?
If you are using external DNS server, then you might want to allow DNS traffic through the PIX firewall as well.
Try to see if you can browse the internet by IP address instead of by name to see where the problem is.
06-22-2011 10:27 PM
On the client, here are the settings.
IP: 192.168.1.2
Sub: 255.255.255.0
Gateway: 192.168.1.1
DNS: No DNS, but I applied 192.168.1.1 and it is still not working.
I don't have any such DNS; can I put in the ISP DNS?
This host can ping inside interface but unable to pass traffic from inside to outside.
Update:
============
I just entered the ISP DNS on the client side, but still the same issue.
One thing more, see here.
PIX501(config)# ping 110.34.33.124
110.34.33.124 response received -- 0ms
110.34.33.124 response received -- 0ms
110.34.33.124 response received -- 0ms
PIX501(config)# ping 110.34.33.125
110.34.33.125 NO response received -- 1000ms
110.34.33.125 NO response received -- 1000ms
110.34.33.125 NO response received -- 1000ms
06-22-2011 10:40 PM
Of course you would need DNS, and you can't use 192.168.1.1 because the PIX does not act as a DNS server.
Please configure the ISP DNS server.
Just take the access-group off for now while you are still testing:
no access-group outbound in interface inside
And also, you won't be able to ping 110.34.33.125 as it's a virtual IP.
Test to see if you can ping 110.34.33.97 from the host, if you can, that means you have connectivity through the PIX.
06-22-2011 10:53 PM
Well, when I put in the DNS and disabled the access-group with
no access-group outbound in interface inside
it works fine, and when I enable the above command again it does not work, so please help me with what I should do to apply the access-list. Is there any issue with the access-list?
One thing more: can I put in my local DNS server, and will it work?
One thing more: why is the Tab button not working, I mean completing the command?
06-22-2011 11:08 PM
You would have to configure access-list to allow DNS traffic.
Please add the following for DNS:
access-list outbound permit udp 192.168.1.0 255.255.255.0 any eq 53
For any traffic that you would like to allow outbound, once you configure the access-group, you would need to explicitly permit each type of traffic.
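The behaviour described in this last reply (once an access-group is bound to the inside interface, every flow not explicitly permitted falls to the implicit deny at the end of the list, so HTTP works but the DNS lookup that precedes it is dropped) can be checked offline. The following is an added example, not Cisco code and not posted in the thread: a small Python evaluator for the PIX 6.x `access-list` and `access-group` forms that appear above. It parses the two lines from the posted config, evaluates a TCP/80 and a UDP/53 flow from 192.168.1.2 with and without the DNS line suggested in the reply, and reports which ACE (or the implicit deny) decided each flow. The port-keyword table is a small subset, the destination 198.51.100.10 is a constructed placeholder, and only the address/port syntax forms used on this page are handled.

```python
"""PIX 6.x access-list evaluator: first match wins, implicit deny at the end.

Added example for this thread; not Cisco code. Handles the running-config forms
seen on the page:
  access-list NAME permit|deny PROTO SRC [eq PORT] DST [eq PORT]
  access-group NAME in interface IFACE
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Port keywords the PIX accepts in place of numbers (assumption: only this subset).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "ftp": 21, "smtp": 25}


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int]          # None means any source port
    dport: Optional[int]          # None means any destination port
    text: str                     # original line, for reporting


def _parse_addr(tok, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _parse_port(tok, i):
    """Consume an optional 'eq PORT' at tok[i]; PORT may be a number or keyword."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_config(text):
    """Return ({acl_name: [Ace, ...]}, {(iface, direction): acl_name})."""
    acls, bindings = {}, {}
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) > 4 and tok[0] == "access-list" and tok[2] in ("permit", "deny"):
            src, i = _parse_addr(tok, 4)
            sport, i = _parse_port(tok, i)
            dst, i = _parse_addr(tok, i)
            dport, i = _parse_port(tok, i)
            acls.setdefault(tok[1], []).append(
                Ace(tok[2], tok[3], src, dst, sport, dport, raw.strip()))
        elif len(tok) == 5 and tok[0] == "access-group" and tok[3] == "interface":
            bindings[(tok[4], tok[2])] = tok[1]   # (iface, "in") -> acl name
    return acls, bindings


def evaluate(acls, bindings, iface, proto, src_ip, dst_ip, dport, sport=None) -> Tuple[str, str]:
    """Decide a flow entering IFACE. Returns (verdict, reason)."""
    name = bindings.get((iface, "in"))
    if name is None:
        # No access-group on the interface: PIX 6.x lets traffic flow from a
        # higher to a lower security level by default (a NAT rule is still needed).
        return "permit", f"no access-group on {iface}"
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acls.get(name, []):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text          # first matching ACE wins
    return "deny", f"implicit deny at end of access-list {name}"


# The two relevant lines exactly as posted in the thread.
POSTED = """\
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq www
access-group outbound in interface inside
"""
# Same config with the DNS permit from the last reply appended.
FIXED = POSTED + "access-list outbound permit udp 192.168.1.0 255.255.255.0 any eq 53\n"


def check(config, proto, dport):
    """Evaluate 192.168.1.2 -> 198.51.100.10 (constructed destination) on 'inside'."""
    acls, bindings = parse_config(config)
    return evaluate(acls, bindings, "inside", proto, "192.168.1.2", "198.51.100.10", dport)


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        for proto, port in (("tcp", 80), ("udp", 53)):
            verdict, why = check(cfg, proto, port)
            print(f"{label:6} {proto}/{port}: {verdict:6} ({why})")
```

Running it shows tcp/80 permitted by the posted www line in both cases, udp/53 hitting the implicit deny under the posted config, and udp/53 permitted once the DNS line is added, which is exactly the difference between the client that browses by name working and not working. The same evaluator can be pointed at any other flow (for example ICMP to 110.34.33.97) to see what else the applied access-group blocks.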