
Thread: HELP -Pix 501/Setup

  1. #1

    HELP -Pix 501/Setup

    I'm a newbie on the Cisco Pix-501.
    My setup is as follows:

    Public network: x.x.x.112 255.255.255.248
    Public router ip default gateway: x.x.x.118

    Pix 501
    Ethernet0 (outside) x.x.x.117 netmask 255.255.255.248
    Ethernet1 (inside) 192.168.1.0 netmask 255.255.255.0

    Global (outside) 1 x.x.x.118 netmask 255.255.255.248
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    Route outside 0.0.0.0 0.0.0.0 x.x.x.118 1

    Access-list acl_outbound permit tcp 192.168.1.0 255.255.255.0 any
    access-group acl_outbound in interface inside

    PROBLEM:
    CAN - CONNECT FROM HOST 192.168.1.2 TO PIX X.X.X.117
    CAN NOT CONNECT FROM HOST 192.168.1.2 PIX X.X.X.117, ROUTER X.X.X.118 OR ANY INTERNET HOST

    CAN - CONNECT FROM PIX TO ANY HOST ON 192.168.1.0 NETWORK
    CAN - CONNECT FROM PIX TO ANY HOST ON THE INTERNET

    Basically the PIX is not forwarding or routing TCP traffic from hosts on the inside (local) to hosts on the outside (Internet).

    I'd appreciate it if someone could help me with this; I may have missed something somewhere. Thanks

    NO PROBLEMS WITH ROUTER X.X.X.118 BECAUSE IT'S UP AND RUNNING WITH OTHER INTERNAL CONNECTIONS.

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Did you check the Cisco website? Cisco has sh*tloads of info.

    http://www.cisco.com/pcgi-bin/search...isco.com%23TSD
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Junior Member
    Join Date
    Nov 2003
    Posts
    15
    Looking at your config it looks like you are setting up x.x.x.118 to be your PAT address, but it appears that address is on the router:

    Public network: x.x.x.112 255.255.255.248
    Public router ip default gateway: x.x.x.118

    You need to have a separate public IP address on the PIX for your PAT address. You should use another address in your range. At the PIX command prompt, type "show xlate" and this will show your PAT translations.

    The usable addresses should be 113 through 116 unless you already have them in use on public servers.

    You may also need an inside route to send the traffic back to the internal lan.

    Just a comment: your entry "nat (inside) 1 0.0.0.0 0.0.0.0 0 0" should be limited to your private IP range, but this should not affect the issue you are having now.
    "Any sufficiently advanced technology is indistinguishable from magic." - Arthur C. Clarke

  4. #4
    Yes, I have, but there are lots of them; I just found a new one: http://www.cisco.com/en/US/products/...0800eb0b0.html

    I will read through it to see if I can spot the fault.

    Thanks

  5. #5
    Gulducat,

    Just one correction: it is possible to use a single IP address as both the outside interface and the PAT address. I do not have a PIX up at the moment, but IIRC you need to use

    global (outside) 1 interface

    instead of

    Global (outside) 1 x.x.x.118 netmask 255.255.255.248

    to allow PAT to the external interface.

    In addition to the other PAT rules of course.

  6. #6
    Junior Member
    Join Date
    Nov 2003
    Posts
    15
    Tabich,

    I agree that you can use the same IP as the outside IP and the PAT IP, but it looks like mickey05 has x.x.x.118 on a different device. See his entries:

    "
    Public network: x.x.x.112 255.255.255.248
    Public router ip default gateway: x.x.x.118
    Ethernet0 (outside) x.x.x.117 netmask 255.255.255.248
    Global (outside) 1 x.x.x.118 netmask 255.255.255.248
    CAN NOT CONNECT FROM HOST 192.168.1.2 PIX X.X.X.117, ROUTER X.X.X.118 OR ANY INTERNET HOST
    "

    So x.x.x.117 could be used for the PAT address, but my preferred method is to use a separate IP for PAT.
    "Any sufficiently advanced technology is indistinguishable from magic." - Arthur C. Clarke
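    As an added check, not written by any poster in this thread, the script below encodes Gulducat's diagnosis from posts #3 and #6 (the global/PAT address x.x.x.118 is the router's gateway, so .113-.116 are the free candidates) and Tabich's `global (outside) 1 interface` alternative from post #5. It assumes the config is in PIX 6.x `ip address <if> <addr> <mask>` form, and the x.x.x.112/29 block is stood in for by the constructed documentation range 203.0.113.112/29.

```python
import ipaddress
import re

# Constructed stand-in for the thread's config: x.x.x.112/29 becomes 203.0.113.112/29.
POSTED_CONFIG = """
ip address outside 203.0.113.117 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 203.0.113.118 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 203.0.113.118 1
"""

def parse_config(text):
    """Extract interface addresses, global/nat statements and the default gateway."""
    cfg = {"interfaces": {}, "globals": [], "nats": [], "gateway": None}
    for line in text.lower().splitlines():
        if m := re.match(r"ip address (\w+) (\S+) (\S+)", line):
            cfg["interfaces"][m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := re.match(r"global \((\w+)\) (\d+) (\S+)", line):
            cfg["globals"].append((m[1], int(m[2]), m[3]))  # m[3] may be "interface"
        elif m := re.match(r"nat \((\w+)\) (\d+) (\S+) (\S+)", line):
            net = ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
            cfg["nats"].append((m[1], int(m[2]), net))
        elif m := re.match(r"route (\w+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            cfg["gateway"] = ipaddress.ip_address(m[2])
    return cfg

def check_pat(cfg):
    """Return findings about the global (PAT) and nat lines; empty means consistent."""
    findings = []
    for iface, nat_id, addr in cfg["globals"]:
        if addr == "interface":
            continue  # PAT to the interface's own address cannot collide with another host
        outside = cfg["interfaces"][iface]
        pat = ipaddress.ip_address(addr)
        if pat not in outside.network:
            findings.append(f"global {addr} is outside the {iface} subnet {outside.network}")
        if pat == cfg["gateway"]:
            findings.append(f"global {addr} is the default gateway; it belongs to the router")
    for iface, nat_id, net in cfg["nats"]:
        inside = cfg["interfaces"].get(iface)
        if inside and net.prefixlen < inside.network.prefixlen:
            findings.append(f"nat ({iface}) {nat_id} {net} is broader than the {iface} subnet")
    return findings

def free_pat_candidates(cfg, iface="outside"):
    """Host addresses in the outside subnet not taken by the interface or the gateway."""
    outside = cfg["interfaces"][iface]
    taken = {outside.ip, cfg["gateway"]}
    return [str(h) for h in outside.network.hosts() if h not in taken]
```

    Swapping the posted global line for `global (outside) 1 interface` clears the gateway finding and leaves only the note that `nat (inside) 1 0.0.0.0 0.0.0.0` is broader than the inside subnet.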

  7. #7
    ============From GOOGLE FORUM===============
    Hi,

    I'm also new to the PIX firewalls, but after reading the book "Cisco PIX firewalls" by Osborne, I got my PIX to work almost flawlessly for the basic stuff. If you only have one public IP address you need to use the PAT feature of the PIX:
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    Another piece of advice that brought me from deep frustration to almost liking Cisco was switching from the PDM to the serial interface. When you

    The router is actually an ADSL modem with 5 public IPs x.x.x.113-117 and default x.x.x.118. There is a connection to one router with two inside interfaces (192.168.0.1-192.168.0.9) and two outside interfaces (x.x.x.113 and x.x.x.115), and IP x.x.x.114 is being used by an IP telephone router with inside 192.168.0.100.

    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    Tried the above and it disconnects the IP telephones and the connection from the 192.168.0.1 network. Any suggestions?

  8. #8
    Ah,

    I missed that Gulducat...

  9. #9
    Junior Member
    Join Date
    Nov 2003
    Posts
    15
    Tabich,

    Where is the PIX located, behind the DSL modem or behind the router with the 2 outside and 2 inside IPs? And do you need two outside IP addresses?
    "Any sufficiently advanced technology is indistinguishable from magic." - Arthur C. Clarke

  10. #10
    I may be misunderstanding you, but it looks like you need to add a static NAT (in addition to the PAT for the interface) for x.x.x.14 to 192.168.0.100 for your IP telephone. Then of course make sure that the rules are correct for it.
