Configure a pix 501 for the first time

  • Configure a pix 501 for the first time

    Hi, I have configured a PIX 501 for the first time but I cannot access the internet.
    I will try to give you as much info as I can.


    I have cable internet access with IP address 24.201.x.x 255.255.255.0
    My internal network is 192.168.1.0/255.255.255.0
    My PIX internal interface is 192.168.1.3
    I have one Dell PowerConnect 2708 with IP address 192.168.1.2 with default gw 192.168.1.3

    So my cable access goes to port 0 of the PIX.
    In port 1 of the PIX I have one cable that goes into port 1 of the Dell switch.
    In port 2 of the switch I have one cable that goes into my PC.
    My PC is 192.168.1.100/255.255.255.0 with default gw 192.168.1.2. I use the DNS of my internet provider (Videotron).
    I've made only one rule in my PIX to allow the network 192.168.0.1/255.255.255.0 to access the internet.
    The problem is that I cannot access any webpage or ping anything.
    I am attaching the config of the PIX.
    Thanks for helping me.
    Jac

    : Saved
    : Written by enable_15 at 23:56:55.776 UTC Thu Jan 22 2009
    PIX Version 6.3(5)
    interface ethernet0 10full
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname jacpix
    domain-name test
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq www
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 24.201.x.x 255.255.255.0
    ip address inside 192.168.1.3 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.1.100 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 24.201.8.206 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.1.100 255.255.255.255 inside
    http 192.168.1.101 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 192.168.1.100 255.255.255.255 inside
    telnet timeout 60
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.4-192.168.1.35 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:20662a7aaef6affe7635dcc2956c6a99

  • #2
    Re: Configure a pix 501 for the first time

    Depending on your setup you should probably have your PCs default gateway as the PIX as well?

    Your outbound access-list is only allowing traffic with a destination of www therefore it doesn't allow DNS etc.
    Code:
    access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq www
    I would remove that access-list and see if things work. The PIX is stateful so will allow the responses back. You can lock down your outbound traffic once you confirm you have internet access working.
    cheers
    Andy

    Quis custodiet ipsos custodes?
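
The first-match behaviour described in post #2, as an added example that is not part of the original thread: a minimal evaluator for the thread's `inside_access_in` entry, showing why HTTP passes while DNS and ping fall through to the implicit deny. It models only the outbound ACL decision on the inside interface; the destination addresses are constructed documentation-range values, and the parser handles only the `permit|deny proto src dst [eq port]` form seen on this page.

```python
import ipaddress
import re

# Port names PIX 6.3 prints in place of numbers (subset, enough for this page).
PORT_NAMES = {"www": 80, "domain": 53, "https": 443}
ACL_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|\S+\s+\S+)\s+(?P<dst>any|\S+\s+\S+)(?:\s+eq\s+(?P<port>\S+))?\s*$")

def _net(spec):
    """Turn 'any', 'host ADDR' or 'ADDR MASK' into an ip_network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    a, b = spec.split()
    return ipaddress.ip_network(f"{b}/32" if a == "host" else f"{a}/{b}")

def parse_acl(config, name):
    """Collect the entries of one named access-list, in configuration order."""
    rules = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m["name"] == name:
            port = m["port"]
            if port is not None:
                port = PORT_NAMES.get(port) or int(port)
            rules.append((m["action"], m["proto"], _net(m["src"]), _net(m["dst"]), port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """First matching entry wins; a bound ACL with no match ends in an implicit deny."""
    if not rules:
        # No ACL on the inside interface: PIX lets security100 -> security0 out by default.
        return "permit"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto in ("ip", proto) and s in r_src and d in r_dst and r_port in (None, dport):
            return action
    return "implicit deny"

# The single entry from the thread's configuration.
PAGE_ACL = "access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq www"
# Constructed flows from the poster's PC; destinations are documentation addresses.
FLOWS = {"http": ("tcp", "198.51.100.10", 80), "dns": ("udp", "192.0.2.53", 53),
         "ping": ("icmp", "198.51.100.10", None)}

def check_flows(acl_text=PAGE_ACL, pc="192.168.1.100"):
    rules = parse_acl(acl_text, "inside_access_in")
    return {n: evaluate(rules, p, pc, dst, port) for n, (p, dst, port) in FLOWS.items()}

if __name__ == "__main__":
    print(check_flows())
```

Calling `check_flows("")` models the state after the access-list is removed, where all three flows are allowed out.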



    • #3
      Re: Configure a pix 501 for the first time

      I removed the line

      access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq www

      And set the gw on my PC to 192.168.1.3

      But I still cannot ping anything outside



      • #4
        Re: Configure a pix 501 for the first time

        Firstly confirm you can log onto the PIX and ping a public IP address and your internal server and client machines. Can you confirm that works ok please?

        To get internet access the easiest way is nat/global which you have here:

        Code:
        nat (inside) 1 0.0.0.0 0.0.0.0 0 0
        global (outside) 1 interface
        I note your dhcp daemon isn't giving out DNS servers as well?
        cheers
        Andy

        Quis custodiet ipsos custodes?



        • #5
          Re: Configure a pix 501 for the first time

          OK, to make it easier, I removed my Dell switch and I added my 2 DNS to the DHCP server in the PIX.

          I connected my PC directly to the PIX and obtained IP address 192.168.1.5 with gw 192.168.1.3 and the 2 DNS.

          I can ping the PIX but the PIX can't ping me (I checked whether Windows Firewall was turned on and I confirm that the Windows Firewall service is turned off)

          What's next?

          Thanks for your help



          • #6
            Re: Configure a pix 501 for the first time

            Can the pix ping externally?
            There must be something else stopping the PIX from being able to ping your machine but if you can ping it then it should probably be ok as we have a connection. Rather than using ping can you just try browsing the internet?

            How many public IP addresses do you have? You have set /24 for your subnet mask?
            cheers
            Andy

            Quis custodiet ipsos custodes?



            • #7
              Re: Configure a pix 501 for the first time

              OK, everything is OK now

              I had to power off the cable modem and PIX

              Powered on the cable modem and PIX and now I can access the internet

              Thanks for your help



              • #8
                Re: Configure a pix 501 for the first time

                It's always the simple things!
                Glad it is working now.
                cheers
                Andy

                Quis custodiet ipsos custodes?



                • #9
                  Re: Configure a pix 501 for the first time

                  I want to configure RDP and torrent access to my PC

                  RDP works great and here is how I did it

                  RDP session
                  access-list outside_access_in permit tcp any interface outside eq 3389
                  static (inside,outside) tcp interface 3389 JAC-PC 3389 netmask 255.255.255.255 0 0


                  torrent session

                  static (inside,outside) tcp interface 6881 JAC-PC 6881 netmask 255.255.255.255 0 0
                  access-list outside_access_in permit tcp any interface outside eq 6881


                  access-group outside_access_in in interface outside


                  I can RDP to my PC but when I open uTorrent, the port seems to be closed

                  If I telnet to my outside IP address on port 6881 I don't have access


                  Any help?

                  Thanks



                  • #10
                    Re: Configure a pix 501 for the first time

                    That looks correct to me.
                    It seems more likely that utorrent isn't listening when you test it.
                    Can the PIX now ping your client machine? If still not then it may still have something on it that is blocking connections.
                    cheers
                    Andy

                    Quis custodiet ipsos custodes?
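
The pairing that post #10 confirms by eye, as an added example that is not part of the original thread: each `static` port redirection needs a matching `permit` in the access-list bound to the outside interface. The function covers only the `interface` PAT form used in post #9 and reports each forwarded port with the source scope it is open to, which also serves as an inventory of what the firewall exposes.

```python
import re

STATIC_RE = re.compile(
    r"static \(inside,outside\) (tcp|udp) interface (\S+) (\S+) (\S+)")
PERMIT_RE = re.compile(
    r"access-list (\S+) permit (tcp|udp) (any|host \S+|\S+ \S+) interface outside eq (\S+)")
GROUP_RE = re.compile(r"access-group (\S+) in interface outside")

def audit_forwards(config):
    """Return (proto, port, inside target, status) per redirection or unmatched permit."""
    statics, permits, bound = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            proto, ext_port, host, int_port = m.groups()
            statics[(proto, ext_port)] = f"{host}:{int_port}"
        elif m := PERMIT_RE.match(line):
            acl, proto, src, port = m.groups()
            permits.setdefault(acl, {})[(proto, port)] = src
        elif m := GROUP_RE.match(line):
            bound = m.group(1)
    # Only the ACL named by access-group filters traffic arriving on outside.
    live = permits.get(bound, {})
    rows = []
    for key, target in statics.items():
        src = live.get(key)
        if src is None:
            status = "blocked: no permit in the ACL bound to outside"
        else:
            status = "open to any source" if src == "any" else f"open to {src}"
        rows.append((*key, target, status))
    for key in sorted(live.keys() - statics.keys()):
        rows.append((*key, None, "permit without a static: nothing to forward to"))
    return rows

# Port-forward lines as posted in #9 (JAC-PC is a name defined on the poster's PIX).
POSTED = """
access-list outside_access_in permit tcp any interface outside eq 3389
static (inside,outside) tcp interface 3389 JAC-PC 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6881 JAC-PC 6881 netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any interface outside eq 6881
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    for row in audit_forwards(POSTED):
        print(row)
```

For the posted lines both 3389 and 6881 come back as open to any source, so the firewall side is consistent for both ports.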



                    • #11
                      Re: Configure a pix 501 for the first time

                      Yes, my PIX can ping my PC

                      Before, when I was using uTorrent with my Linksys WiFi router, everything was working just fine... with the PIX it doesn't work



                      • #12
                        Re: Configure a pix 501 for the first time

                        If you run a wireshark do you see the packets on the PC side of the PIX?
                        If you load up the PDM you can also watch the logs to see if there are drops.
                        cheers
                        Andy

                        Quis custodiet ipsos custodes?
