Pix 501, is the internet down or is it me?

fusionboy

Programmer
Jul 14, 2003
27
US
Hey Everybody,

I've recently moved and my ip address changed. I had my 501 working fine before, but it's been a while since I last messed with it, and I'm not sure how much I remember. I know I'm probably missing something stupid -- can anyone see what it is?

Config below.

Thanks!!!

nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password rMyfIJgeTw encrypted
passwd nbNIdI.2KYOU encrypted
hostname TheWall
domain-name domain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inbound permit tcp any host 69.x.x.3 eq domain
access-list inbound permit udp any host 69.x.x.3 eq domain
access-list acl_out permit icmp any any
pager lines 100
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 69.x.x.3 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.30 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 69.x.x.3 192.168.1.30 netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 255.255.255.0 69.x.x.1 1
route outside 0.0.0.0 0.0.0.0 69.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.30 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.100-192.168.1.110 inside
dhcpd dns 209.150.200.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
 


Can you ping your default gateway? 69.x.x.1


This doesn't look quite right:

ip address outside 69.x.x.3 255.255.255.0

static (inside,outside) 69.x.x.3 192.168.1.30 netmask 255.255.255.255 0 0

Looks like you are trying to statically nat your external interface IP to an internal address. If this is your goal you should do port forwarding.

Since you moved have you updated your config with New IPs?

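The conflict pointed out in the reply above (a whole-address static that maps the outside interface's own IP), as an added example that is not part of the original thread: a small Python check over a PIX 6.x config. The sample lines are copied from the first config posted here; the function and check names are hypothetical, and the route and SNMP checks are extra checks added here, not points raised in the thread.

```python
import re

# Constructed sample: the relevant lines from the first config in this thread.
SAMPLE_CONFIG = """\
ip address outside 69.x.x.3 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
static (inside,outside) 69.x.x.3 192.168.1.30 netmask 255.255.255.255 0 0
route outside 0.0.0.0 255.255.255.0 69.x.x.1 1
route outside 0.0.0.0 0.0.0.0 69.x.x.1 1
snmp-server community public
"""

def audit_pix_config(text):
    """Return (check_id, config_line) findings. Check ids are hypothetical names."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    # Interface name -> statically configured address (DHCP lines do not match).
    if_addr = {}
    for l in lines:
        m = re.match(r"ip address (\S+) (\S+) (\S+)$", l)
        if m:
            if_addr[m.group(1)] = m.group(2)
    findings = []
    for l in lines:
        # Whole-address form: static (real_if,mapped_if) mapped_ip real_ip ...
        m = re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)", l)
        if m and m.group(3) not in ("tcp", "udp"):
            # The mapped address is the firewall's own interface address, so the
            # static collides with the interface and with "global ... interface" PAT.
            if if_addr.get(m.group(2)) == m.group(3):
                findings.append(("static-claims-interface-ip", l))
        # A 0.0.0.0 network with a non-zero mask is not a default route.
        m = re.match(r"route (\S+) (\S+) (\S+) (\S+)", l)
        if m and m.group(2) == "0.0.0.0" and m.group(3) != "0.0.0.0":
            findings.append(("route-zero-net-nonzero-mask", l))
        # Well-known default community string left in place.
        if re.match(r"snmp-server community public$", l):
            findings.append(("snmp-default-community", l))
    return findings

if __name__ == "__main__":
    for check, line in audit_pix_config(SAMPLE_CONFIG):
        print(f"{check}: {line}")
```

On PIX 6.x the per-port form the reply refers to is `static (inside,outside) udp interface domain 192.168.1.30 domain netmask 255.255.255.255 0 0` plus the matching `tcp` line; a config using it passes the first check.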
 
Thanks for the response!

I cannot ping the gateway. I have updated to new IPs. Any ideas?

I guess the nat thing was for the nameserver behind the firewall -- how do I do port forwarding?
 
Can you ping the gateway from the pix? If you can't, make sure you have the correct subnet mask and make sure the correct cables are where they need to go.
 
I cannot ping the gateway. I have the correct cables and subnet mask.

So there's nothing wrong or missing from the config?
 
Take out the static command:
static (inside,outside) 69.x.x.3 192.168.1.30 netmask 255.255.255.255 0 0

with:

no static (inside,outside) 69.x.x.3 192.168.1.30 netmask 255.255.255.255 0 0

 
Also, while on the Pix, do a sh int and look at the outside interface to make sure it's up. To ping your gateway type:

ping outside 69.x.x.1

 
Thanks again for your help, NetworkGhost.

I removed the static route as you suggested.

The interface is up and the line is up, but I just noticed that when I plug the uplink cable in to the switch, the switch's light is orange instead of green. What might that signify?

Still no response to gateway pinging (though I can ping it from other routers).

Here's my show int:

interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is x.x.f654
IP address 69.x.x.3, subnet mask 255.255.255.0
MTU 1500 bytes, BW 10000 Kbit half duplex
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/0) software (0/0)
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is x.x.f655
IP address 192.168.1.1, subnet mask 255.255.255.0
MTU 1500 bytes, BW 10000 Kbit full duplex
3 packets input, 180 bytes, 0 no buffer
Received 3 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/1)
output queue (curr/max blocks): hardware (0/0) software (0/0)

Thanks!
 
Hi All,
Can anyone help?
My 515E FW was able to access the internet previously. It is not now!

Config
Internal IP : - 172.30.2.254

External IP : DHCP (192.168.1.7/24 GW: - 192.168.1.3)

At device 192.168.1.3, I'm able to access the internet. But not in the router.

Within the router, I'm able to ping 192.168.1.3, but nothing beyond that.

Below is my config :- (Kindly assist)
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password HJI5Bqk8eMOnnVcq encrypted
passwd HJI5Bqk8eMOnnVcq encrypted
hostname bbsapix
domain-name bbsagroup.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service bbs tcp
description bbs access - general allowed tcp ports
port-object eq www
port-object eq pop3
port-object eq https
port-object eq smtp
port-object eq telnet
port-object eq citrix-ica
port-object eq login
port-object eq ftp
port-object range 8080 8080
object-group service bbsa-udp udp
description bbs access - VOIP allowed udp ports
port-object range 60000 60032
port-object range 1718 1719
port-object range 5060 5060
object-group service bbsa-tcp tcp
description bbs access - VOIP allowed tcp ports
port-object range 1503 1503
port-object range ldap ldap
port-object range 522 522
port-object range h323 1721
port-object range 1718 1718
port-object range 9000 9000
port-object range 1731 1732
access-list outside_access_in permit icmp any any
access-list outside_access_in remark bbs general tcp ports
access-list outside_access_in permit tcp any object-group bbs any
access-list outside_access_in remark bbsa VOIP udp ports
access-list outside_access_in permit udp any object-group bbsa-udp any
access-list outside_access_in remark bbsa VOIP tcp ports
access-list outside_access_in permit tcp any object-group bbsa-tcp any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp retry 4
ip address inside 172.30.2.254 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 172.30.2.200 255.255.255.255 inside
pdm location 172.30.9.11 255.255.255.255 inside
pdm location 172.30.9.10 255.255.255.255 inside
pdm location 172.30.9.12 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.30.2.200 255.255.255.255 inside
http 172.30.9.11 255.255.255.255 inside
http 172.30.9.10 255.255.255.255 inside
http 172.30.9.12 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 172.30.2.200 255.255.255.255 inside
telnet 172.30.9.11 255.255.255.255 inside
telnet 172.30.9.10 255.255.255.255 inside
telnet 172.30.9.12 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.30.2.100-172.30.2.200 inside
dhcpd dns 165.21.100.88 165.21.83.88
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:f2e8814942f1b8d56cb6f5089be4e2a9
: end
[OK]

Thanks.
Rdgs,
Sane
 
When you are pinging your gateway from the pix, do:

debug icmp trace

then Ping external gateway from Pix.

You should get debugged output on the screen. Copy the results and paste them up.

Also do it from an internal workstation while the debug is on and post the results also.

For Sane79:
TRY:
no ip address outside dhcp retry 4

ip address outside setroute dhcp

 