
Help with PIX 515

Nov 1, 2005
OK, I am pretty much a newbie with PIX boxes, but am fairly familiar with switches and routers, and for the last two days I have racked my brain. I have a 515 that is simply getting the best of me. Here is the config:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto shutdown
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 inside2 security99
enable password lilX.uglbjY5lZh. encrypted
passwd 2KFQnbNIdI.2KYOU
hostname XXX
domain-name XXXX.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit icmp any any
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
pager lines 24
icmp permit any outside
icmp permit any inside
icmp permit any inside2
mtu outside 1500
mtu inside 1500
mtu inside2 1500
ip address outside 192.168.100.4 255.255.255.0
ip address inside 10.18.1.1 255.255.255.0
ip address inside2 192.168.100.5 255.255.255.128
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
access-group 101 in interface inside2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.100.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:852a412bc587d5ce2f65c13f90151e2f

To test this thing I am plugged into my Cisco 2900, which is in turn directly plugged into my cable modem. The cable modem has an IP of 192.168.100.1 with a 255.255.255.0 subnet mask. As you can see, my outside connection and inside2 connection are very similar in IPs, but I do have two different subnets. My problem is that I can ping from my PC that is directly connected to inside2, but can't ping the outside IP address. I also can't ping from the PIX itself to the cable modem (IP address 192.168.100.1). We are only using this IP scheme to test this. Once I make sure it all works I will be changing the inside IP address scheme to a completely different IP and subnet mask.

Could the IPs being too similar, with too small a difference in masks, be my problem, or am I missing something? Any help would be great.

Thanks
 
Your inside2 and outside interfaces are not on different subnets. They need to be, and the subnet masks should match as well.

ip address outside 192.168.100.4 255.255.255.128
ip address inside2 192.168.100.129 255.255.255.128

would work.

Also, how's the outside addressing, exactly? You say that you have a cable modem at 192.168.100.1, and a 2900 router, and your outside interface at 192.168.100.4? Is the router bridging?
 
lgarner, I changed a couple of things so that it is closer to how it will actually look when it hits production. Here is the config I have.

: Written by enable_15 at 08:10:27.075 UTC Thu Jan 26 2006
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto shutdown
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 inside2 security99
enable password lilX.uglbjY5lZh. encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname XXX
domain-name XXXXXX.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit icmp any any
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
pager lines 24
icmp permit any outside
icmp permit any inside
icmp permit any inside2
mtu outside 1500
mtu inside 1500
mtu inside2 1500
ip address outside 192.168.100.3 255.255.255.0
ip address inside 10.18.1.1 255.255.255.0
ip address inside2 12.18.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
access-group 101 in interface inside2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.100.5 255.255.255.255 inside
http 12.18.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:eada68c2b7663ac3cb9bfa3f74edb6f1


This time I also connected it directly to the cable modem. As I mentioned, the cable modem has a 192.168.100.1 255.255.255.0 address. And I gave my PC, which is connected directly to the outside2 port, a static IP of 18.12.1.2 255.255.255.0. (12.18.1.0 is going to become our inside scheme.) I can ping from the PIX to both the modem and the PC. I can ping from the PC to the PIX, but I can't ping from the PIX to an outside address, nor can I ping from the PC to the outside interface of the PIX.

Thanks

 
Couple of things:

interface ethernet1 auto shutdown
- This one should be obvious.

global (outside) 1 interface
- What are you trying to NAT your internal IP addresses to on the outside? You don't have a global NAT/PAT.

I don't see a route outside. From what I see you should have a
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1

You can't ping from the PC to the outside interface of the PIX because you don't have a route outside, and you won't be able to ping beyond the outside interface because you haven't defined a global or static NAT/PAT.
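The two diagnoses in this thread (lgarner's point that the outside and inside2 subnets overlap, and the later reply's points about the missing route outside and the nat/global pairing) are mechanical enough to check with a script. The following is an added example written for this page, not code from the thread or from Cisco; it parses the `ip address`, `global`, `nat` and `route` lines of a PIX 6.x config and reports those three problems. The sample configs inside it are constructed from the lines posted above: the first reproduces the original overlapping layout, the second applies lgarner's /25 split plus a default route.

```python
import ipaddress
import re

# Constructed sample: the relevant lines from the original post's config.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 inside2 security99
ip address outside 192.168.100.4 255.255.255.0
ip address inside 10.18.1.1 255.255.255.0
ip address inside2 192.168.100.5 255.255.255.128
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
"""

# Constructed sample: same box with lgarner's /25 split and a route outside.
FIXED_CONFIG = """\
ip address outside 192.168.100.4 255.255.255.128
ip address inside 10.18.1.1 255.255.255.0
ip address inside2 192.168.100.129 255.255.255.128
global (outside) 1 interface
nat (inside2) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
"""


def parse_pix(config_text):
    """Extract interface addresses, global/nat ids and routes from a PIX 6.x config."""
    cfg = {"interfaces": {}, "globals": {}, "nats": [], "routes": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"ip address (\S+) (\S+) (\S+)$", line)
        if m:
            name, ip, mask = m.groups()
            # ip_interface accepts dotted-quad masks, e.g. "192.168.100.4/255.255.255.0"
            cfg["interfaces"][name] = ipaddress.ip_interface(f"{ip}/{mask}")
            continue
        m = re.match(r"global \((\S+)\) (\d+) (.+)$", line)
        if m:
            cfg["globals"].setdefault(int(m.group(2)), []).append((m.group(1), m.group(3)))
            continue
        m = re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line)
        if m:
            cfg["nats"].append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
            continue
        m = re.match(r"route (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            cfg["routes"].append((m.group(1), net, m.group(4)))
    return cfg


def find_overlapping_interfaces(cfg):
    """Pairs of interfaces whose connected subnets overlap (the PIX cannot route between them)."""
    found = []
    names = sorted(cfg["interfaces"])
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if cfg["interfaces"][a].network.overlaps(cfg["interfaces"][b].network):
                found.append((a, b))
    return found


def find_unpaired_nats(cfg):
    """nat ids with no global of the same id; id 0 means 'no translation' and needs none."""
    return sorted({nat_id for _, nat_id, _, _ in cfg["nats"]
                   if nat_id != 0 and nat_id not in cfg["globals"]})


def has_default_route(cfg):
    """True if any 'route <if> 0.0.0.0 0.0.0.0 <next-hop>' line is present."""
    return any(net.prefixlen == 0 for _, net, _ in cfg["routes"])


def audit(config_text):
    """Return a list of human-readable findings for the three checks discussed in the thread."""
    cfg = parse_pix(config_text)
    findings = []
    for a, b in find_overlapping_interfaces(cfg):
        findings.append(f"interfaces {a} ({cfg['interfaces'][a].network}) and "
                        f"{b} ({cfg['interfaces'][b].network}) overlap")
    for nat_id in find_unpaired_nats(cfg):
        findings.append(f"nat id {nat_id} has no matching global")
    if not has_default_route(cfg):
        findings.append("no default route (route <if> 0.0.0.0 0.0.0.0 <next-hop>)")
    return findings


if __name__ == "__main__":
    for label, text in (("original", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}:")
        for finding in audit(text) or ["no findings"]:
            print("  -", finding)
```

Run against the original layout it reports the outside/inside2 overlap and the missing default route; against the /25 split with a route outside it reports nothing. The parser only understands the four statement types it needs, so a line garbled by pasting (as in the third config above) is simply skipped rather than misread.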
 
ethernet1 is shut down because it isn't being used; instead I am using eth2. I also added my nat statement and global statement as well as the route outside:

: Written by enable_15 at 10:14:47.128 UTC Fri Jan 27 2006palive not set55.255.09:07:29 J
PIX Version 6.3(1)plex (Full), Auto
interface ethernet0 auto55.
interface ethernet1 auto shutdown
global for this range already ex
interface ethernet2 auto
nameif ethernet0 outside security0RP Timeout 04:00:00ing outside 70.
nameif ethernet1 inside security100
static (i
nameif ethernet2 inside2 security99tion...168.100.0 ne
enable password lilX.uglbjY5lZh. encrypted 0 bits/sec, 0 packets/secee429fb6 eda5771
passwd 2KFQnbNIdI.2KYOU encrypted

hostname pstput rate 300
domain-name danbredna.comide 70.59.172.176prelay
fixup protocol ftp 21lay
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-171
fixup protocol rtsp 554
Receive
fixup protocol sip 5060ts, 0 giants, 0 throttl
fixup protocol sip udp 5060
fixup protocol skinny 2000 0 input errors, 0 CRC,
fixup protocol smtp 25gnored
fixup protocol sqlnet 1521
debug
namesebu
access-list 101 permit icmp any any inside

access-list 101 permit tcp any any eq www

access-list 101 permit tcp any any eq smtpets with dribble con
access-list 101 permit tcp any any eq pop3Speed (100), 100BaseTX/FX
pager lines 24
icmp permit any outside0 Add or d
icmp permit any inside
ARP type: ARP
icmp permit any inside231aa00198c1a3b44e8201e6
mtu outside 1500
mtu inside 1500
mtu inside28:
show pdm session
ip audit attack action alarm
pdm location 12.18.1.0 255.255.255.0 insideg, 1021
pdm history enableput queue 0/40, 0
arp timeout 14400 0/75, 0 drops0
global (outside) 1 192.168.100.4
nat (inside2) 1 0.0.0.0 0.0.0.0 0 0evel debugging,
static (inside,outside) 12.18.1.0 192.168.100.0 netmask 255.255.255.255 0 02.18.1.1 255.2
static (inside2,outside) 12.18.1.0 192.168.100.0 netmask 255.255.255.255 0 0 300
access-group 101 in interface inside2
route outside 0.0.0.0 0.0.0.0 192.168.100.1 255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.100.5 255.255.255.255 inside
http 12.18.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:8ee7183039fe5bc1ee429fb6eda57711

I can now ping from the PIX to external addresses but can't ping from the PC to the Internet. I am guessing it is a routing issue, but can't see what the problem is.
 
You can't ping to the outside interface because the PIX won't return packets via the interface on which they were received.

After you apply the correct ACL to the outside interface, you should be able to ping the router that's connected to it. Currently, no ICMP traffic is permitted into the outside interface unless it's destined for the Pix. Add "icmp permit any outside" to overcome this.

The static statements won't do anything for you. What's the objective there? You're translating an entire network but using a host mask.

Otherwise, it's hard to tell. Looks like your config got munged up with some other text during posting.
 