I currently have two problems with my setup. They may be connected but not sure.
1. The outside link on the firewall will not reapond to and requests. I know that the exgternal connection is working but nothing is communicating. The internal network is mainly working through dhcp with a couple of oracle servers on static ip's. When trying to setup the nat nothing happens on the outside link and there is no traffic being sent to or from the connection. This is getting a bit of a headache.
2. The oracle servers keep dropping there connections internally and it seems as though the firewall is denying this from communicating.
Any suggestion would be appreciated as this is my first go at configuring a cisco.
Quick question, (and sorry if it sounds silly) is the outside interface of the pix up and running? If you issue sho int on the pix, it will show you the status of both interfaces. Are both interfaces showing up/up ?
OK, I presume you've tested the cables etc? What sort of network topology have you got? Is it:
Inside_Lan<-->Switch<-->PIX<-->Internet_Router OR something else.
From the pix can you ping the default-gateway ip, i.e. the IP addrs that the outside interface of the pix is connected to?
Can you post up your pix configuration (take out any sensitive info)
Let me know,
Topology is as suggested above
The cables and such are working fine and the the pix can ping the internet_router.
Current config is:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
enable password encrypted
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inside_access_in permit ip any any
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 126.96.36.199 255.255.255.240
ip address inside 192.168.16.2 255.255.255.0
ip address DMZ 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.16.0 255.255.255.255 inside
pdm location 192.168.16.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 150 interface
global (outside) 151 188.8.131.52
global (inside) 151 192.168.16.3-192.168.16.254 netmask 255.255.255.0
global (DMZ) 150 184.108.40.206-220.127.116.11 netmask 255.255.255.240
nat (inside) 150 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
routing interface outside
routing interface inside
routing interface DMZ
rip inside default version 1
timeout xlate 3:00:00
timeout conn 0:00:00 half-closed 0:00:00 udp 0:00:00 rpc 0:00:00 h225 0:00:00
timeout h323 0:00:00 mgcp 0:00:00 sip 0:00:00 sip_media 0:00:00
timeout uauth 0:00:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.16.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
sysopt connection tcpmss 0
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.16.3-192.168.16.140 inside
dhcpd dns 18.104.22.168 22.214.171.124
dhcpd lease 43200
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Check your routing table !!!
Try to add a default route and see if it is going to work.
route outside 0.0.0.0 0.0.0.0 Gateway
Your access-list on the inside network does not make sense than without one it will permit the same.
All higher security level can communicate with a lower one if there is no acccess-list on that interfaces.
Is this a new install??
if so I have seen the MAC address of the (old)firewall locked down in the telco router. that will make the link come up but no data will pass.... to the new firewall because the router is sending at the MAC of the old firewall... You may want to put a sniffer in and take a look....
So far, there have been several good suggestions.
You will definitely want to put in a Default Route Statement as mentioned before.
Also, if you have access to the Router on the Outside of the PIX, you will want to clear it's ARP Table. If you are not sure how to do this, or if you don't have access to it, just power cycle the Router as this will clear it as well. I have seen many times where this has resolved your type of issue.
These two things should get you up and going. If not, please post an updated config and I will take another look.
Richard J. Bramble