- A virtual community of network engineers
 Home  BookStore  StudyNotes  Links  Archives  StudyRooms  HelpWanted  Discounts  Login
RE: Can get it to work (Pix 515 behind cable modem [7:49744] posted 07/26/2002
[Chronological Index] [Thread Index] [Top] [Date Prev][Date Next] [Thread Prev][Thread Next]

Kevin- Disregard my last post... I read your message wayyy to quickly,
and interpreted it to be asking why you were getting PAT results rather
than NAT as expected.

In reflection, I realize what you are actually asking, and also realize
that the configuration is missing Access Lists or Conduits.  Without
those, you're going nowhere on the "NET".

The 515 should have come with a couple of PIX manuals (probably for 6.1,
but that's ok).  Look at the chapter on Access-lists, as this is where
Cisco is headed for primary/default config of the PIX.  It used to be
Conduits were used in place of the Access Lists, and so far, the 6.1 and
6.2 code are backwards compatible for Conduits usage.

If you are still confused after your reading, try firing up the PDM and
adding an access list for allowing ICMP echo reply packets back in the
outside interface, and ICMP any packets out the inside interface.

IIRC, the PDM will generate the explicit allow IP acl for the inside
interface by default.  Save your changes, get out of PDM, and go telnet
back to the PIX to study the changes.

At the same time, see if you can get to the net now!

Also, I'd verify you WAN configuration by issuing a Show Route command
in Exec Mode.... this will id your outside int. ip address, and its def.
gw., as well as the default route for traffic.

Sorry for the knee-jerk response of my earlier post. :(

> From: "Kevin O'Gilvie" 
> Date: 2002/07/26 Fri AM 01:20:23 EDT
> To: cisco@xxxxxxxxxxxxxx
> Subject: Can get it to work (Pix 515 behind cable modem) [7:49744]
> Dear All,
> Below is my config.
> Can someone tell me why ckients on the inside interface cant get to
> internet (browwse, ping, nothing)
> Yet show xlate shows clients Pat(ing) to outside address..
> I am so frustrated, dont know whats the issue???!!!
> PIX Version 6.2(2)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security50
> enable password 8Ry2YjIyt7RRXU24 encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> hostname pixfirewall
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> no fixup protocol smtp 25
> names
> pager lines 24
> logging on
> logging trap debugging
> logging host inside
> interface ethernet0 100full
> interface ethernet1 100full
> interface ethernet2 100full
> mtu outside 1500
> mtu inside 1500
> mtu dmz 1500
> ip address outside dhcp setroute
> ip address inside
> ip address dmz
> ip audit info action alarm
> ip audit attack action alarm
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 1 0 0
> timeout xlate 0:30:00
> timeout conn 0:15:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 
> 0:05:00 si
> p 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> sysopt connection permit-pptp
> no sysopt route dnat
> telnet inside
> telnet timeout 60
> ssh timeout 5
> dhcpd auto_config outside
> terminal width 80
> Cryptochecksum:0d7e04757f9b50f2a77acb163265e3ea
> : end
> [OK]
> _________________________________________________________________
> Send and receive Hotmail on your mobile device:

Message Posted at:
FAQ, list archives, and subscription info:
Report misconduct and Nondisclosure violations to abuse@xxxxxxxxxxxxxx