Pix Problems, need some guidance

rakem Member Posts: 800
I'm setting up a PIX 506 firewall; I haven't done much firewall stuff so I need a little help.

Currently I have my workstation directly connected to the PIX. I can ping the inside interface fine.

The PIX is then directly connected to a Cisco router, which is connected to another Cisco router, which then connects to the internet; the routers have full connectivity. From the PIX I can ping all router interfaces, all remote sites, basically everything. However, when I try to connect to the internet from my computer it fails, and I can't ping any further than the PIX's inside interface from my machine.

Here is the PIX config:
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname bevpix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list test permit tcp any any
access-list test permit ip any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.1.19.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
access-group test in interface outside
access-group test in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:34c42b53ef981c999bf9bb4db93dad43

One thing that I don't understand: do I need to configure NAT at all? We have NAT configured on the router.

I'm sure there are some configurations that I'm missing, but I just need some guidance.... thanks!
CCIE# 38186
showroute.net

Comments

  • Ahriakin Member Posts: 1,799
    Configure NAT from the inside out.

    eg.

    nat (inside) 1 10.1.19.0 255.255.255.0
    global (outside) 1 interface

    This sets up PAT using the PIX's outside IP. A PIX won't route traffic so much as translate it between interfaces.


    Also, what's the default gateway on your PC?
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
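The reply above gives the two lines that the posted config is missing: a nat statement naming the inside network and a global statement on the outside interface with the same id. As an added example (not code from the thread or from Cisco), the script below audits a PIX 6.x style running-config for exactly the gaps visible in the original post: no nat statement for the highest-security interface, nat/global ids that do not pair up, and a permit-ip-any-any access-list bound inbound on the lowest-security interface (the posted config applies `access-list test` to the outside interface as well as the inside). `audit_pix_config`, `ORIGINAL_CONFIG` and `FIXED_CONFIG` are names chosen here; the "fixed" variant is an assumed hardened version built by adding the reply's nat/global pair and dropping the outside-facing access-group, not the poster's final config, which the thread never shows.

```python
import re

# Constructed sample: the translation- and access-control-related lines from
# the config posted in the thread (wrapped lines joined).
ORIGINAL_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list test permit tcp any any
access-list test permit ip any any
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.1.19.1 255.255.255.0
access-group test in interface outside
access-group test in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
"""

# Assumed hardened variant: the nat/global pair from the reply added, and the
# permit-everything ACL no longer bound inbound on the outside interface.
FIXED_CONFIG = (
    ORIGINAL_CONFIG.replace("access-group test in interface outside\n", "")
    + "nat (inside) 1 10.1.19.0 255.255.255.0\n"
    + "global (outside) 1 interface\n"
)

NAMEIF_RE = re.compile(r"^\s*nameif\s+\S+\s+(\S+)\s+security(\d+)", re.I)
NAT_RE = re.compile(r"^\s*nat\s+\((\S+)\)\s+(\d+)\b", re.I)
GLOBAL_RE = re.compile(r"^\s*global\s+\((\S+)\)\s+(\d+)\b", re.I)
PERMIT_ALL_RE = re.compile(r"^\s*access-list\s+(\S+)\s+permit\s+ip\s+any\s+any\s*$", re.I)
GROUP_RE = re.compile(r"^\s*access-group\s+(\S+)\s+in\s+interface\s+(\S+)", re.I)


def audit_pix_config(text):
    """Return a list of findings (strings) for a PIX 6.x style config.

    Checks: the highest-security interface has a nat statement, every nat id
    (other than nat 0) has a matching global and vice versa, and no
    permit-ip-any-any ACL is applied inbound on the lowest-security interface.
    """
    levels = {}        # interface name -> security level
    nat_ids = {}       # nat id -> set of interfaces it covers
    global_ids = {}    # global id -> set of interfaces it is defined on
    permit_all_acls = set()
    bindings = []      # (acl name, interface) for "access-group ... in"
    for line in text.splitlines():
        if m := NAMEIF_RE.match(line):
            levels[m.group(1)] = int(m.group(2))
        elif m := NAT_RE.match(line):
            nat_ids.setdefault(m.group(2), set()).add(m.group(1))
        elif m := GLOBAL_RE.match(line):
            global_ids.setdefault(m.group(2), set()).add(m.group(1))
        elif m := PERMIT_ALL_RE.match(line):
            permit_all_acls.add(m.group(1))
        elif m := GROUP_RE.match(line):
            bindings.append((m.group(1), m.group(2)))

    if not levels:
        return ["no nameif statements found; cannot audit"]
    lowest = min(levels, key=levels.get)
    highest = max(levels, key=levels.get)

    findings = []
    covered = {iface for ifaces in nat_ids.values() for iface in ifaces}
    if highest not in covered:
        findings.append(
            f"no nat statement for {highest}: hosts behind it have no "
            f"translation towards {lowest}, so their outbound traffic is dropped"
        )
    # nat 0 is the identity/exempt rule and needs no global pool.
    for nat_id in nat_ids:
        if nat_id != "0" and nat_id not in global_ids:
            findings.append(f"nat id {nat_id} has no matching global statement")
    for global_id in global_ids:
        if global_id not in nat_ids:
            findings.append(f"global id {global_id} has no matching nat statement")

    for acl, iface in bindings:
        if acl in permit_all_acls and iface == lowest:
            findings.append(
                f"access-list {acl} permits ip any any and is applied inbound on "
                f"{iface} (security{levels[iface]}); remove it or restrict it"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"[{label}]")
        for finding in audit_pix_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Run against the posted config it reports the missing inside nat and the outside-bound permit-everything ACL; against the hardened variant it reports nothing. With only the inside access-group left, return traffic for connections started from 10.1.19.0/24 is allowed by the PIX's stateful connection table, so nothing needs to be opened inbound on the outside interface for ordinary client access.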
  • sprkymrk Member Posts: 4,884
    I'm not sure about the 506, but I've had some PIX firewalls that won't work well with private IPs on the external (outside) interface.

    If your outside interface is using private (192.168, 10.0 or 172.16-31) try taking the 2 routers out of the picture and let your PIX use the public IP from the ISP on its outside interface and see if it works.
    All things are possible, only believe.
  • forbesl Member Posts: 454
    Here's everything you need to know about setting up your PIX with OS 6.0...

    Cisco PIX Firewall Configuration Guide, Version 6.0
  • rakem Member Posts: 800
    Thanks for all that guys, it's working now.
    CCIE# 38186
    showroute.net
  • sprkymrk Member Posts: 4,884
    What was the answer, or what did you do to fix it?
    All things are possible, only believe.
  • forbesl Member Posts: 454
    sprkymrk wrote:
    I'm not sure about the 506, but I've had some PIX firewalls that won't work well with private IPs on the external (outside) interface.

    PIX does not differentiate between what is a "private" IP and what is a "public" IP....it doesn't care. It's all in the configuration. If it ain't working, it's configured wrong.
  • garv221 Member Posts: 1,914
    I agree, a PIX does exactly what it's told. It may take a few trial runs and PIX versions to get it right though.