Browsing not working from lan

fmatrine
Level 1

Dear Sir,

We have a lan network 192.168.10.0/24

Topology of our network is LAN-PIX(506E)-Internet Router-ISP...

We have configured the router and PIX firewall as per our requirement.

Requirement is to allow lan users to access internet.

We are able to ping the outside but unable to browse from a LAN PC.

The PC has the firewall's internal interface as its default gateway. We have also configured DNS in the network settings of the PC, but still we are not getting internet pages.

We can ping the DNS server and the external world from the LAN.

We have done PAT on the PIX firewall for the translation of private to public IP addresses.

PIX firewall config:-

PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security10

enable password xxxx

passwd xxxx

hostname firewall

fixup protocol dns maximum-length 512

fixup protocol ftp 21

no fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

no fixup protocol rsh 514

no fixup protocol rtsp 554

no fixup protocol sip 5060

fixup protocol sip udp 5060

no fixup protocol skinny 2000

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list outside_access_in permit icmp any any

access-group outside_access_in in interface outside

access-list in_access_outside permit tcp any any

access-list in_access_outside permit udp any any

access-list in_access_outside permit ip any any

access-group in_access_outside in interface inside

pager lines 24

logging timestamp

logging trap debugging

logging history notifications

logging host inside 192.168.18.4

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside XXX.64.9.2 255.255.255.240

ip address inside 192.168.10.1 255.255.255.0

ip verify reverse-path interface inside

ip audit info action alarm

ip audit attack action alarm

no pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 XXX.64.9.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

snmp-server host inside 192.168.18.5

no snmp-server location

no snmp-server contact

snmp-server community xxxx

snmp-server enable traps

floodguard enable

telnet timeout 2

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:xxxx

: end

Kindly guide us on the same.

rgds

7 Replies

jmia
Level 7

Hi,

Firstly, by default the PIX will allow any inside traffic out, so I would suggest that you clear the ACLs for the inside interface and the outside interface first.

After this you can start to configure ACLs and statics for any traffic you want to permit in from the outside on the outside interface, for example SMTP etc.

When you have cleared the ACLs, make sure to save with write mem; a clear xlate would be a good idea too.

Let me know if this helps.

Jay

Hi,

Still not working...

I can ping internet sites (e.g., www.yahoo.com) by name, but still I cannot browse the same site from my PC.

Kindly advise.

rgds

rpathani
Level 1

Hi, kindly give the following commands on the PIX from config terminal mode, in the order in which they are written:

clear access-list in_access_outside

fixup protocol dns maximum-length 1500

clear xlate

clear arp

clear local

write mem

Now try to access the internet from your internal LAN. If this doesn't work, then try changing the primary and secondary DNS server addresses on the host and see if this works for you.

It seems that the internal hosts are not resolving DNS queries.

I'm sure this would help you.

Rahul Pathania.

I have a similar problem but the above solution does not work.

Any other suggestions?

rpathani
Level 1

And yes, in addition to this, the config you sent does not look to be that of a PIX 506E as you stated, since you have mentioned 3 interfaces on the PIX and the 506E model has only 2 interfaces.

Also, to let you know, in most of these cases it is an internal DNS server issue.

Rahul Pathania.

Hi Rahul,

Thanks for the guidance.

Will try this and get back with the results.

Also, is the In_Out access-list not required?

rgds

rpathani
Level 1

Hi,

Yes, we do not require the in_access_outside access-list, as by default traffic is permitted from a higher to a lower security level.

1) For traffic flow from higher to lower security, we need:

nat and global

OR

static

2) For traffic flow from lower to higher security, we need:

static and access-list.

Warm Regards,

Rahul.
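As an added example, not part of this thread or of Cisco's tooling, here is a small Python lint that applies the checks the replies above raise to a PIX 6.x config: an ACL applied on the highest-security interface (already permitted by default), a 'permit ... any any' entry on an outside ACL, the dns fixup maximum-length below the 1500 Rahul recommends, and a nat id with no matching global. The sample config is constructed from the lines quoted in the original post; the PIX parsing is deliberately limited to those statement types.

```python
# Constructed sample: the statements from the poster's PIX 6.3(3) config that the replies refer to.
SAMPLE_CONFIG = """\
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
fixup protocol dns maximum-length 512
access-list outside_access_in permit icmp any any
access-group outside_access_in in interface outside
access-list in_access_outside permit ip any any
access-group in_access_outside in interface inside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

def parse_pix(text):
    # Collect only the PIX 6.x statements the thread's advice depends on.
    cfg = {"ifaces": set(), "seclevel": {}, "acl": {}, "applied": {},
           "dns_max": None, "nat_ids": set(), "global_ids": set()}
    for line in text.splitlines():
        p = line.split()
        if not p: continue
        if p[0] == "interface":
            cfg["ifaces"].add(p[1])
        elif p[0] == "nameif":                      # nameif <hw> <name> security<N>
            cfg["seclevel"][p[2]] = int(p[3][len("security"):])
        elif p[:3] == ["fixup", "protocol", "dns"] and "maximum-length" in p:
            cfg["dns_max"] = int(p[p.index("maximum-length") + 1])
        elif p[0] == "access-list":                 # access-list <name> <entry ...>
            cfg["acl"].setdefault(p[1], []).append(" ".join(p[2:]))
        elif p[0] == "access-group":                # access-group <acl> in interface <if>
            cfg["applied"][p[-1]] = p[1]
        elif p[0] in ("nat", "global"):             # nat (inside) <id> ... / global (outside) <id> ...
            cfg[p[0] + "_ids"].add(p[2])
    return cfg

def lint(cfg):
    # Return one string per finding; an empty list means nothing the thread flags is present.
    out = []
    top = max(cfg["seclevel"].values(), default=0)
    for iface, acl in cfg["applied"].items():
        if cfg["seclevel"].get(iface) == top:
            out.append(f"acl-on-inside: {acl} on {iface}; PIX already permits high->low traffic")
        elif any(e.endswith("any any") for e in cfg["acl"].get(acl, [])):
            out.append(f"broad-inbound: {acl} on {iface} permits 'any any'")
    if cfg["dns_max"] is not None and cfg["dns_max"] < 1500:
        out.append(f"dns-fixup: maximum-length {cfg['dns_max']} is below 1500; larger DNS replies are dropped")
    for nid in cfg["nat_ids"] - cfg["global_ids"]:
        out.append(f"nat-without-global: nat id {nid} has no matching global")
    return out
```

Re-running lint after removing the inside access-group and raising the dns fixup to 1500, as the replies suggest, leaves only the broad outside ACL finding.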