
General PIX question


30362 | MIS | Feb 18, 2003 | 205 | US
We have just moved from a single flat network to a segmented network with multiple VLANs. Previously everyone on the segment was able to access the internet without needing to configure a proxy server; however, now it seems that no machines, except those in the same VLAN as my PIX, can access the internet without proxy settings.

Can anyone tell me how I should configure the PIX, if it is possible, so that any hosts on my internal LAN, regardless of their VLAN, would be able to use the internet via the PIX, so I can eliminate MS Proxy altogether.

Thanks in advance...
 
Do you understand the concept of VLANs?

"no machines, except those in the same VLAN as my PIX, can access the internet without proxy settings"

This is because there is no routing between the VLANs, and the PIX doesn't know about those other VLANs/networks. You need to set up routing so that all other VLANs can route to the VLAN with the PIX, and the PIX has routes to all other VLANs.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
I do understand VLANs. I have my L3 doing all the routing between my VLANs now, which works fine since my users are on 3 different VLANs and my servers on a 4th, and I have a route statement on my PIX for the entire 10. class A, which summarizes my entire network, but still no luck...

 
So can the users ping the internal address of the PIX? Can they ping the router beyond the PIX?

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Users can ping the internet address of the PIX without a problem. They can't ping the router, but that is the same for all the hosts. I know the route is correct on the PIX because I can ping any host on any VLAN from the PIX. I figured it has to be a setting somewhere but can't seem to find it.

 
Does your L3 switch have a default route statement to the PIX? It sounds like it is missing, especially if you can ping devices on directly attached networks but not beyond.

Or have you configured nat 0 for those new LANs, and they are getting out to the internet as private IP addresses?

 
I have the route in my L3. I think the nat 0 config might be just the thing; where would I find that? Is that the HOSTS/NETWORKS tab in PDM?
 
Can you post the config?

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Building configuration...
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname Firewall
domain-name microsoft.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
name 208.252.159.21 StateAuto2
name 208.252.159.20 StateAuto
name 199.222.4.91 Hartford
name 1.0.1.4 M5
name 1.0.1.32 MEX2
name 1.0.1.8 MAIL
name 1.0.1.28 MAIL-GATE
name 1.0.1.1 Servers
name 1.0.1.3 Floor3
name 1.0.1.11 Floor1
name 1.0.1.2 Floor2
name 1.0.1.4 Basement
name 1.0.0.0 Network
pager lines 24
logging timestamp
logging trap informational
logging history informational
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 2.3.5.6 255.255.255.248
ip address inside 1.0.0.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location StateAuto 255.255.255.255 outside
pdm location StateAuto2 255.255.255.255 outside
pdm location Hartford 255.255.255.255 outside
pdm location Servers 255.255.255.0 inside
pdm location Basement 255.255.255.0 inside
pdm location MAIL 255.255.255.255 inside
pdm location MEX2 255.255.255.255 inside
pdm location M5 255.255.255.255 inside
pdm location MAIL-GATE 255.255.255.255 inside
pdm location Network 255.0.0.0 inside
pdm location Floor3 255.255.255.0 inside
pdm location Floor1 255.255.255.0 inside
pdm location Floor2 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 2.3.5.5 MAIL netmask 255.255.255.255 0 0
static (inside,outside) 2.3.5.4 MEX2 netmask 255.255.255.255 0 0
static (inside,outside) 2.3.5.3 M5 netmask 255.255.255.255 0 0
static (inside,outside) 2.3.5.2 MAIL-GATE netmask 255.255.255.255 0 0
conduit permit udp any eq domain any
conduit permit tcp any eq domain any
conduit permit tcp any host StateAuto range 1100 1101
conduit permit tcp any host StateAuto range 18000 18100
conduit permit tcp any host StateAuto2 range 1100 1101
conduit permit tcp any host StateAuto2 range 18000 18100
conduit permit tcp any host Hartford eq 8999
conduit permit tcp any host Hartford range 9923 9925
conduit permit tcp any any eq 3101
conduit permit tcp host 1.2.3.4 eq smtp any
conduit permit tcp host 1.2.3.5 eq
conduit permit tcp host 1.2.3.6 eq 1494 any
conduit permit tcp host 1.2.3.7 eq 1494 any
route outside 0.0.0.0 0.0.0.0 209.83.85.161 1
route inside Network 255.0.0.0 1.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http OLD 255.255.252.0 inside
http Network 255.255.255.0 inside
http Basement 255.255.255.0 inside
http Servers 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet Network 255.255.255.0 inside
telnet Basement 255.255.255.0 inside
telnet Servers 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
: end
[OK]
 
I may be wrong here because I'm not used to using conduits. You have a "conduit permit tcp host 1.2.3.5 eq". As the PIX has an implicit deny, I think this may be the root of the problem (I'm guessing that 1.2.3.5 is your proxy server).

To test this, add a conduit permit inside.network eq
I'd strongly suggest you switch to using access lists (a conduit applies to all interfaces, but an access list just applies to the one it is assigned to).


Hope this helps.

Tony
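As an added check (written for this thread, not code from the poster, Cisco or PDM): a small Python parser over a config excerpt constructed in the style of the PIX 6.1 config posted above. For each VLAN subnet behind the L3 switch it verifies that the PIX has an inside route back to it and a "nat (inside)" entry covering it, and it flags conduit lines that are cut short, like the "host 1.2.3.5 eq" line Tony points at. The VLAN subnets passed in are assumed values.

```python
import ipaddress

# Constructed excerpt in the style of the PIX 6.1 config posted above (sample input, not the live box)
PIX_CONFIG = """\
name 1.0.0.0 Network
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit tcp host 1.2.3.5 eq
conduit permit tcp host 1.2.3.7 eq 1494 any
route inside Network 255.0.0.0 1.0.0.1 1
"""

def _spec(parts, i):  # one address spec: 'any', 'host X' or 'X MASK'; None if cut off
    need = 1 if i < len(parts) and parts[i] == "any" else 2
    return i + need if i + need <= len(parts) else None

def _port(parts, i):  # optional 'eq P' or 'range LO HI'; None if cut off
    need = {"eq": 2, "range": 3}.get(parts[i], 0) if i < len(parts) else 0
    return i + need if i + need <= len(parts) else None

def conduit_well_formed(line):
    """True if 'conduit permit <proto> <src> [port] <dst> [port]' parses to the end."""
    parts, i = line.split()[3:], 0
    for step in (_spec, _port, _spec, _port):
        i = step(parts, i)
        if i is None:
            return False
    return i == len(parts)

def parse_pix(text):
    lines = [l.split() for l in text.splitlines() if l.strip()]
    names = {p[2]: p[1] for p in lines if p[0] == "name"}      # symbolic name -> IP
    cfg = {"routes": {}, "nat": {}, "bad_conduits": []}
    for p in lines:
        if p[0] == "route":                                     # route <if> <net> <mask> <gw> [metric]
            net = ipaddress.ip_network(f"{names.get(p[2], p[2])}/{p[3]}", strict=False)
            cfg["routes"].setdefault(p[1], []).append(net)
        elif p[0] == "nat" and p[2] != "0":                     # nat (<if>) <id> <net> <mask>; nat 0 skipped
            net = ipaddress.ip_network(f"{names.get(p[3], p[3])}/{p[4]}", strict=False)
            cfg["nat"].setdefault(p[1].strip("()"), []).append(net)
        elif p[0] == "conduit" and not conduit_well_formed(" ".join(p)):
            cfg["bad_conduits"].append(" ".join(p))
    return cfg

def check_vlan(subnet, cfg):  # reasons hosts in this VLAN (behind the L3 switch) cannot get out via the PIX
    net, problems = ipaddress.ip_network(subnet), []
    if not any(net.subnet_of(r) for r in cfg["routes"].get("inside", [])):
        problems.append("no 'route inside' covers it: replies have no path back to the VLAN")
    if not any(net.subnet_of(n) for n in cfg["nat"].get("inside", [])):
        problems.append("no 'nat (inside)' covers it: traffic is not translated to the global address")
    return problems
```

Run check_vlan("1.0.3.0/24", parse_pix(PIX_CONFIG)) for a VLAN inside the summarised 1.0.0.0/8 and it returns no problems; a VLAN outside that summary, such as 10.20.0.0/24, is reported as lacking an inside route.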
 