
I am missing something simple (besides my brain)

Status
Not open for further replies.

prophet30

MIS
Jan 31, 2003
3
US
I have been asked to install two PIX firewalls in an in-line configuration. We will not be utilizing the DMZ ports in this setup.
I have the basics configured for our test environment and I am utilizing one of our unused registered domain names to do a full test.
A problem arises when I add the static command shown in the config below. Before I add the static command, the boxes inside of this "outer" firewall can browse the web and resolve DNS (this box will end up hosting our external DNS). As soon as I add this static route, all browsing stops because it can no longer resolve names.

What am I missing here?

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password kw1Ayt7qBiBRTjg. encrypted
passwd T./xm306w94bqD0A encrypted
hostname firewall1
domain-name brassrod.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.45.10 gateway
pager lines 24
logging on
logging buffered errors
logging trap notifications
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 216.76.3.173 255.255.255.224
ip address inside 192.168.45.1 255.255.255.0
ip address dmz 192.168.46.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location gateway 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 216.76.3.177-216.76.3.179
global (outside) 1 216.76.3.180
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 216.76.3.174 gateway netmask 255.255.255.255 0 0
conduit permit tcp host 216.76.3.174 eq domain any
conduit permit udp host 216.76.3.174 eq domain any
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 216.76.3.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http gateway 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community unused
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 0.0.0.0 0.0.0.0 inside
telnet gateway 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
terminal width 80
Cryptochecksum:9e927cad3edfab38229487b331625a3b

Any help would be most appreciated.
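A small sanity check over the translation lines of the config posted above, written as an added example for this thread (it is not from the original post, from Cisco, or from any PIX tooling). It parses the global, static and conduit lines, flags a static address that falls inside a dynamic pool, reports a pool id that has more than one global line, and lists any/any conduits and conduits pointed at hosts without a static. The function names parse and audit are mine; the embedded config is an excerpt of the lines posted above.

```python
import collections
import ipaddress

# Excerpt of the translation section of the PIX 6.1 config posted above
# (same addresses as in the post), embedded so the script runs stand-alone.
PIX_CONFIG = """\
name 192.168.45.10 gateway
global (outside) 1 216.76.3.177-216.76.3.179
global (outside) 1 216.76.3.180
static (inside,outside) 216.76.3.174 gateway netmask 255.255.255.255 0 0
conduit permit tcp host 216.76.3.174 eq domain any
conduit permit udp host 216.76.3.174 eq domain any
conduit permit icmp any any
"""

def parse(config):
    # returns (pools, statics, conduits); "name" entries resolve to addresses
    names, pools, statics, conduits = {}, [], [], []
    for f in (line.split() for line in config.splitlines() if line.strip()):
        if f[0] == "name":
            names[f[2]] = f[1]
        elif f[0] == "global":  # "lo-hi" is a pool, a lone address is PAT
            lo, _, hi = f[3].partition("-")
            pools.append((f[2], ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)))
        elif f[0] == "static":  # static (inside,outside) PUBLIC PRIVATE|name ...
            statics.append((ipaddress.ip_address(f[2]), names.get(f[3], f[3])))
        elif f[0] == "conduit":
            conduits.append(f)
    return pools, statics, conduits

def audit(config):
    pools, statics, conduits = parse(config)
    findings = []
    # a static address inside a dynamic pool is also handed out to other hosts
    for pub, _ in statics:
        for pool_id, lo, hi in pools:
            if lo <= pub <= hi:
                findings.append(f"static {pub} collides with global pool {pool_id}")
    # more than one global line for one pool id (the point of gbiello's reply)
    for pool_id, n in collections.Counter(p[0] for p in pools).items():
        if n > 1:
            findings.append(f"pool {pool_id} has {n} global lines")
    # conduits: any->any permits, and permits to hosts that have no static
    static_pubs = {str(pub) for pub, _ in statics}
    for f in conduits:
        if f[3] == "any" and f[-1] == "any":
            findings.append("broad conduit: " + " ".join(f))
        elif f[3] == "host" and f[4] not in static_pubs:
            findings.append(f"conduit to {f[4]}, which has no static")
    return findings
```

On the posted lines audit(PIX_CONFIG) reports the two global lines sharing pool 1 and the icmp any/any conduit; a static whose address fell inside the 177-179 pool would additionally be reported as a collision.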
 
For starters, lose the line:
global (outside) 1 216.76.3.177-216.76.3.179
The other global will handle all your NATs. The second line will limit the number of machines that can browse the web. This *may* be related to your problem.

Next, try rebooting the router outside this firewall.

Then do a "clear xlate" on the firewall, or save the config and reboot.

I'd also suggest replacing the conduits with access-lists. There are plenty of examples in this forum on how to do it.

Let us know how far that takes you.
-gbiello
 
Sorry to be nitpicky but while I agree with gbiello, I might be inclined to clear the ARP cache on the outside router rather than reboot it. Clearing the xlate would be fine but if it were a production box I'd just clear the xlate for the local address.
 