PIX 515e Networking

hardypeter
Level 1

I currently have two problems with my setup. They may be connected, but I'm not sure.

1. The outside link on the firewall will not respond to any requests. I know that the external connection is working, but nothing is communicating. The internal network is mainly working through DHCP, with a couple of Oracle servers on static IPs. When trying to set up the NAT, nothing happens on the outside link and there is no traffic being sent to or from the connection. This is getting a bit of a headache.

2. The Oracle servers keep dropping their connections internally, and it seems as though the firewall is blocking them from communicating.

Any suggestions would be appreciated, as this is my first go at configuring a Cisco.

Peter

7 Replies

jmia
Level 7

Peter,

Quick question (and sorry if it sounds silly): is the outside interface of the PIX up and running? If you issue sho int on the PIX, it will show you the status of both interfaces. Are both interfaces showing up/up?

Jay

Jay

Yes, both interfaces are up and running; the outside just won't communicate.

Peter

Peter,

OK, I presume you've tested the cables etc.? What sort of network topology have you got? Is it:

Inside_Lan<-->Switch<-->PIX<-->Internet_Router, or something else?

From the PIX, can you ping the default-gateway IP, i.e. the IP address that the outside interface of the PIX is connected to?

Can you post your PIX configuration (take out any sensitive info)?

Let me know,

Jay

Jay

Topology is as suggested above:

Inside_Lan<-->Switch<-->PIX<-->Internet_Router

The cables and such are working fine, and the PIX can ping the Internet_Router.

Current config is:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
enable password encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_access_in permit ip any any
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 195.188.41.178 255.255.255.240
ip address inside 192.168.16.2 255.255.255.0
ip address DMZ 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.16.0 255.255.255.255 inside
pdm location 192.168.16.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 150 interface
global (outside) 151 195.188.16.179
global (inside) 151 192.168.16.3-192.168.16.254 netmask 255.255.255.0
global (DMZ) 150 195.188.41.180-195.188.41.181 netmask 255.255.255.240
nat (inside) 150 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
routing interface outside
routing interface inside
routing interface DMZ
rip inside default version 1
timeout xlate 3:00:00
timeout conn 0:00:00 half-closed 0:00:00 udp 0:00:00 rpc 0:00:00 h225 0:00:00
timeout h323 0:00:00 mgcp 0:00:00 sip 0:00:00 sip_media 0:00:00
timeout uauth 0:00:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.16.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss 0
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.16.3-192.168.16.140 inside
dhcpd dns 193.38.113.3 194.117.157.4
dhcpd lease 43200
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

Peter

Check your routing table!!!

Try to add a default route and see if it is going to work:

route outside 0.0.0.0 0.0.0.0 Gateway

Your access-list on the inside network does not make sense, as without one it will permit the same.

All higher security levels can communicate with a lower one if there is no access-list on that interface.

Sincerely,

Patrick

benyancey
Level 1

Is this a new install?

If so, I have seen the MAC address of the (old) firewall locked down in the telco router. That will make the link come up, but no data will pass to the new firewall because the router is sending to the MAC of the old firewall... You may want to put a sniffer in and take a look....

Good luck,

ben

rckymtn
Level 1

So far, there have been several good suggestions.

You will definitely want to put in a default route statement, as mentioned before.

Also, if you have access to the router on the outside of the PIX, you will want to clear its ARP table. If you are not sure how to do this, or if you don't have access to it, just power-cycle the router, as this will clear it as well. I have seen many times where this has resolved your type of issue.

These two things should get you up and going. If not, please post an updated config and I will take another look.

Richard J. Bramble

ribrambl@rmcare.com