
How do I allow internet access to my network

Status
Not open for further replies.

marflo500

IS-IT--Management
May 16, 2007
36
DM
Hello All,

I am new to PIX. I am currently in the process of configuring a Cisco PIX 515e. As far as I understood, the PIX is supposed to allow internet access from your inside network to outside network out of the box. But after running the Setup Wizard through the ASDM, my inside machines still cannot access the internet. Below is a copy of my configuration. Let me know what I am doing wrong guys:

: Saved
:
PIX Version 7.2(3)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password .79Go66qBAqhH3S4 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name default.domain.invalid
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 101 192.168.1.1 netmask 255.255.255.0
nat (inside) 101 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.150-192.168.1.254 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e021cf5d1e390f0880888be314e1458f
: end
asdm image flash:/asdm
no asdm history enable


Thanks
Liam
 
Thanks for the tip Network Ghost. But you do not necessarily have to use PAT. You could just use NAT and set a range of addresses from your outside interface. This is my global setting now:

global (outside) 1 192.168.2.14-192.168.2.253 netmask 255.255.255.0

That did the trick. Though I am not sure what limitations this will impose on my system with regards to the number of hosts that can start connections through this IP Pool.

Liam
 
I realize that. Wasn't sure the environment you were setting up and also you are using a private address range for your nat. You are also getting your outside IP via DHCP which in most cases is used when you wouldn't have routable address space.

"Though I am not sure what limitations this will impose on my system with regards to the number of hosts that can start connections through this IP Pool."

You could change the pool to

global (outside) 1 192.168.2.14-192.168.2.252 netmask 255.255.255.0

then add a single pat entry

global (outside) 1 192.168.2.253

This will allow the range to be used and then when full the PAT entry to be used for additional connections.
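
Added example, not part of either poster's reply: a Python script that reads PIX 7.x `global` and `nat` lines and reports, per NAT ID, how many addresses the dynamic NAT ranges hold (each one serves a single inside host at a time), whether a PAT entry exists for overflow, and which `nat` IDs have no `global` to translate to. The function names and the sample config are constructed for this illustration.

```python
import ipaddress
import re

GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) ")

def nat_capacity(config_text):
    """Return {nat_id: {"pool": range size, "pat": bool, "nat_ifs": [ifnames]}}."""
    summary = {}
    def entry(nat_id):
        return summary.setdefault(int(nat_id), {"pool": 0, "pat": False, "nat_ifs": []})
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := GLOBAL_RE.match(line):
            _ifname, nat_id, mapped = m.groups()
            first, _, last = mapped.partition("-")
            if not last:
                # Single address (or the keyword "interface"): PAT, shared by many hosts.
                entry(nat_id)["pat"] = True
            else:
                lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
                if hi < lo:
                    raise ValueError(f"reversed range: {line}")
                # Dynamic NAT: one mapped address per inside host, inclusive range.
                entry(nat_id)["pool"] += int(hi) - int(lo) + 1
        elif m := NAT_RE.match(line):
            entry(m.group(2))["nat_ifs"].append(m.group(1))
    return summary

def unmatched_nat_ids(summary):
    """NAT IDs with a nat statement but no global (ID 0 is identity NAT, needs none)."""
    return sorted(i for i, e in summary.items()
                  if i != 0 and e["nat_ifs"] and not e["pool"] and not e["pat"])

# Constructed sample: the two global lines suggested in the thread, a matching
# nat statement, and a nat ID with no global to exercise the second check.
SAMPLE = """\
global (outside) 1 192.168.2.14-192.168.2.252 netmask 255.255.255.0
global (outside) 1 192.168.2.253
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 101 0.0.0.0 0.0.0.0
"""

if __name__ == "__main__":
    s = nat_capacity(SAMPLE)
    print(s)
    print("nat IDs without a global:", unmatched_nat_ids(s))
```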

 
Thanks for the tip. Will try it out. Just for the record, how many hosts would be able to start connections through the pool I configured?
 