
PIX Problem on Home LAN


  • PIX Problem on Home LAN

    LAN--->PIX--->Cisco Router--->Router(Linksys)---->Internet

    I'm having a problem with the PIX since I added it to my network: my host
    computers can't access the Internet any more.

    Could someone assist me with configuring my PIX?

    Below is my configuration:

    [Reviewer note on the configs that follow: the router's `enable password 7`, `username ... password 7` and console/VTY `password 7` strings are only type-7 obfuscated (`service password-encryption` is reversible, not a hash), so once posted they should be treated as disclosed and rotated; `enable secret 5` is the hashed credential that actually governs enable and takes precedence, so the weaker `enable password` line can simply be removed. The router also exposes SNMP read-write access under a default community (`snmp-server community public RW`, later `private RW`) and accepts only cleartext `transport input telnet` on its VTYs, and the PIX uses one and the same string for `enable password` and `passwd`. None of this causes the outage, but fix it before the PIX fronts the LAN.]


    PIX Version 6.3(5)
    interface ethernet0 100full
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password pGpYPZJxUjuCnyxs encrypted
    passwd pGpYPZJxUjuCnyxs encrypted
    hostname pixfirewall
    domain-name study.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.5.219 255.255.255.0
    ip address inside 192.168.1.3 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 1 192.168.1.2-192.168.1.255
    global (outside) 1 interface
    global (outside) 1 192.168.4.220
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 192.168.4.222 2
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.1.105 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    banner exec bannner exec
    banner exec bannner exec Unauthorized Access Will Be Terminated By Unforeseen Ev
    en
    Cryptochecksum:12031d4da329a23ec69586f65d678d82
    : end
    pixfirewall#
    !
    !
    !
    !
    !
    !
    !
    studyrouter#sh runn
    Current configuration : 3101 bytes
    !
    ! Last configuration change at 10:40:57 MST Mon Mar 1 1993
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname studyrouter
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$qPFa$Oj.SOSZq11B0V.ccD...p/
    enable password 7 1414130900012E2A332F
    !
    clock timezone MST 0
    no aaa new-model
    ip subnet-zero
    ip cef
    !
    ip domain name tsignal.com
    !
    ip dhcp pool vlan2
    network 192.168.2.0 255.255.255.0
    dns-server 68.105.XX.XX
    default-router 192.168.2.2
    !
    ip dhcp pool MYPOOL
    network 192.168.1.0 255.255.255.0
    dns-server 68.105.XX.XX
    default-router 192.168.1.1
    !
    ip audit po max-events 100
    !
    !
    username tsignal32 privilege 15 password 7 15110A0E082F2F253F34
    !
    !
    interface FastEthernet0/0
    ip address 192.168.4.223 255.255.255.0
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    ip address 192.168.5.218 255.255.255.0
    duplex auto
    speed auto
    !
    interface FastEthernet0/1.2
    encapsulation dot1Q 2
    ip address 192.168.2.2 255.255.255.0
    no snmp trap link-status
    ip http server
    ip http secure-server
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.4.222 (Linksys Router)
    !
    !
    !
    snmp-server community public RW
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

    snmp-server enable traps tty
    snmp-server enable traps xgcp
    snmp-server enable traps isdn call-information
    snmp-server enable traps isdn layer2
    snmp-server enable traps isdn chan-not-avail
    snmp-server enable traps isdn ietf
    snmp-server enable traps hsrp
    snmp-server enable traps config
    snmp-server enable traps entity
    snmp-server enable traps config-copy
    snmp-server enable traps envmon
    snmp-server enable traps bgp
    snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-messa
    ge
    snmp-server enable traps ipmulticast
    snmp-server enable traps msdp
    snmp-server enable traps rsvp
    snmp-server enable traps frame-relay
    snmp-server enable traps frame-relay subif
    snmp-server enable traps rtr
    snmp-server enable traps syslog
    snmp-server enable traps stun
    snmp-server enable traps dlsw
    snmp-server enable traps bstun
    snmp-server enable traps dial
    snmp-server enable traps dsp card-status
    snmp-server enable traps atm subif
    snmp-server enable traps pppoe
    snmp-server enable traps ipmobile
    snmp-server enable traps isakmp policy add
    snmp-server enable traps isakmp policy delete
    snmp-server enable traps isakmp tunnel start
    snmp-server enable traps isakmp tunnel stop
    snmp-server enable traps ipsec cryptomap add
    snmp-server enable traps ipsec cryptomap delete
    snmp-server enable traps ipsec cryptomap attach
    snmp-server enable traps ipsec cryptomap detach
    snmp-server enable traps ipsec tunnel start
    snmp-server enable traps ipsec tunnel stop
    snmp-server enable traps ipsec too-many-sas
    snmp-server enable traps voice poor-qov
    snmp-server enable traps dnis
    snmp-server host 192.168.1.1 version 2c public
    !
    !

    line con 0
    password 7 06050E23404B0D181210
    line aux 0
    line vty 0 4
    password 7 104D081B0912160A1B03
    login local
    transport input telnet
    !
    ntp master
    ntp server 192.168.1.1
    !
    end

    studyrouter#

  • #2
    Re: PIX Problem on Home LAN

    Hi,

    If you have a Windows Server 2003 box (its DNS uses EDNS0, which produces replies longer than 512 bytes) then I would change
    "fixup protocol dns maximum-length 512"
    to
    "no fixup protocol dns"
    to disable it (or change 2003 to not use eDNS).
    [Reviewer note: `no fixup protocol dns` switches off the PIX's DNS inspection entirely, not just the length check; raising `maximum-length` to a value that accommodates EDNS replies keeps the inspection and is the smaller change.]

    You can remove these two `global` lines, as you already have `global (outside) 1 interface` (PAT on the outside address). They are also wrong on their own: 192.168.4.220 is not on the outside subnet (192.168.5.0/24), and the second pool is your *inside* subnet, which must never be used as an outside NAT pool:
    global (outside) 1 192.168.4.220
    global (outside) 1 192.168.1.2-192.168.1.255

    You also have this:
    ip address outside 192.168.5.219 255.255.255.0
    together with this:
    route outside 0.0.0.0 0.0.0.0 192.168.4.222 2
    192.168.4.222 is the Linksys, which is not on the PIX's outside subnet (192.168.5.0/24) and so can never be its next hop. Change the route to
    route outside 0 0 IPAddressOfCiscoRouter
    i.e. the Cisco router's fa0/1 address, because that is the next hop.

    For troubleshooting you should always make sure each device can ping its next hop in this situation.

    Can you give that a go and let us know?
    Last edited by AndyJG247; 7th April 2008, 10:37.
    cheers
    Andy




    • #3
      Re: PIX Problem on Home LAN

      Andy,

      Thanks for the response. I do not have a Server 2003 connected to my LAN. I made the changes, but I still can not access the Internet.

      One of the main things I notice is that my PIX ethernet0 line protocol is down, and my Cisco router's fa0/1 line protocol is down. Neither has a link light on.

      I thought the cable from the PIX ethernet0 to the router's fa0/1 probably needed to be a crossover cable, so I tried that, with no luck.

      Below is my updated configuration for the PIX and Router:


      pixfirewall# sh int ethernet0
      interface ethernet0 "outside" is up, line protocol is down
      Hardware is i82559 ethernet, address is 000b.5fa1.ac13
      IP address 192.168.5.219, subnet mask 255.255.255.0
      MTU 1500 bytes, BW 100000 Kbit full duplex
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0

      ignored, 0 abort
      1 packets output, 60 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      input queue (curr/max blocks): hardware (128/12

      software (0/0)
      output queue (curr/max blocks): hardware (0/1)

      software (0/1)
      pixfirewall#
      !
      !
      !
      pixfirewall# sh runn
      PIX Version 6.3(5)
      interface ethernet0 100full
      interface ethernet1 100full
      nameif ethernet0 outside security0
      nameif ethernet1 inside security100
      enable password pGpYPZJxUjuCnyxs encrypted
      passwd pGpYPZJxUjuCnyxs encrypted
      hostname pixfirewall
      domain-name study.com
      fixup protocol dns maximum-length 512
      fixup protocol ftp 21
      fixup protocol h323 h225 1720
      fixup protocol h323 ras 1718-1719
      fixup protocol http 80
      fixup protocol rsh 514
      fixup protocol rtsp 554
      fixup protocol sip 5060
      fixup protocol sip udp 5060
      fixup protocol skinny 2000
      fixup protocol smtp 25
      fixup protocol sqlnet 1521
      fixup protocol tftp 69
      names
      pager lines 24
      logging on
      logging buffered debugging
      mtu outside 1500
      mtu inside 1500
      ip address outside 192.168.5.219 255.255.255.0
      ip address inside 192.168.1.3 255.255.255.0
      ip audit info action alarm
      ip audit attack action alarm
      pdm history enable
      arp timeout 14400
      global (outside) 1 interface
      route outside 0.0.0.0 0.0.0.0 192.168.5.218 1
      timeout xlate 3:00:00
      timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc

      0:10:00 h225 1:00:00
      timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media

      0:02:00
      timeout sip-disconnect 0:02:00 sip-invite 0:03:00
      timeout uauth 0:05:00 absolute
      aaa-server TACACS+ protocol tacacs+
      aaa-server TACACS+ max-failed-attempts 3
      aaa-server TACACS+ deadtime 10
      aaa-server RADIUS protocol radius
      aaa-server RADIUS max-failed-attempts 3
      aaa-server RADIUS deadtime 10
      aaa-server LOCAL protocol local
      http server enable
      no snmp-server location
      no snmp-server contact
      snmp-server community public
      no snmp-server enable traps
      floodguard enable
      telnet 192.168.1.105 255.255.255.255 inside
      telnet timeout 15
      ssh timeout 5
      console timeout 0
      terminal width 80
      banner exec bannner exec
      banner exec bannner exec Unauthorized Access Will Be

      Terminated By Unforeseen Ev
      en
      Cryptochecksum:e3f1fa8b7aa60e65abe9db8c0a7d1dbb
      : end
      pixfirewall#
      !
      !
      !
      studyrouter#sh int fa0/1
      FastEthernet0/1 is up, line protocol is down
      Hardware is AmdFE, address is 0002.fda3.e121 (bia

      0002.fda3.e121)
      Internet address is 192.168.1.1/24
      MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
      reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation 802.1Q Virtual LAN, Vlan ID 1., loopback

      not set
      Keepalive set (10 sec)
      Full-duplex, 100Mb/s, 100BaseTX/FX
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output 00:00:02, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total

      output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 1000 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
      1100 packets input, 280469 bytes
      Received 251 broadcasts, 0 runts, 0 giants, 0 throttles
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
      0 watchdog
      0 input packets with dribble condition detected
      973 packets output, 421507 bytes, 0 underruns
      !
      !
      !
      studyrouter#sh runn
      Current configuration : 3121 bytes
      !
      ! No configuration change since last restart
      !
      version 12.3
      service timestamps debug datetime msec
      service timestamps log datetime msec
      service password-encryption
      !
      hostname studyrouter
      !
      boot-start-marker
      boot-end-marker
      !
      logging buffered 4096 debugging
      enable secret 5 $1$qPFa$Oj.SOSZq11B0V.ccD...p/
      enable password 7 1414130900012E2A332F
      !
      clock timezone MST 0
      no aaa new-model
      ip subnet-zero
      ip cef

      ip domain name tsignal.com
      !
      ip dhcp pool vlan2
      network 192.168.2.0 255.255.255.0
      dns-server 68.105.28.12
      default-router 192.168.2.2
      !
      ip dhcp pool MYPOOL
      network 192.168.1.0 255.255.255.0
      dns-server 68.105.28.12
      default-router 192.168.1.1
      !
      ip audit po max-events 100
      !
      !
      username tsignal32 privilege 15 password 7

      15110A0E082F2F253F34
      !
      !

      interface FastEthernet0/0
      ip address 192.168.4.223 255.255.255.0
      duplex auto
      speed auto
      !
      interface FastEthernet0/1
      ip address 192.168.5.218 255.255.255.0
      duplex auto
      speed auto
      !
      interface FastEthernet0/1.2
      encapsulation dot1Q 2
      ip address 192.168.2.2 255.255.255.0
      no snmp trap link-status
      !
      ip http server
      ip http secure-server
      ip classless
      ip route 0.0.0.0 0.0.0.0 192.168.4.222
      !
      !
      !
      snmp-server community private RW
      snmp-server enable traps snmp authentication linkdown linkup

      coldstart warmstart

      snmp-server enable traps tty
      snmp-server enable traps xgcp
      snmp-server enable traps isdn call-information
      snmp-server enable traps isdn layer2
      snmp-server enable traps isdn chan-not-avail
      snmp-server enable traps isdn ietf
      snmp-server enable traps hsrp
      snmp-server enable traps config
      snmp-server enable traps entity
      snmp-server enable traps config-copy
      snmp-server enable traps envmon
      snmp-server enable traps bgp
      snmp-server enable traps pim neighbor-change

      rp-mapping-change invalid-pim-messa
      ge
      ge
      snmp-server enable traps ipmulticast
      snmp-server enable traps msdp
      snmp-server enable traps rsvp
      snmp-server enable traps frame-relay
      snmp-server enable traps frame-relay subif
      snmp-server enable traps rtr
      snmp-server enable traps syslog
      snmp-server enable traps stun
      snmp-server enable traps dlsw
      snmp-server enable traps bstun
      snmp-server enable traps dial
      snmp-server enable traps dsp card-status
      snmp-server enable traps atm subif
      snmp-server enable traps pppoe
      snmp-server enable traps ipmobile
      snmp-server enable traps isakmp policy add
      snmp-server enable traps isakmp policy delete
      snmp-server enable traps isakmp tunnel start
      snmp-server enable traps isakmp tunnel stop
      snmp-server enable traps ipsec cryptomap add
      snmp-server enable traps ipsec cryptomap delete
      snmp-server enable traps ipsec cryptomap attach
      snmp-server enable traps ipsec cryptomap detach
      snmp-server enable traps ipsec tunnel start
      snmp-server enable traps ipsec tunnel stop
      snmp-server enable traps ipsec too-many-sas
      snmp-server enable traps voice poor-qov
      snmp-server enable traps dnis
      snmp-server host 192.168.1.1 version 2c private
      !
      !
      !
      line con 0
      password 7 06050E23404B0D181210
      line aux 0
      line vty 0 4
      password 7 104D081B0912160A1B03
      login local
      transport input telnet
      !
      ntp master
      ntp server 192.168.1.1
      !
      end

      studyrouter#



      • #4
        Re: PIX Problem on Home LAN

        BW 100000 Kbit full duplex

        Your PIX external interface is hard-coded to 100 full (`interface ethernet0 100full`).
        Has your router been set to the same? The router config you posted shows `duplex auto` / `speed auto` on fa0/1, and a forced setting on one end against auto-negotiation on the other is a common cause of a link that will not come up or ends up half duplex — set both ends the same.
        Also, I assume your router interface isn't shutdown?
        cheers
        Andy




        • #5
          Re: PIX Problem on Home LAN

          Andy,

          My router is set to 100 full, and it isn't shutdown.

          See int fa0/1 stat below:


          studyrouter#sh int fa0/1
          FastEthernet0/1 is up, line protocol is down
          Hardware is AmdFE, address is 0002.fda3.e121 (bia 0002.fda3.e121)
          Internet address is 192.168.5.218/24
          MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
          reliability 255/255, txload 1/255, rxload 1/255
          Encapsulation 802.1Q Virtual LAN, Vlan ID 1., loopback not set
          Keepalive set (10 sec)
          Full-duplex, 100Mb/s, 100BaseTX/FX
          ARP type: ARPA, ARP Timeout 04:00:00
          Last input 00:00:00, output 00:00:00, output hang never
          Last clearing of "show interface" counters never
          Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
          Queueing strategy: fifo
          Output queue: 0/40 (size/max)
          5 minute input rate 0 bits/sec, 0 packets/sec
          5 minute output rate 0 bits/sec, 0 packets/sec
          45771 packets input, 18682950 bytes
          Received 7642 broadcasts, 0 runts, 0 giants, 0 throttles
          0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
          0 watchdog
          0 input packets with dribble condition detected
          35430 packets output, 16766512 bytes, 0 underruns
          0 output errors, 0 collisions, 1 interface resets


          What if I add the following to the PIX:

          nat (inside) 0 192.168.5.219 255.255.255.0

          Would this possibly work?
          [Reviewer note: no — `nat (inside) 0` is identity NAT (no translation at all), and 192.168.5.219 is the PIX's own outside address, not the inside network. The inside hosts are 192.168.1.0/24, so the statement you want is the translating one, `nat (inside) 1 192.168.1.0 255.255.255.0`, paired with the existing `global (outside) 1 interface`.]
          Last edited by tsignal32; 8th April 2008, 16:03.



          • #6
            Re: PIX Problem on Home LAN

            And here is your problem:
            line protocol is down — that is a layer-1/2 issue (cable, speed/duplex, or the port itself), so no IP, route or NAT change on the PIX will help until the link comes up.
            Marcel



            • #7
              Re: PIX Problem on Home LAN

              Internet address is 192.168.1.1/24

              IP address 192.168.5.219, subnet mask 255.255.255.0


              Unless I am reading it wrong, your PIX is on a different subnet to the router: the router's fa0/1 shows 192.168.1.1/24 while the PIX outside is 192.168.5.219/24. The router should be set to 192.168.5.218 according to your route statement.


              In regards to the NAT statement
              nat (inside) 1 0.0.0.0 0.0.0.0 0 0
              The above already exists so, if anything, you should change it to
              nat (inside) 1 192.168.1.0 255.255.255.0
              because this is your internal range.
              cheers
              Andy




              • #8
                Re: PIX Problem on Home LAN

                Andy,

                Sorry for the confusion. I removed the PIX from my LAN and reconfigured the router back to its original configuration.

                I just logged into my router from work and pasted the original config; I forgot to change the router's fa0/1 to 192.168.4.218 before I posted the reply.
                [Reviewer note: the router's VTYs are configured with `transport input telnet` and no SSH, so logging in from work means the login (`login local` with a type-7 password) and the whole session crossed the Internet in cleartext. Generate an RSA key, switch the VTYs to `transport input ssh`, and restrict them with an `access-class` before managing the router remotely again.]

                tsignal32



                • #9
                  Re: PIX Problem on Home LAN

                  Cisco 2912 Switch--->PIX--->Cisco Router--->Router(Linksys)---->Internet

                  I'm a step closer to getting my PIX working on my network. I had to use crossover cables to connect the router and the PIX.

                  I can ping all the way through to my Linksys router successfully, but my hosts still can not access the Internet.

                  The PIX is connected to my Cisco switch from PIX interface 1 to port fa0/2, which is configured as a trunk. I'm not sure if I have the

                  correct default-gateway set up on the switch. I used the PIX's inside IP address, 192.168.1.3.
                  [Reviewer note: the PIX config posted below has no VLAN subinterfaces on ethernet1, so it only sends and accepts untagged frames; on a dot1q trunk those ride the native VLAN (VLAN 1 by default), which happens to work here but is fragile — make fa0/2 an access port in VLAN 1 (`switchport mode access`) instead. Also, as far as the posted configs show, the VLAN 2 hosts (fa0/3–fa0/6, fa0/11–fa0/12) are routed by the router's fa0/1.2 subinterface, which now sits on the PIX's outside side behind an interface that drops tagged frames, so they currently have no working gateway at all.]

                  I even removed the switch from the LAN and plugged my computer straight into the PIX's interface 1. Unfortunately, I'm still not able to access the Internet.

                  I even entered the TCP/IP settings on my computer manually since the DHCP server didn't assign them automatically.
                  [Reviewer note: that is expected — the DHCP pool (`MYPOOL`) lives on the router, which is now on the far side of the PIX, and DHCP broadcasts do not cross it. Worse, that pool hands out `default-router 192.168.1.1`, an address that no longer exists on the inside segment (the router's fa0/1 is now 192.168.5.218). Hosts behind the PIX need a gateway of 192.168.1.3, the PIX inside address, so either set it statically or move the DHCP scope onto the inside.]

                  Below are my configs for my Router, PIX and Switch:


                  pixfirewall# ping 192.168.4.222 (Linksys DHCP Server)
                  192.168.4.222 response received -- 0ms
                  192.168.4.222 response received -- 0ms
                  192.168.4.222 response received -- 0ms
                  pixfirewall#
                  !
                  !
                  !
                  pixfirewall# sh ru
                  PIX Version 6.3(5)
                  interface ethernet0 100full
                  interface ethernet1 100full
                  nameif ethernet0 outside security0
                  nameif ethernet1 inside security100
                  enable password pGpYPZJxUjuCnyxs encrypted
                  passwd pGpYPZJxUjuCnyxs encrypted
                  hostname pixfirewall
                  domain-name study.com
                  fixup protocol dns maximum-length 512
                  fixup protocol ftp 21
                  fixup protocol h323 h225 1720
                  fixup protocol h323 ras 1718-1719
                  fixup protocol http 80
                  fixup protocol rsh 514
                  fixup protocol rtsp 554
                  fixup protocol sip 5060
                  fixup protocol sip udp 5060
                  fixup protocol skinny 2000
                  fixup protocol smtp 25
                  fixup protocol sqlnet 1521
                  fixup protocol tftp 69
                  names
                  pager lines 24
                  logging on
                  logging monitor debugging
                  logging buffered debugging
                  mtu outside 1500
                  mtu inside 1500
                  ip address outside 192.168.5.219 255.255.255.0
                  ip address inside 192.168.1.3 255.255.255.0
                  ip audit info action alarm
                  ip audit attack action alarm
                  pdm history enable
                  arp timeout 14400
                  global (outside) 1 interface
                  route outside 0.0.0.0 0.0.0.0 192.168.5.218 1
                  timeout xlate 3:00:00
                  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
                  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
                  timeout sip-disconnect 0:02:00 sip-invite 0:03:00
                  timeout uauth 0:05:00 absolute
                  aaa-server TACACS+ protocol tacacs+
                  aaa-server TACACS+ max-failed-attempts 3
                  aaa-server TACACS+ deadtime 10
                  aaa-server RADIUS protocol radius
                  aaa-server RADIUS max-failed-attempts 3
                  aaa-server RADIUS deadtime 10
                  aaa-server LOCAL protocol local
                  http server enable
                  no snmp-server location
                  no snmp-server contact
                  snmp-server community public
                  no snmp-server enable traps
                  floodguard enable
                  telnet 192.168.1.105 255.255.255.255 inside
                  telnet timeout 15
                  ssh timeout 5
                  console timeout 0
                  terminal width 80
                  banner exec bannner exec
                  banner exec bannner exec Unauthorized Access Will Be Terminated By Unforeseen Ev
                  en
                  Cryptochecksum:7c3654de139ab7da1d25f1c83ab95273
                  : end
                  pixfirewall#
                  !
                  !
                  !
                  ------------------------------------------------------

                  studyrouter#sh runn
                  Current configuration : 3158 bytes
                  !
                  ! Last configuration change at 18:37:18 UTC Tue Apr 8 2008
                  ! NVRAM config last updated at 13:20:33 UTC Tue Apr 8 2008 by tsignal32
                  !
                  version 12.3
                  service timestamps debug datetime msec
                  service timestamps log datetime msec
                  service password-encryption
                  !
                  hostname studyrouter
                  !
                  boot-start-marker
                  boot-end-marker
                  !
                  logging buffered 4096 debugging
                  enable secret 5 $1$qPFa$Oj.SOSZq11B0V.ccD...p/
                  enable password 7 1414130900012E2A332F
                  !
                  no aaa new-model
                  ip subnet-zero
                  ip cef
                  ip domain name tsignal.com
                  !
                  ip dhcp pool vlan2
                  network 192.168.2.0 255.255.255.0
                  dns-server 68.105.28.12
                  default-router 192.168.2.2
                  !
                  ip dhcp pool MYPOOL
                  network 192.168.1.0 255.255.255.0
                  dns-server 68.105.28.12
                  default-router 192.168.1.1
                  !
                  ip audit po max-events 100
                  !
                  !
                  interface FastEthernet0/0
                  ip address 192.168.4.223 255.255.255.0
                  duplex auto
                  speed auto
                  !
                  interface FastEthernet0/1
                  ip address 192.168.5.218 255.255.255.0
                  duplex auto
                  speed auto
                  !
                  interface FastEthernet0/1.2
                  encapsulation dot1Q 2
                  ip address 192.168.2.2 255.255.255.0
                  !
                  ip http server
                  ip http secure-server
                  ip classless
                  ip route 0.0.0.0 0.0.0.0 192.168.4.222 (Linksys Router)
                  !
                  !
                  !
                  snmp-server community private RW
                  !
                  !
                  line con 0
                  password 7 06050E23404B0D181210
                  line aux 0
                  line vty 0 4
                  password 7 104D081B0912160A1B03
                  login local
                  transport input telnet
                  !
                  !
                  end

                  studyrouter#

                  ----------------------------------------
                  Switch#sh run
                  hostname Switch
                  !
                  enable secret 5 $1$ey79$qdt7DOEmrEIgfFxrxkhDC/
                  !
                  username tsignal32 privilege 15 password 7 00071204085E0F071826
                  username tsignal33 privilege 3 password 7 134F5D310A011406242A2F6261
                  !
                  !
                  !
                  !
                  clock timezone mountain 18
                  !
                  ip subnet-zero
                  !
                  !
                  !
                  interface FastEthernet0/1
                  description Trunk to Switch
                  switchport trunk encapsulation dot1q
                  switchport mode trunk
                  interface FastEthernet0/2
                  description Trunk to PIX
                  switchport trunk encapsulation dot1q
                  switchport mode trunk
                  !
                  interface FastEthernet0/3
                  description File Server
                  switchport access vlan 2
                  spanning-tree portfast
                  !
                  interface FastEthernet0/4
                  description VOIP
                  switchport access vlan 2
                  spanning-tree portfast
                  !
                  interface FastEthernet0/5
                  switchport access vlan 2
                  spanning-tree portfast
                  !
                  interface FastEthernet0/6
                  switchport access vlan 2
                  spanning-tree portfast
                  !
                  interface FastEthernet0/7
                  spanning-tree portfast
                  !
                  interface FastEthernet0/8
                  !
                  interface FastEthernet0/9
                  !
                  interface FastEthernet0/10
                  !
                  interface FastEthernet0/11
                  switchport access vlan 2
                  spanning-tree portfast
                  !
                  interface FastEthernet0/12
                  switchport access vlan 2
                  spanning-tree portfast
                  !
                  interface VLAN1
                  ip address 192.168.1.2 255.255.255.0
                  no ip directed-broadcast
                  no ip route-cache
                  !
                  interface VLAN2
                  ip address 192.168.2.4 255.255.255.0
                  no ip directed-broadcast
                  no ip route-cache
                  shutdown
                  !
                  ip default-gateway 192.168.1.3 (PIX Interface# 1)
                  banner exec ^Canner exec
                  Unauthorized Access Will Be Terminated By Unforseen Event
                  ^C
                  !
                  line con 0
                  transport input none
                  stopbits 1
                  line vty 0 4
                  password 7 1414130900012E2A332F
                  login local
                  line vty 5 15
                  password 7 00071204085E0F071826
                  login local
                  !
                  end

                  Switch#
                  Last edited by tsignal32; 9th April 2008, 04:10.



                  • #10
                    Re: PIX Problem on Home LAN

                    so currently we have

                    PC, PIX, Cisco Router, Linksys Router.

                    Not sure on some of these.
                    PC has a default gateway of the PIX, the PIX has a gateway of the Cisco router, and the Cisco router has a gateway of the Linksys.

                    I can't see your NAT statement anymore in the config you have just posted, so you need to add
                    "nat (inside) 1 192.168.1.0 255.255.255.0"
                    Without a `nat` line matching the inside hosts, the `global (outside) 1 interface` is never used: on PIX 6.3 the traffic is dropped with a "no translation group found" message rather than passed untranslated.

                    PC
                    IP?
                    |
                    192.168.1.3
                    PIX
                    192.168.5.219
                    |
                    192.168.5.218
                    Cisco Router
                    IP?
                    |
                    IP?
                    Linksys Router
                    IP?
                    | etc

                    From your PC you can ping the PIX correctly. Can you then, from the PC, ping the Cisco router, and if so, the Linksys?
                    cheers
                    Andy




                    • #11
                      Re: PIX Problem on Home LAN

                      Andy,

                      That's correct on the configurations. I'm not sure what happened to my nat (inside) statement, but I will add it when I return home. I will keep you posted on the update.

                      Thanks
                      tsignal32



                      • #12
                        Re: PIX Problem on Home LAN

                        In general (from memory) the only things the PIX needs are:

                        nameif e0 outside sec0
                        nameif e1 inside sec100
                        int e0 100full
                        int e1 100full
                        ip address outside 1.1.1.1 255.255.255.0
                        ip address inside 10.0.0.254 255.255.255.0
                        nat (inside) 1 10.0.0.0 255.255.255.0
                        global (outside) 1 interface
                        route outside 0 0 1.1.1.254 1

                        for basic access outbound.
                        This doesn't cover inbound initiated connections.
                        cheers
                        Andy

                        Please read this before you post:


                        Quis custodiet ipsos custodes?



                        • #13
                          Re: PIX Problem on Home LAN

                          Andy,

                          Thanks for the advice. I took the Cisco and Linksys routers out of the picture until I can access the Internet through the PIX. I found some other resources to help me configure my PIX. Unfortunately, I still cannot access the Internet from my PC.

                          Below is how I currently have it setup:


                          PC-------->PIX-------->Cable Modem-------->Internet

                          PC's Static TCP/IP Configuration:

                          IP Address: 192.168.1.5
                          Subnet Mask: 255.255.255.0
                          Default Gateway: 192.168.1.4

                          Preferred DNS: 68.xxx.28.12
                          Alternate DNS: 68.xxx.29.12

                          I can only ping the PIX inside interface successfully.

                          I think my problem is between the route outside and global (outside).
                          I changed the IPs between these two several times. I know I need to overload
                          my static public IP address from my COX Cable ISP, but I'm confused
                          as to where it goes in the configuration. Hypothetically, if my real
                          public IP address is 72.175.99.191, where would it fit into my configs?



                          pixfirewall# sh runn
                          !
                          !
                          PIX Version 6.3(5)
                          interface ethernet0 100full
                          interface ethernet1 100full
                          nameif ethernet0 outside security0
                          nameif ethernet1 inside security100
                          enable password pGpYPZJxUjuCnyxs encrypted
                          passwd pGpYPZJxUjuCnyxs encrypted
                          hostname pixfirewall
                          domain-name study.com
                          fixup protocol dns maximum-length 512
                          fixup protocol ftp 21
                          fixup protocol h323 h225 1720
                          fixup protocol h323 ras 1718-1719
                          fixup protocol http 80
                          fixup protocol rsh 514
                          fixup protocol rtsp 554
                          fixup protocol sip 5060
                          fixup protocol sip udp 5060
                          fixup protocol skinny 2000
                          fixup protocol smtp 25
                          fixup protocol sqlnet 1521
                          fixup protocol tftp 69
                          !
                          !
                          names
                          access-list acl_out permit icmp any any
                          access-list 100 permit tcp 192.168.1.0 255.255.255.0 any eq www
                          access-list 100 permit udp any any
                          pager lines 24
                          logging on
                          logging monitor debugging
                          logging buffered debugging
                          mtu outside 1500
                          mtu inside 1500
                          ip address outside 72.xxx.99.192 255.255.255.0
                          ip address inside 192.168.1.4 255.255.255.0
                          ip audit info action alarm
                          ip audit attack action alarm
                          pdm history enable
                          arp timeout 14400
                          global (outside) 1 72.xxx.99.193
                          nat (inside) 1 192.168.1.0 255.255.255.0 0 0
                          route outside 0.0.0.0 0.0.0.0 72.xxx.99.192 1
                          timeout xlate 3:00:00
                          timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
                          timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
                          !
                          !
                          timeout sip-disconnect 0:02:00 sip-invite 0:03:00
                          timeout uauth 0:05:00 absolute
                          aaa-server TACACS+ protocol tacacs+
                          aaa-server TACACS+ max-failed-attempts 3
                          aaa-server TACACS+ deadtime 10
                          aaa-server RADIUS protocol radius
                          aaa-server RADIUS max-failed-attempts 3
                          aaa-server RADIUS deadtime 10
                          aaa-server LOCAL protocol local
                          ntp server 132.163.4.101 source outside
                          http server enable
                          no snmp-server location
                          no snmp-server contact
                          snmp-server community public
                          no snmp-server enable traps
                          floodguard enable
                          telnet 192.168.1.105 255.255.255.255 inside
                          telnet timeout 15
                          ssh timeout 5
                          console timeout 0
                          terminal width 80
                          !
                          en
                          Cryptochecksum:cc075cadf15b9433ddd0ed47aaf5e55f
                          : end
                          pixfirewall#



                          • #14
                            Re: PIX Problem on Home LAN

                            How many public IPs have you been assigned? Usually your router's IP address would only be listed as your PIX's default gateway.
                            Some cable modems pass this IP address directly to the PIX (I think NTL in the UK does or did this) and in this situation I had to setup the PIX's external IP as DHCP and collect the IP through the cable modem.

                            You can ping from the command line in the PIX, so can you ping the router or public IP addresses?

                            The global statement can usually be left saying
                            global (outside) 1 interface
                            so it uses the IP of the outside interface (obviously depending on what you want to do)
                            cheers
                            Andy

                            Please read this before you post:


                            Quis custodiet ipsos custodes?



                            • #15
                              Re: PIX Problem on Home LAN

                              Andy,

                              I have one Static public address from my ISP.

                              I finally configured my PIX on my LAN where my PC can access the Internet.

                              The only problem I'm having is accessing the PIX via telnet on the outside interface. I can access it from my inside interface, but I cannot access it from the outside.

                              I think my problem is at the PIX outside interface. For instance, from my PC I can successfully ping each interface, starting from my router through to interface fa0/1 of my PIX. When I try to ping fa0/0 of the PIX, the ping is unreachable. However, when I ping 192.168.4.222 on my Linksys router, the ping is successful.

                              Do I need to add a static route on my PIX? For example:

                              Route inside 10.1.1.0/24 192.168.4.223

                              Below is the configuration of my LAN, along with an attached diagram of my LAN:


                              studyrouter#sh runn
                              Building configuration...

                              Current configuration : 3133 bytes
                              !
                              ! Last configuration change at 17:19:31 MST Tue Apr 15 2008
                              ! NVRAM config last updated at 16:36:11 MST Tue Apr 15 2008
                              !
                              version 12.3
                              service timestamps debug datetime msec
                              service timestamps log datetime msec
                              service password-encryption
                              !
                              hostname studyrouter
                              !
                              boot-start-marker
                              boot-end-marker
                              !
                              logging buffered 4096 debugging
                              enable secret 5 $1$qPFa$Oj.SOSZq11B0V.ccD...p/
                              enable password 7 1414130900012E2A332F
                              !
                              clock timezone MST -7
                              no aaa new-model
                              ip subnet-zero
                              ip cef
                              !
                              !
                              ip domain name tsignal.com
                              !
                              ip dhcp pool MYPOOL
                              network 10.1.2.0 255.255.255.0
                              dns-server 68.105.28.12
                              default-router 10.1.2.1
                              !
                              !
                              ip audit po max-events 100
                              !
                              !
                              username tsignal32 privilege 15 password 7 15110A0E082F2F253F34
                              !
                              !
                              interface FastEthernet0/0
                              ip address 10.1.1.2 255.255.255.0
                              duplex auto
                              speed auto
                              !
                              interface FastEthernet0/1
                              ip address 10.1.2.1 255.255.255.0
                              duplex auto
                              speed auto
                              !
                              interface FastEthernet0/1.2
                              encapsulation dot1Q 2
                              ip address 192.168.2.2 255.255.255.0
                              no snmp trap link-status
                              !
                              ip http server
                              ip http secure-server
                              ip classless
                              ip route 0.0.0.0 0.0.0.0 10.1.1.1
                              !
                              !
                              line con 0
                              password 7 06050E23404B0D181210
                              line aux 0
                              line vty 0 4
                              password 7 104D081B0912160A1B03
                              login local
                              transport input telnet
                              !
                              ntp clock-period 17180542
                              ntp server 132.163.4.101
                              !
                              end
                              !
                              studyrouter#


                              -----------------------------------------------------------------

                              Switch#sh runn
                              Building configuration...

                              Current configuration:
                              !
                              ! Last configuration change at 20:41:44 MST Tue Apr 15 2008
                              ! NVRAM config last updated at 16:43:23 MST Tue Apr 15 2008
                              !
                              version 12.0
                              no service pad
                              service timestamps debug uptime
                              service timestamps log uptime
                              service password-encryption
                              !
                              hostname Switch
                              !
                              enable secret 5 $1$ey79$qdt7DOEmrEIgfFxrxkhDC/
                              !
                              username tsignal32 privilege 15 password 7 00071204085E0F071826
                              username tsignal33 privilege 3 password 7 134F5D310A011406242A2F6261
                              !
                              !
                              clock timezone MST -7
                              !
                              ip subnet-zero
                              !
                              !
                              interface FastEthernet0/1
                              description Trunk to Study Switch
                              switchport trunk encapsulation dot1q
                              switchport mode trunk
                              !
                              interface FastEthernet0/2
                              description Trunk to Router
                              switchport trunk encapsulation dot1q
                              switchport mode trunk
                              !
                              interface FastEthernet0/3
                              description File Server
                              switchport access vlan 2
                              spanning-tree portfast
                              !
                              interface FastEthernet0/4
                              description VOIP
                              switchport access vlan 2
                              spanning-tree portfast
                              !
                              interface FastEthernet0/5
                              switchport access vlan 2
                              spanning-tree portfast
                              !
                              interface FastEthernet0/6
                              switchport access vlan 2
                              spanning-tree portfast
                              !
                              interface FastEthernet0/7
                              spanning-tree portfast
                              !
                              interface FastEthernet0/8
                              !
                              interface FastEthernet0/9
                              !
                              interface FastEthernet0/10
                              !
                              interface FastEthernet0/11
                              switchport access vlan 2
                              spanning-tree portfast
                              !
                              interface FastEthernet0/12
                              switchport access vlan 2
                              spanning-tree portfast
                              !
                              interface VLAN1
                              ip address 10.1.2.4 255.255.255.0
                              no ip directed-broadcast
                              no ip route-cache
                              !
                              interface VLAN2
                              ip address 192.168.2.4 255.255.255.0
                              no ip directed-broadcast
                              no ip route-cache
                              shutdown
                              !
                              ip default-gateway 10.1.2.1
                              snmp-server engineID local 00000009020000024BBA8B80
                              snmp-server community Switch RW
                              snmp-server chassis-id 0x0D
                              snmp-server enable traps snmp
                              snmp-server enable traps vlan-membership
                              snmp-server enable traps c2900
                              snmp-server enable traps config
                              snmp-server enable traps entity
                              snmp-server enable traps hsrp
                              snmp-server enable traps vtp
                              snmp-server enable traps cluster
                              snmp-server host 192.168.1.2 trap version 2c Switch
                              banner exec ^Canner exec
                              Unauthorized Access Will Be Terminated By Unforseen Event
                              ^C
                              !
                              line con 0
                              transport input none
                              stopbits 1
                              line vty 0 4
                              password 7 1414130900012E2A332F
                              login local
                              line vty 5 15
                              password 7 00071204085E0F071826
                              login local
                              !
                              ntp clock-period 22518131
                              ntp server 132.163.4.101
                              end

                              -------------------------------------------------------

                              pixfirewall# sh runn
                              : Saved
                              :
                              PIX Version 6.3(5)
                              interface ethernet0 100full
                              interface ethernet1 100full
                              nameif ethernet0 outside security0
                              nameif ethernet1 inside security100
                              enable password pGpYPZJxUjuCnyxs encrypted
                              passwd pGpYPZJxUjuCnyxs encrypted
                              hostname pixfirewall
                              domain-name study.com
                              fixup protocol dns maximum-length 512
                              fixup protocol ftp 21
                              fixup protocol h323 h225 1720
                              fixup protocol h323 ras 1718-1719
                              fixup protocol http 80
                              fixup protocol rsh 514
                              fixup protocol rtsp 554
                              fixup protocol sip 5060
                              fixup protocol sip udp 5060
                              fixup protocol skinny 2000
                              fixup protocol smtp 25
                              fixup protocol sqlnet 1521
                              fixup protocol tftp 69
                              names
                              access-list acl_out permit icmp any any
                              pager lines 24
                              logging on
                              logging monitor debugging
                              logging buffered debugging
                              mtu outside 1500
                              mtu inside 1500
                              ip address outside 192.168.4.223 255.255.255.0
                              ip address inside 10.1.1.1 255.255.255.0
                              ip audit info action alarm
                              ip audit attack action alarm
                              pdm history enable
                              arp timeout 14400
                              global (outside) 1 interface
                              nat (inside) 1 0.0.0.0 0.0.0.0 0 0
                              access-group acl_out in interface outside
                              route outside 0.0.0.0 0.0.0.0 192.168.4.222 1
                              route inside 10.1.2.0 255.255.255.0 10.1.1.2 1
                              timeout xlate 3:00:00
                              timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225

                              1:00:00
                              timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
                              timeout sip-disconnect 0:02:00 sip-invite 0:03:00
                              timeout uauth 0:05:00 absolute
                              aaa-server TACACS+ protocol tacacs+
                              aaa-server TACACS+ max-failed-attempts 3
                              aaa-server TACACS+ deadtime 10
                              aaa-server RADIUS protocol radius
                              aaa-server RADIUS max-failed-attempts 3
                              aaa-server RADIUS deadtime 10
                              aaa-server LOCAL protocol local
                              ntp server 132.163.4.101 source outside
                              http server enable
                              no snmp-server location
                              no snmp-server contact
                              snmp-server community public
                              no snmp-server enable traps
                              floodguard enable
                              telnet 192.168.4.0 255.255.255.0 outside
                              telnet 10.1.2.4 255.255.255.255 inside
                              telnet timeout 15
                              ssh timeout 5
                              console timeout 0
                              dhcpd lease 3600
                              dhcpd ping_timeout 750
                              username tsignal32 password rtIiju8SbjA5Z/.a encrypted privilege 15
                              terminal width 80
                              banner exec Unathorized Users will be Terminated By a Unforseen Event
                              banner login Authorized Users Only
                              Cryptochecksum:1026f35a5565e6f09b84e5ec1309eaca
                              : end
                              pixfirewall#
                              Last edited by tsignal32; 18th April 2008, 15:44.

