saeedccie
Beginner

Urgent! Natting Issue on Pix 501

Hi,

I'm having an issue on my PIX 501 (ver. 6.3(5)) firewall: when host 192.168.1.2 accesses any website, no website opens, and when I issue the command sh xlate I don't see anything. I think I must enable NAT on this firewall, the same as nat-control on the ASA, but I don't know what the cause is and why the traffic doesn't go through.

Kindly see all the details below and give me a solution to pass inside traffic to the outside.

PIX501(config)# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX501
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq www
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 110.34.33.124 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 110.34.33.125
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outbound in interface inside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 110.34.33.97 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
username saeed password xAmbVBkAB7NsAEuT encrypted privilege 15
terminal width 80
Cryptochecksum:9dd55a301a22073d9ed3313b674cfbb6
: end

PIX501(config)# sh nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

PIX501(config)# sh global
global (outside) 1 110.34.33.125

PIX501(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
            alert-interval 300
access-list outbound; 1 elements
access-list outbound line 1 permit tcp 192.168.1.0 255.255.255.0 any eq www (hitcnt=0)

PIX501(config)# sh xlate
0 in use, 0 most used

Jennifer Halim
Cisco Employee

If there is no hitcount, that means that the traffic is not even hitting the PIX firewall.

Check the host to ensure that the default gateway is correct and that the IP address and subnet mask are correctly configured. Also, does it have any DNS setting configured?

If you are using an external DNS server, then you might want to allow DNS traffic through the PIX firewall as well.

Try to see if you can browse the internet by ip address instead of name to see where the problem is.

Here are the settings on the client:

IP: 192.168.1.2

Sub: 255.255.255.0

Gate-Way: 192.168.1.1

DNS: No DNS, but I applied 192.168.1.1 and it is still not working.

I don't have any such DNS; can I put in the ISP DNS?

This host can ping inside interface but unable to pass traffic from inside to outside.

Update:

============

I just entered the ISP DNS on the client side, but it is still the same issue.

One thing more, see here:

PIX501(config)# ping 110.34.33.124
        110.34.33.124 response received -- 0ms
        110.34.33.124 response received -- 0ms
        110.34.33.124 response received -- 0ms

PIX501(config)# ping 110.34.33.125
        110.34.33.125 NO response received -- 1000ms
        110.34.33.125 NO response received -- 1000ms
        110.34.33.125 NO response received -- 1000ms

Of course you would need DNS, and you can't use 192.168.1.1 because the PIX does not act as a DNS server.

Please configure the ISP DNS server.

Just take the access-group off for now while you are still testing:

no access-group outbound in interface inside

And also, you won't be able to ping 110.34.33.125 as it's a virtual IP.

Test to see if you can ping 110.34.33.97 from the host, if you can, that means you have connectivity through the PIX.

Well, when I put in the DNS and disable the access-group with

no access-group outbound in interface inside

then it works fine, and when I enable the above command again it does not work, so please help me with what I should do to apply the access-list. Is there any issue with the access-list?

One thing more: can I put in my local DNS server, and will it work?

One thing more: why is the Tab button not working? I mean completing the command.

You would have to configure access-list to allow DNS traffic.

Please add the following for DNS:

access-list outbound permit udp 192.168.1.0 255.255.255.0 any eq 53

For any of the traffic that you would like to allow outbound, once you configure the access-group, you would need to explicitly configure each type of traffic to go outbound.
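To make the point of this thread concrete, here is an added Python model (not part of the original thread or of Cisco's code) of how an inbound access-list on the inside interface is evaluated: first match wins, and anything not explicitly permitted falls into the implicit deny at the end. It parses the PIX 6.3 access-list syntax posted above, then walks a browser's first two flows (UDP/53 to a resolver, then TCP/80 to the web server) against the access-list as posted and with the DNS line added. The resolver and web server addresses are constructed samples from the RFC 5737 documentation ranges; the port keyword table is an assumption covering only the names this model needs.

```python
import ipaddress

# Port keywords accepted in PIX "eq" clauses (subset chosen for this model).
PORT_NAMES = {"www": 80, "http": 80, "domain": 53, "https": 443}

def parse_ace(line):
    """Parse: access-list NAME permit|deny PROTO SRC MASK|any DST MASK|any [eq PORT]."""
    tok = line.split()
    name, action, proto, i = tok[1], tok[2], tok[3], 4

    def addr():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ipaddress.ip_network("0.0.0.0/0")
        i += 2  # PIX 6.x uses a real subnet mask here, not a wildcard mask
        return ipaddress.ip_network(f"{tok[i - 2]}/{tok[i - 1]}", strict=False)

    src, dst, dport = addr(), addr(), None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport, "hitcnt": 0}

def build_acl(lines):
    return [parse_ace(l) for l in lines]

def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; every access-list ends in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace["proto"] in (proto, "ip") and s in ace["src"] and d in ace["dst"] \
                and ace["dport"] in (None, dport):
            ace["hitcnt"] += 1  # what "sh access-list" reports as hitcnt
            return ace["action"]
    return "deny"

def browse(acl, client, dns_server, web_server):
    """A browser resolves the name over UDP/53 before it ever opens TCP/80."""
    if evaluate(acl, "udp", client, dns_server, 53) != "permit":
        return "dns blocked"
    if evaluate(acl, "tcp", client, web_server, 80) != "permit":
        return "http blocked"
    return "ok"

# Constructed sample addresses (RFC 5737 documentation ranges), not from the thread.
CLIENT, DNS_SERVER, WEB_SERVER = "192.168.1.2", "203.0.113.53", "198.51.100.80"
ACL_AS_POSTED = ["access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq www"]
ACL_WITH_DNS = ACL_AS_POSTED + ["access-list outbound permit udp 192.168.1.0 255.255.255.0 any eq 53"]
```

With the access-list as posted the DNS query is dropped by the implicit deny, so the browser never attempts TCP/80 and the www entry keeps hitcnt=0, which is also why sh xlate shows nothing: the inside ACL is checked before any translation is built.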