03-12-2005 12:05 PM - edited 03-05-2019 11:28 AM
Hi:
I have a new PIX 501 firewall. I set it up from the new out-of-the-box default configuration to use PPPoE. I can ping internet IP addresses from the router, so I know the connection is up and working. I can access the inside port of the router from the LAN. I cannot access the outside port of the router from the network. I cannot browse either. I am pretty sure there is something missing in the address translation setup. It is set up to use a dynamic IP address on the outside port. It is set up for PAT using the IP address of the interface.
Thanks
03-12-2005 06:11 PM
If you can ping internet IP addresses then it sounds like a DNS problem. If you are using the PIX to supply DHCP, make sure that you have the following command in the config:
dhcpd auto_config outside
It will then supply the DNS addresses that it obtains from your ISP to your computers.
03-12-2005 08:20 PM
I can ping the internet from the router. I cannot ping the outside port of the router from the LAN. I cannot ping any internet IP address from my PC on the LAN. I am trying to ping IP addresses only, not URLs.
03-12-2005 09:44 PM
Could you post pix configs please.
Is the pix assigning ip address to the pc? Is the pix outside interface up? Is the default gateway setup?
Regards,
Mustafa
03-13-2005 06:50 PM
Yes the pix is assigning ip addresses to the PC.
Yes the pix outside interface is up.
I am not sure about the default gateway. On the inside or the outside? I assume the outside is up because I can ping the internet from the router. I cannot when I try to ping from the PC. I cannot even ping the outside IP from the PC.
Configs follow:
Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname kpcwall
domain-name local.kpcacctg.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service Telnet tcp
port-object eq telnet
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.1 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname name
vpdn group pppoe_group ppp authentication pap
vpdn username name password *********
dhcpd address 192.168.1.21-192.168.1.50 inside
dhcpd dns 192.168.1.9 198.235.216.131
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxx
: end
[OK]
03-13-2005 10:34 PM
The PIX configs seem ok for pppoe, however the network setup is not clear. Do you have a router between the pix and the cable/dsl modem, or is the pix connected directly to the modem? i.e.
pc ---- inside|pix|outside ---- ethernet|ISP modem|cable/dsl ---- ISP
pc ---- inside|pix|outside ---- ethernet|router|ethernet ---- ethernet|ISP modem|cable/dsl ---- ISP
If the pix is connected directly to the modem, what is the output of:
sho ip addr outside pppoe
sho vpdn
sho vpdn ?
sho ip route
sho conn
If there is a router between the pix and the modem, then pppoe should be disabled on the pix - enabled on the router, the outside ip address should be assigned (manually or via dhcp from the router), and the default gateway should be specified:
route outside 0.0.0.0 0.0.0.0 r.r.r.r (router's directly connected ip address)
Let us know please
Regards,
Mustafa
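Added example, not part of the thread: a Python check of the points discussed above (each nat id has a global with the same id, the inside network is covered by a nat rule, a default route comes from setroute or a static route outside, and the DHCP pool sits in the inside network). The function name and the reduced sample are constructed for illustration; the sample lines are copied from the posted config.

```python
import ipaddress
import re

# Constructed sample: the addressing, translation and DHCP lines of the config posted above.
POSTED = """\
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
dhcpd address 192.168.1.21-192.168.1.50 inside
"""

def _net(addr, mask):
    # PIX accepts "0" as shorthand for 0.0.0.0 in both address and mask.
    addr, mask = ("0.0.0.0" if x == "0" else x for x in (addr, mask))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check_outbound(config):
    """Return findings that would stop inside hosts from reaching the outside."""
    text = "\n".join(line.strip() for line in config.splitlines())
    findings = []
    m = re.search(r"^ip address inside (\S+) (\S+)$", text, re.M)
    if not m:
        return ["no static inside address"]
    inside = _net(*m.groups())
    # Address/mask nat rules only; access-list based nat forms are ignored here.
    nats = re.findall(r"^nat \(inside\) (\d+) ([\d.]+) ([\d.]+)", text, re.M)
    pools = set(re.findall(r"^global \(outside\) (\d+) ", text, re.M))
    # Every non-zero nat id needs a global pool with the same id.
    for nat_id, addr, mask in nats:
        if nat_id != "0" and nat_id not in pools:
            findings.append(f"nat id {nat_id} has no matching global (outside)")
    if not any(inside.subnet_of(_net(a, k)) for _, a, k in nats):
        findings.append(f"inside network {inside} is not covered by any nat rule")
    # Default route: learned via setroute (pppoe/dhcp) or configured statically.
    learned = re.search(r"^ip address outside (pppoe|dhcp) setroute$", text, re.M)
    static = re.search(r"^route outside (0|0\.0\.0\.0) (0|0\.0\.0\.0) \S+", text, re.M)
    if not (learned or static):
        findings.append("no default route on outside")
    # The DHCP pool handed to clients must sit in the inside network.
    m = re.search(r"^dhcpd address (\S+)-(\S+) inside$", text, re.M)
    if m and not all(ipaddress.ip_address(a) in inside for a in m.groups()):
        findings.append("dhcpd pool is outside the inside network")
    return findings

if __name__ == "__main__":
    print(check_outbound(POSTED) or "no translation or routing gaps found")
```

An empty result for the posted lines matches the assessment that the translation setup itself is fine; it says nothing about the state of the PPPoE session, which the show commands above cover.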
03-14-2005 05:16 AM
I have it working. I am not sure what I did to get it working. It is connected directly to the modem. Now I need to get the VPN client and set that up. I have been a technician for about 10 years. I have experience with wide area networks with other routers. I have not done a lot with Cisco routers. What would be a good reference to get started with Cisco IOS?
Thanks
Tom
06-16-2005 11:20 AM
Hi Tom,
Just on an experimental basis, set up one single machine on the DMZ with security level 50 and see if you can ping the outside IP address. If you are able to ping that, then I think there are some more rules which are blocking ICMP access to the internet from the LAN.
Please let me know about this.