still cant access internet (Nisha)

mhel
Level 1

Hi Nisha

I've done what you instructed me to do before: set a route outside, make changes to the global statements, and point the workstations to the inside IP of the PIX 501 (192.168.1.x).

global (outside) 1 interface

route outside 0.0.0.0 0.0.0.0 210.23.197.x (peer router from ISP)

Thanks,

Mhel

11 Replies

jmia
Level 7

Hi Mhel -

Can you please post your config (remember to exclude real IPs and passwords).

Thanks -

Hi,

Here's the current config. Any advice is highly appreciated.

PIX501# sh run
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password (edit) encrypted
passwd (edit) encrypted
hostname xxxxxx
domain-name proxy.(ISP).net.ph
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 192.168.x.0 255.255.x.x 10.4.x.x 255.255.x.x
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 210.23.x.x 255.255.x.x
ip address inside 192.168.x.x 255.255.x.x
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 210.23.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.x.x 255.255.x.x inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set xxxxxx esp-3des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 set peer 202.136.x.x
crypto map transam 1 set transform-set xxxxxx
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 202.136.x.x netmask 255.x.x.x
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:(edit)
: end

Thanks.

Mhel

Hi Mhel -

Q. Have you got an inside router with a route to the PIX?

Q. Can you ping the inside interface of the PIX from any inside PCs?

Q. Have you tried using the 'clear xlate' cmd?

Q. What exact error messages are you getting / seeing?

Please let me know.

Thanks - -

Hi,

Answer to the question(s)

1. There's no inside router. The peer router that I mentioned is on the ISP side. The connection is:

PC--------------switch-------------PIX---------------dsl------------------internet

2. Yes

3. So far, I haven't tried it yet

4. If I'm pointing my workstation to the inside IP of the PIX, it can't connect to the internet

Thanks

Mhel

Ok, Mhel - -

Another question which I didn't mention on my previous post is, have you tried any packet analysis on the PIX, i.e. > debug packet inside src

To stop the debug use > no debug packet inside, you can do this also for the outside interface but use the src (source) IP that is coming in to your network (an IP say, from your ISP).

Also, I notice that you don't seem to have any 'route inside' cmd on your PIX config?

i.e. > route inside 1

Hope the above makes sense and let me know how you get on.

Thanks --

Mhel -

Forgot to mention another thing on my previous post: please be aware that 'debugging' can generate high CPU usage on the PIX, so it is advisable not to do this on a production PIX.

Thanks--

Hi,

I tried it already, the debug packet cmd. When I'm trying to add the route inside cmd, the output is "route already exist".

mhel

Mhel --

What does your PIX show when you do a 'show route inside' cmd? Also, try the cmd 'no route inside', then make sure you save it with the cmd 'write memory', and then re-apply the 'ip route inside' cmd and see what happens.

Hope this helps, let me know how you get on.

Mhel,

Just curious, but what exactly do you mean by not able to connect to the Internet? Looking at your config, you have the correct nat and global statements set, and the route statement also seems correct to me. But with this config the PIX would not allow ICMP echoes coming back to your internal network, so "ping" would not work in this config (better to leave this disabled though).

The next thing to check would normally be whether you can connect to an HTTP server by IP address only, because most problems are not related to packets not traversing through the PIX to the outside, but the other way around. What I have seen in many cases is that the DNS server of the provider is used for name resolving (better would be a split DNS solution, but this is off topic of course).

If you are using split DNS, this would not work in this config, because replies of the outside DNS server cannot travel back to your inside DNS server.

If this is the case you would have to open the appropriate UDP ports used for DNS resolving.

Hope this helps.

Kind regards,

Leo

Hi,

Here's the output; I also include the route outside.

sh route inside
inside 192.168.x.0 255.255.255.0 192.168.x.x (inside ip of PIX) 1 CONNECT static

sh route outside
outside 0.0.0.0 0.0.0.0 210.23.x.161 1 OTHER static
outside 210.23.x.160 255.255.255.240 210.23.x.162 1 CONNECT static

I'm trying to use the no route inside cmd but still "route already exist".

What do you think?

thanks

Mhel

tvanginneken
Level 4

Hi,

what kind of traffic are you using for the test? ICMP, http, ....?

ICMP does not work, unless you create an access-list that allows icmp echo-reply packet and apply this acl to the outside interface.

If you are using http, make sure that DNS is correctly configured.

Kind Regards,

Tom
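As an added illustration of the points Tom and Leo raise above (this is example configuration written for this thread, not anything the posters supplied), here is the minimal PIX 6.x outbound PAT set-up that matches the nat/global/route lines already in Mhel's config, with the outside access-list that lets ICMP replies back in, and the show commands that tell you whether an inside workstation's traffic is actually being translated. The ACL name outside_in and all addresses are constructed placeholders from RFC 5737 documentation space, not the ISP's real values.

```cisco
! Added example for PIX 6.x, written for this thread; not the poster's config.
! All addresses are constructed placeholders (RFC 5737 documentation space).
ip address outside 192.0.2.2 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
!
! Outbound PAT: every inside host hides behind the outside interface address.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
!
! Default route toward the ISP gateway. The CONNECT route for the inside
! subnet is installed automatically from "ip address inside"; that is why a
! manual "route inside" for the same subnet is refused as already existing.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! Stateful inspection returns TCP and UDP replies by itself, but PIX 6.x does
! not track ICMP, so a ping from an inside PC gets no reply unless the reply
! types are explicitly permitted inbound on the outside interface.
! Permit only what ping and traceroute need, nothing else.
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
access-group outside_in in interface outside
!
! Checks to run on the PIX while an inside PC browses a web server by IP:
!   show xlate                  a PAT entry for the PC appears only if its
!                               packets reach the PIX and are translated
!   show conn                   the TCP connection shows up if the outside
!                               path and return path both work
!   show access-list outside_in hit counts climb when ICMP replies arrive
!   clear xlate                 flush stale translations after editing
!                               nat/global
```

If `show xlate` and `show conn` are populated and a page loads by IP address but not by name, the PAT and routing are fine and the remaining problem is name resolution, which is the DNS check Leo and Tom point to.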
