-
January 9th, 2004, 02:17 PM
#1
Member
HELP -Pix 501/Setup
I'm newbie on Cisco Pix-501.
My setup is as follows:
Public network: x.x.x.112 255.255.255.248
Public router ip default gateway: x.x.x.118
Pix 501
Ethernet0 (outside) x.x.x.117 netmask 255.255.255.248
Ethernet1 (inside) 192.168.1.0 netmask 255.255.255.0
Global (outside) 1 x.x.x.118 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
Route outside 0.0.0.0 0.0.0.0 x.x.x.118 1
Access-list acl_outbound permit tcp 192.168.1.0 255.255.255.0 any
access-group acl_outbound in interface inside
PROBLEM;
CAN - CONNECT FROM HOST 192.168.1.2 TO PIX X.X.X.117
CAN NOT CONNECT FROM HOST 192.168.1.2 PIX X.X.X.117, ROUTER X.X.X.118 OR ANY INTERNET HOST
CAN - CONNECT FROM PIX TO ANY HOST ON 192.168.1.0 NETWORK
CAN - CONNECT FROM PIX TO ANY HOST ON THE INTERNET
Basically pix is not forwarding or routing tcp traffic from hosts on inside(Local) to hosts on outside(Internet).
I'd appreciate it if someone could help me with this; I may have missed something somewhere. Thanks
NO PROBLEMS WITH ROUTER X.X.X.118 BECAUSE IT'S UP AND RUNNING WITH OTHER INTERNAL CONNECTIONS.
-
January 9th, 2004, 02:29 PM
#2
Did you check the Cisco website? Cisco has sh*tloads of info.
http://www.cisco.com/pcgi-bin/search...isco.com%23TSD
Oliver's Law:
Experience is something you don't get until just after you need it.
-
January 9th, 2004, 02:44 PM
#3
Junior Member
Looking at your config it looks like you are setting up x.x.x.118 to be your PAT address, but it appears that address is on the router:
Public network: x.x.x.112 255.255.255.248
Public router ip default gateway: x.x.x.118
You need to have a separate public IP address on the PIX for your PAT address. You should use another address in your range. At the PIX command prompt, type "show xlate" and this will show your PAT translations.
The usable addresses should be 113 through 116 unless you already have them in use on public servers.
You may also need an inside route to send the traffic back to the internal lan.
Just a comment, your entry "nat (inside) 1 0.0.0.0 0.0.0.0 0 0" should be limited to your private ip range, but this should not affect the issue you are having now.
"Any sufficiently advanced technology is indistinguishable from magic." - Arthur C. Clarke
-
January 9th, 2004, 02:48 PM
#4
Member
Yes, I have, but there are lots of them; just found a new one http://www.cisco.com/en/US/products/...0800eb0b0.html
I will read through it to see if I can spot the fault.
Thanks
-
January 9th, 2004, 04:26 PM
#5
Member
Gulducat,
Just one correction, it is possible to use a single IP address as both the outside interface, and the PAT address, I do not have a PIX up at the moment, but IIRC, you need to use
global (outside) 1 interface
instead of
Global (outside) 1 x.x.x.118 netmask 255.255.255.248
to allow PAT to the external interface.
In addition to the other PAT rules of course.
-
January 9th, 2004, 04:55 PM
#6
Junior Member
Tabich,
I agree that you can use the same IP as the outside IP and the PAT IP, but it looks like mickey05 has x.x.x.118 on a different device. See his entries:
"Public network: x.x.x.112 255.255.255.248
Public router ip default gateway: x.x.x.118
Ethernet0 (outside) x.x.x.117 netmask 255.255.255.248
Global (outside) 1 x.x.x.118 netmask 255.255.255.248
CAN NOT CONNECT FROM HOST 192.168.1.2 PIX X.X.X.117, ROUTER X.X.X.118 OR ANY INTERNET HOST"
So x.x.x.117 could be used for the PAT address, but my preferred method is to use a separate IP for PAT.
"Any sufficiently advanced technology is indistinguishable from magic." - Arthur C. Clarke
-
January 9th, 2004, 05:27 PM
#7
Member
============From GOOGLE FORUM===============
Hi,
I'm also new to the PIX firewalls, but after reading a book "Cisco PIX firewalls" by Osborne, I got my PIX to work almost flawlessly for the
basic stuff. If you only have one public IP address you need to use
the PAT feature of the PIX:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
Another piece of advice that brought me from deep frustration to almost like
Cisco was switching from the PDM to the serial interface. When you
The router is actually an ADSL modem with 5 public IPs x.x.x.113-117 and default x.x.x.118. There is a connection to one router with two inside interfaces (192.168.0.1-192.168.0.9) and two outside interfaces (x.x.x.113 and x.x.x.115), and IP x.x.x.114 is being used by an IP telephone router with inside 192.168.0.100.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
Tried the above and it disconnects the IP telephones and the connection from the 192.168.0.1 network. Any suggestions?
-
January 9th, 2004, 05:36 PM
#8
Member
Ah,
I missed that Gulducat...
-
January 9th, 2004, 06:54 PM
#9
Junior Member
Tabich,
Where is the PIX located, behind the DSL modem or behind the router with the 2 outside and 2 inside IPs? And do you need two outside IP addresses?
"Any sufficiently advanced technology is indistinguishable from magic." - Arthur C. Clarke
-
January 9th, 2004, 07:32 PM
#10
Member
I may be misunderstanding you, but it looks like you need to add a static NAT (in addition to the PAT for the interface) for x.x.x.14 to 192.168.0.100 for your IP telephone. Then of course make sure that the rules are correct for it.
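The following is an added example, not configuration posted by anyone in this thread, pulling together the fixes suggested in posts #3, #5, #6 and #10 as PIX 6.x CLI. It keeps the original poster's addressing (outside x.x.x.117/29, router x.x.x.118, inside 192.168.1.0/24) and assumes an inside interface address of 192.168.1.1, a spare public address x.x.x.116, and a hypothetical inside host 192.168.1.100 for the one-to-one static; the original `global` line is shown commented out beside its replacement so the conflict is visible.

```cisco
! Added example (PIX 6.x syntax), not the thread's own config.
! Assumed: inside interface 192.168.1.1, spare public address x.x.x.116,
! hypothetical inside host 192.168.1.100 for the static mapping.
ip address outside x.x.x.117 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0

! BEFORE (as posted): the PAT address is the upstream router's own IP,
! so return traffic for translated sessions lands on the router, not the PIX.
! global (outside) 1 x.x.x.118 netmask 255.255.255.248

! AFTER, option A (post #5): PAT on the outside interface address itself.
global (outside) 1 interface

! AFTER, option B (post #3/#6): PAT on a spare address inside the /29.
! Use one or the other for NAT id 1, not both.
! global (outside) 1 x.x.x.116 netmask 255.255.255.248

! Limit the NAT rule to the private range (post #3) rather than 0.0.0.0 0.0.0.0.
nat (inside) 1 192.168.1.0 255.255.255.0 0 0

! Default route still points at the router; it is a next hop, not a PAT address.
route outside 0.0.0.0 0.0.0.0 x.x.x.118 1

! Outbound policy from the original post, unchanged.
access-list acl_outbound permit tcp 192.168.1.0 255.255.255.0 any
access-group acl_outbound in interface inside

! Post #10: a host that must keep its own public address gets a static,
! not a PAT entry. x.x.x.114 -> assumed host 192.168.1.100.
static (inside,outside) x.x.x.114 192.168.1.100 netmask 255.255.255.255 0 0
! Inbound reachability to a static still needs an explicit permit on outside;
! the exact ports depend on the device, so none are assumed here.

! Verification: PIX 6.x keeps existing translations until they are cleared,
! so old entries using x.x.x.118 must be dropped after the change.
! clear xlate
! show xlate
```

The two `global` forms are alternatives for the same NAT id; a practitioner picks option A when no spare public address exists and option B when the PAT address should be distinct from the management address of the outside interface. Running `show xlate` after `clear xlate` confirms that new sessions from 192.168.1.0/24 are being translated to the intended address rather than to x.x.x.118.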