No internet connection

Gutsanglory

Hi all,

I have a dead simple setup, and yet there still must be something wrong with my PAT and default gateway setup, as the inside has no connection to the internet.

internet <---> Pix506e <---> LAN

I am able to ping the pix inside interface from a workstation.
From the pix I can ping both inside and outside interfaces.
I have proper connectivity lights.
Cannot ping through to gateway ip.

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
hostname pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 68.xxx.xxx.xxx 255.255.252.0
ip address inside 192.168.123.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 68.xxx.xxx.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.123.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 192.168.123.50 255.255.255.255 inside
ssh timeout 15
console timeout 0
terminal width 80
Cryptochecksum:4d9cf3f32edb3cee605d0bf203944874


Thanks for any help,

Guts
 
You're missing access-lists

Ta

AJ

===

Fatman Superstar (Andrew James)

CCNA
 

I'm not sure which access-list I would need for basic connectivity to the internet for the inside to the outside.

Can you give me an example?

I thought inside to outside access (from high to low) was allowed without access-lists.

thanks,

Guts.
 
Try this:

This should allow you to access web sites on port 80 through the PIX

access-list outbound extended permit tcp any any eq 80
access-group outbound in interface inside

Note that I have a 515 so the commands may differ slightly, but this is the basic idea. Create an access-list then apply it to an interface.

Hope this helps
 
Hi,

I think I found the issue. I checked the ARP table and found an entry for some unknown WAN IP, listed first. I think it may have gotten the IP during the startup and DHCP on the outside interface (which I removed and set static). Anyway, I cleared the ARP and all of a sudden I can ping my gateway, and I have internet access again. Now to get pings to work correctly from inside....


Thanks for your help !!

Guts
 
Ok...thought I had it fixed, but when I started fresh with a "config factory-default" and set it up again, it's doing the exact same thing. Everything looks like it should work, but it doesn't. I have played with it all day without success.

I noticed that when trying to do the setup from the PDM and sending the Pix new config statements, it would error out with this message:

[ERR]route outside 0 0 68.147.192.1 1
cannot add route entry. possible conflict with existing routes
[OK] hostname dv-pix
[OK] domain-name mydomain.net
[OK] interface ethernet1 100full
[OK] no dhcpd enable inside
[OK] interface ethernet0 100full
[OK] ip address outside 68.147.192.169 255.255.252.0
[OK] enable password xxxxxxxxxxxxxxx
[OK] write memory

Here is my config:

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
hostname dv-pix
domain-name mydomain.net
clock timezone MST -7
clock summer-time MDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
logging on
logging buffered notifications
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 68.147.192.169 255.255.252.0
ip address inside 192.168.123.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.123.50 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 68.147.192.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 136.159.2.2 source outside prefer
http server enable
http 192.168.123.50 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.123.50 255.255.255.255 inside
telnet timeout 15
ssh 192.168.123.50 255.255.255.255 inside
ssh timeout 15
console timeout 0
username admin password xxxxxxxxxxxx encrypted privilege 15
terminal width 80
Cryptochecksum:d23638279869519825061bb4a0d764ce

Some ping tests:

dv-pix# ping 192.168.123.1
192.168.123.1 response received -- 0ms
192.168.123.1 response received -- 0ms
192.168.123.1 response received -- 0ms
dv-pix# ping 192.168.123.50
192.168.123.50 response received -- 0ms
192.168.123.50 response received -- 0ms
192.168.123.50 response received -- 0ms
dv-pix# ping 68.147.192.169
68.147.192.169 response received -- 0ms
68.147.192.169 response received -- 0ms
68.147.192.169 response received -- 0ms
dv-pix# ping 68.147.192.1
68.147.192.1 NO response received -- 1000ms
68.147.192.1 NO response received -- 1000ms
68.147.192.1 NO response received -- 1000ms


Any thoughts????

Thanks,

Guts
 
Now it's working again. The only thing I did was turn on debug icmp trace and ping the gateway....and I noticed it's working now.......

sheesh.....

I'm baffled. (hardware??, the PIX is brand spankin' new)

Guts
 
You can try doing a sh int and look at the outside interface stats; that may give you a hint as to what's happening on that interface.
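
Added example (not written by any poster in this thread): a Python check of the configuration prerequisites for inside-to-outside traffic on PIX 6.x, covering the points raised above: a higher source security level, a nat/global pair with the same id, a default gateway on the outside subnet, and, when an access-list is bound to the inside interface, whether its implicit deny would drop DNS. `check_outbound` and `SAMPLE` are names made up for this example; the sample is constructed from the second posted config, and addresses must be unmasked.

```python
import ipaddress

# Constructed sample: connectivity-relevant lines of the second config in the thread.
SAMPLE = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 68.147.192.169 255.255.252.0
ip address inside 192.168.123.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 68.147.192.1 1
"""

def check_outbound(config, src="inside", dst="outside"):
    """List config problems that stop src -> dst traffic (PIX 6.x rules)."""
    level, net, nat_ids, glob_ids, acls, gw, bound = {}, {}, set(), set(), {}, None, None
    rows = [line.split() for line in config.splitlines()]
    for t in (r for r in rows if len(r) > 2):
        if t[0] == "nameif" and len(t) == 4:
            level[t[2]] = int(t[3].replace("security", ""))
        elif t[:2] == ["ip", "address"] and len(t) == 5 and t[3][0].isdigit():
            net[t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:2] == ["nat", f"({src})"]:
            nat_ids.add(t[2])
        elif t[:2] == ["global", f"({dst})"]:
            glob_ids.add(t[2])
        elif t[:2] == ["route", dst] and t[2] in ("0", "0.0.0.0") and len(t) > 4:
            gw = ipaddress.ip_address(t[4])
        elif t[0] == "access-group" and t[2:] == ["in", "interface", src]:
            bound = t[1]  # ACL filtering traffic entering the src interface
        elif t[0] == "access-list":
            rest = [x for x in t[2:] if x != "extended"]
            if rest[:1] == ["permit"] and len(rest) > 1:
                acls.setdefault(t[1], set()).add(rest[1])  # permitted protocol
    out = []
    if level.get(src, 0) <= level.get(dst, 0):
        out.append(f"{src} is not a higher security level than {dst}")
    if "0" not in nat_ids and not (nat_ids & glob_ids):
        out.append(f"no nat ({src}) / global ({dst}) pair with the same id")
    if gw is None:
        out.append(f"no default route on {dst}")
    elif dst in net and gw not in net[dst]:
        out.append(f"default gateway {gw} is not on the {dst} subnet {net[dst]}")
    if bound and not acls.get(bound, set()) & {"ip", "udp"}:
        out.append(f"ACL {bound} on {src} permits no udp: DNS hits the implicit deny")
    return out

if __name__ == "__main__":
    print(check_outbound(SAMPLE) or "no blocking config problem found")
```

On the posted config this returns no findings. With the port-80-only access-list from the earlier reply bound to the inside interface, it reports that DNS lookups would be dropped.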
 