Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

General PIX question

Status
Not open for further replies.
30362

30362

MIS
Joined
Feb 18, 2003
Messages
205
Location
US
We have just moved from a single flat network to a segmented network with multiple vlans, previously everyone on the segment was able to access the internet without needing to configure a proxy server however now it seems that no machines, except those in the same VLAN as my PIX, can access the internet without proxy settings.

Can anyone tell me how I should configure the PIX, if it is possible, so that any hosts on my internal LAN, regardless of their VLAN, would be able to use the internet via the PIX so I can eliminate MS proxy altogether.

Thanks in advance...
 
Sort by date Sort by votes
Do you understand the concept of VLAN's?

<quote>no machines, except those in the same VLAN as my PIX, can access the internet without proxy settings</quote>

This is because there is no routing between the VLAN's and the Pix doesn't know about those other VLAN's/network. You need to set up routing so that all other VLAN's can route to the VLAN with the Pix and the Pix has routes to all other VLAN's.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Upvote 0 Downvote
I do understand VLANs, I have my L3 doing all the routing between my VLANs now, which works fine since my users are on 3 different VLANs and my servers on a 4th, and I have a route statement on my PIX for the entire 10. class A which summarizes my entire network but still no luck...

 
Upvote 0 Downvote
So can the users ping the internal address of the Pix? Can they ping the router beyond the Pix?

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Upvote 0 Downvote
Users can ping the internet address of the PIX without a problem, they can't ping the router but that is the same for all the hosts, I know the route is correct on the PIX because I can ping any host on any VLAN from the PIX. I figured it has to be a setting somewhere but can't seem to find it.

 
Upvote 0 Downvote
Does your L3 switch have a default route statement to the pix? Sounds like it is missing. Especially if you can ping devices on directly attached networks, but not beyond.

Or have you configured nat 0 for those new LAN's and they are getting out to the internet as private IP addresses.

 
Upvote 0 Downvote
I have the route in my L3, I think the nat0 config might be just the thing, where would I find that? Is that the HOSTS/NETWORKS tab in PDM?
 
Upvote 0 Downvote
Can you post the config?

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Upvote 0 Downvote
Building configuration...
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname Firewall
domain-name microsoft.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
name 208.252.159.21 StateAuto2
name 208.252.159.20 StateAuto
name 199.222.4.91 Hartford
name 1.0.1.4 M5
name 1.0.1.32 MEX2
name 1.0.1.8 MAIL
name 1.0.1.28 MAIL-GATE
name 1.0.1.1 Servers
name 1.0.1.3 Floor3
name 1.0.1.11 Floor1
name 1.0.1.2 Floor2
name 1.0.1.4 Basement
name 1.0.0.0 Network
pager lines 24
logging timestamp
logging trap informational
logging history informational
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 2.3.5.6 255.255.255.248
ip address inside 1.0.0.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location StateAuto 255.255.255.255 outside
pdm location StateAuto2 255.255.255.255 outside
pdm location Hartford 255.255.255.255 outside
pdm location Servers 255.255.255.0 inside
pdm location Basement 255.255.255.0 inside
pdm location MAIL 255.255.255.255 inside
pdm location MEX2 255.255.255.255 inside
pdm location M5 255.255.255.255 inside
pdm location MAIL-GATE 255.255.255.255 inside
pdm location Network 255.0.0.0 inside
pdm location Floor3 255.255.255.0 inside
pdm location Floor1 255.255.255.0 inside
pdm location Floor2 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 2.3.5.5 MAIL netmask 255.255.255.255 0 0
static (inside,outside) 2.3.5.4 MEX2 netmask 255.255.255.255 0 0
static (inside,outside) 2.3.5.3 M5 netmask 255.255.255.255 0 0
static (inside,outside) 2.3.5.2 MAIL-GATE netmask 255.255.255.255 0 0
conduit permit udp any eq domain any
conduit permit tcp any eq domain any
conduit permit tcp any host StateAuto range 1100 1101
conduit permit tcp any host StateAuto range 18000 18100
conduit permit tcp any host StateAuto2 range 1100 1101
conduit permit tcp any host StateAuto2 range 18000 18100
conduit permit tcp any host Hartford eq 8999
conduit permit tcp any host Hartford range 9923 9925
conduit permit tcp any any eq 3101
conduit permit tcp host 1.2.3.4 eq smtp any
conduit permit tcp host 1.2.3.5 eq conduit permit tcp host 1.2.3.6 eq 1494 any
conduit permit tcp host 1.2.3.7 eq 1494 any
route outside 0.0.0.0 0.0.0.0 209.83.85.161 1
route inside Network 255.0.0.0 1.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http OLD 255.255.252.0 inside
http Network 255.255.255.0 inside
http Basement 255.255.255.0 inside
http Servers 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet Network 255.255.255.0 inside
telnet Basement 255.255.255.0 inside
telnet Servers 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
: end
[OK]
 
Upvote 0 Downvote
I may be wrong here because I'm not used to using conduits. You have a conduit permit tcp host 1.2.3.5 eq As the pix has an implicit deny then I think this may be the route of the problem (I'm guessing that 1.2.3.5 is you proxy server).

to test this, add a conduit permit inside.network eq
I'd strongly suggest you switch to using access lists (a conduit applies to all interfaces but an access list just applies to the one it is assigned to).


Hope this helps.

Tony
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

intel233
  • Locked
  • Question Question
Cisco ASA - VPN Question
Replies
6
Views
1K
intel233
intel233
xwray
  • Locked
  • Question Question
PIX 501 DHCP Server function
Replies
0
Views
264
xwray
xwray
brownmab53
  • Locked
  • Question Question
PIX 525 ASA not allowing DHCP addresses to pass through to router
Replies
0
Views
318
brownmab53
brownmab53
NoCoolHandle
  • Locked
  • Question Question
TLS 1.0 vrs TLS 1.1 vrs 1.2 connection strategy question
Replies
1
Views
295
ChrisHirst
ChrisHirst
quazimotto
  • Locked
  • Question Question
Correct Upgrade Path for PIX
Replies
7
Views
610
quazimotto
quazimotto

Part and Inventory Search

Sponsor

Back
Top