New PIX 515E no info passing anywhere

Status
Not open for further replies.

dam9178

Programmer
Dec 19, 2003
12
US
Brilliant People Please Help.

My boss has asked me to set up a PIX515E. I have never seen one before. I think I have read possibly everything there is to read and just cannot figure out what to do.

My setup is as basic as possible. My computer on the inside of the firewall and the network on the outside.
I am just trying to access ANYTHING through the firewall. I can't see the network (IPs 147.58.31.2-147.58.31.254), the web IP 147.58.31.1 and the DNS server on 147.58.25.5.

I can see everything through pings but I cannot get any information to pass in either direction.


PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list ping permit icmp any any
pager lines 24
icmp permit any outside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 147.58.31.4 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location 10.10.10.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group ping in interface outside
route outside 0.0.0.0 0.0.0.0 147.58.31.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.10.10.1 cdisk
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:fefc4d657aaf2670de0537ea8b2400d4
: end
[OK]
 
"Are my interfaces up?" I assume that you are referring to the firewall interfaces. If they were down (or not up), wouldn't the only two interfaces that I am using have 'shutdown' beside them?

i.e. interface ethernet1 100full
interface ethernet2 auto shutdown

Would the pings work if the interfaces were not up?


 
ethernet 0 should be the outside interface, and ethernet 1 should be inside. They should both be up. The other interfaces would be used for dmzs or failover.
 
That's how it is set up. I just can't see anything from the inside besides ping responses. What am I missing? I just can't figure this thing out!?!
 
Try running


debug icmp enable

This will show a load of info if you plug a laptop or something into to the console.

Also check to see if the interfaces are up by running


sh int

You also have no static (inside,outside) routes enabled.






 
O-kay, here is what I have. The outside (ethernet0) and inside (ethernet1) interfaces are up.

I have used the ICMP debug stuff and pinged around to see if I have connectivity. Here is what I have:

one computer on inside of firewall interface (10.10.10.10)
inside firewall interface (10.10.10.1)
outside firewall interface (147.58.31.4)
outside network connected to outside of firewall, i.e. main servers (147.58.31.53, 147.58.31.35), internet connection (147.58.31.1), webpage (147.58.31.15)


When I ping around I get good connections as you can see below (responses from console of firewall):


from inside computer (10.10.10.10) to firewall inside ethernet1 (10.10.10.1)---
pixfirewall(config)# 34: ICMP type 240 (code 146) 10.10.10.10 > 10.10.10.1
35: ICMP echo reply (len 32 id 2 seq 20480) 10.10.10.1 > 10.10.10.10
36: ICMP type 240 (code 146) 10.10.10.10 > 10.10.10.1
37: ICMP echo reply (len 32 id 2 seq 20736) 10.10.10.1 > 10.10.10.10
38: ICMP type 240 (code 146) 10.10.10.10 > 10.10.10.1
39: ICMP echo reply (len 32 id 2 seq 20992) 10.10.10.1 > 10.10.10.10
40: ICMP type 240 (code 146) 10.10.10.10 > 10.10.10.1
41: ICMP echo reply (len 32 id 2 seq 21248) 10.10.10.1 > 10.10.10.10



from firewall inside interface (10.10.10.1) to inside computer on ethernet1 (10.10.10.1)-----
pixfirewall(config)# 34: ICMP type 240 (code 146) 10.10.10.10 > 10.10.10.1
35: ICMP echo reply (len 32 id 2 seq 20480) 10.10.10.1 > 10.10.10.10
36: ICMP type 240 (code 146) 10.10.10.10 > 10.10.10.1
37: ICMP echo reply (len 32 id 2 seq 20736) 10.10.10.1 > 10.10.10.10
38: ICMP type 240 (code 146) 10.10.10.10 > 10.10.10.1
39: ICMP echo reply (len 32 id 2 seq 20992) 10.10.10.1 > 10.10.10.10
40: ICMP type 240 (code 146) 10.10.10.10 > 10.10.10.1
41: ICMP echo reply (len 32 id 2 seq 21248) 10.10.10.1 > 10.10.10.10
ping 10.10.10.10
42: ICMP type 240 (code 146) 10.10.10.10 > 10.10.10.1
10.10.10.10 response received -- 0ms
43: ICMP type 240 (code 146) 10.10.10.10 > 10.10.10.1
10.10.10.10 response received -- 0ms
44: ICMP type 240 (code 146) 10.10.10.10 > 10.10.10.1
10.10.10.10 response received -- 0ms



from outside servers (147.58.31.53, 147.58.31.35) to outside ethernet0 (147.58.31.4)-------

pixfirewall(config)# 61: ICMP type 184 (code 15) 147.58.31.35 > 147.58.31.4
62: ICMP echo reply (len 32 id 2 seq 26368) 147.58.31.4 > 147.58.31.35
63: ICMP type 184 (code 15) 147.58.31.35 > 147.58.31.4
64: ICMP echo reply (len 32 id 2 seq 26624) 147.58.31.4 > 147.58.31.35
65: ICMP type 184 (code 15) 147.58.31.35 > 147.58.31.4
66: ICMP echo reply (len 32 id 2 seq 26880) 147.58.31.4 > 147.58.31.35
67: ICMP type 184 (code 15) 147.58.31.35 > 147.58.31.4
68: ICMP echo reply (len 32 id 2 seq 27136) 147.58.31.4 > 147.58.31.35

pixfirewall(config)# 69: ICMP type 184 (code 15) 147.58.31.53 > 147.58.31.4
70: ICMP echo reply (len 32 id 2 seq 2560) 147.58.31.4 > 147.58.31.53
71: ICMP type 184 (code 15) 147.58.31.53 > 147.58.31.4
72: ICMP echo reply (len 32 id 2 seq 2816) 147.58.31.4 > 147.58.31.53
73: ICMP type 184 (code 15) 147.58.31.53 > 147.58.31.4
74: ICMP echo reply (len 32 id 2 seq 3072) 147.58.31.4 > 147.58.31.53
75: ICMP type 184 (code 15) 147.58.31.53 > 147.58.31.4
76: ICMP echo reply (len 32 id 2 seq 3328) 147.58.31.4 > 147.58.31.53




and finally from outside ethernet0 (147.58.31.4) to servers (147.58.31.35, 147.58.31.53), webpage (147.58.31.15) and internet connection (147.58.31.1)-----
pixfirewall(config)# ping 147.58.31.35
95: ICMP type 184 (code 15) 147.58.31.35 > 147.58.31.4
147.58.31.35 response received -- 0ms
96: ICMP type 184 (code 15) 147.58.31.35 > 147.58.31.4
147.58.31.35 response received -- 0ms
97: ICMP type 184 (code 15) 147.58.31.35 > 147.58.31.4
147.58.31.35 response received -- 0ms
pixfirewall(config)#
pixfirewall(config)#
pixfirewall(config)# ping 147.58.31.53
98: ICMP type 184 (code 15) 147.58.31.53 > 147.58.31.4
147.58.31.53 response received -- 0ms
99: ICMP type 184 (code 15) 147.58.31.53 > 147.58.31.4
147.58.31.53 response received -- 0ms
100: ICMP type 184 (code 15) 147.58.31.53 > 147.58.31.4
147.58.31.53 response received -- 0ms
pixfirewall(config)#
pixfirewall(config)#
pixfirewall(config)#pixfirewall(config)# ping 147.58.31.15
101: ICMP type 184 (code 15) 147.58.31.15 > 147.58.31.4
147.58.31.15 response received -- 0ms
102: ICMP type 184 (code 15) 147.58.31.15 > 147.58.31.4
147.58.31.15 response received -- 0ms
103: ICMP type 184 (code 15) 147.58.31.15 > 147.58.31.4
147.58.31.15 response received -- 0ms
pixfirewall(config)#
pixfirewall(config)#
pixfirewall(config)# ping 147.58.31.1
104: ICMP type 184 (code 15) 147.58.31.1 > 147.58.31.4
147.58.31.1 response received -- 0ms
105: ICMP type 184 (code 15) 147.58.31.1 > 147.58.31.4
147.58.31.1 response received -- 0ms
106: ICMP type 184 (code 15) 147.58.31.1 > 147.58.31.4
147.58.31.1 response received -- 0ms
pixfirewall(config)#





Since I get ping responses, this means that I have good connectivity to what I need to see (the network and internet), correct?


Now, why can I not see the internet or the servers or website from the inside (10.10.10.10) computer?

And as for the static command, isn't it for incoming traffic? Shouldn't I be able to see the network and internet from the inside without the static command?

(I still tried a variety of static commands and still couldn't get to the internet)


Why can't I see the internet from my inside (10.10.10.10) computer?????????? This thing is driving me nUTZ


 
Emmm, looks like you need to set up either an outbound statement or an access-list.
ie,
outbound 1 deny 0.0.0.0 0.0.0.0 0 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 0 udp
outbound 3 permit 164.134.161.241 255.255.255.255 53 udp
outbound 3 permit 164.134.161.241 255.255.255.255 80 tcp
outbound 3 permit 164.134.161.241 255.255.255.255 443 tcp
outbound 4 permit 164.134.163.215 255.255.255.255 80 tcp
outbound 4 permit 164.134.163.215 255.255.255.255 443 tcp
outbound 4 permit 164.134.163.215 255.255.255.255 53 udp
outbound 4 permit 164.134.163.215 255.255.255.255 21 tcp
outbound 4 permit 164.134.163.215 255.255.255.255 389 tcp
outbound 5 permit 164.134.161.8 255.255.255.255 80 tcp
outbound 5 permit 164.134.161.8 255.255.255.255 53 udp
outbound 5 permit 164.134.161.8 255.255.255.255 21 tcp
outbound 5 permit 164.134.161.8 255.255.255.255 443 tcp
outbound 5 permit 164.134.161.8 255.255.255.255 23 tcp
outbound 5 permit 164.134.161.8 255.255.255.255 8080 tcp
outbound 5 permit 164.134.161.8 255.255.255.255 25 tcp
outbound 5 permit 164.134.161.8 255.255.255.255 43 tcp
outbound 5 permit 164.134.161.8 255.255.255.255 7000 tcp
outbound 5 permit 164.134.161.8 255.255.255.255 10403 tcp
outbound 5 permit 164.134.161.8 255.255.255.255 3389 tcp

hope this helps :)
 
Please post a "show route".... Also make sure there are no hosts trying to use 147.58.31.4. It looks like there might be an IP address conflict.
 
I thought that I could gain access to the outside (network & internet) without using static or outbound. I was under the assumption that this is what nat, global & route allowed for. Do I need to use 'static' for inside to outside access?


Also, IP conflict might be right. I show the following:

pixfirewall(config)# show route
outside 0.0.0.0 0.0.0.0 147.58.31.1 1 OTHER static
inside 10.10.10.0 255.255.255.0 10.10.10.1 1 CONNECT static
outside 147.58.31.0 255.255.255.0 147.58.31.4 1 CONNECT static
pixfirewall(config)#


I tried to delete all the ones except the first one but I got the following:

pixfirewall(config)# no route outside 147.58.31.1 255.255.255.0 147.58.31.4
It is not allowed to delete directly connected routes


I have also tried to remove these routes through PDM and was unsuccessful.


 
The last was kinda stupid I guess. The last two routes are added by the PIX when I set PAT and global.
 
You don't need a static or any outbounds or ACLs to get your PIX working. It sounds like an IP address conflict to me. Hop onto your servers after you try to ping the PIX, and do an "arp -a" from a DOS prompt. Make sure the MAC address for your PIX's IP address is the correct MAC address.
 
I am intrigued by all this. What exactly is the firewall going into? Do you have like a leased line? Do you have an outside IP address (Class C).

 
Basic Layout (I think)

DoD intra/internet. We are a subsection of an Army depot. Purpose of the firewall will be to Get us more 'internal' IP addresses (we are just about out) and keep the depot out of our systems (big brother).

The public addresses that we are assigned is: 147.58.31.2-147.58.31.255. Our internet connection is on 147.58.31.1 (fiber) and is supplied through the depot.

We have 8 servers. We have a couple hundred computer ports throughout the building. Everything is patched into a Cabletron (old) gigabit switch.

The firewall is hooked up to one of those ports (outside0). And I just have a Dell Precision 650 (XP) hooked up to the inside (ethernet1) of the firewall.

My assignment was to set up the firewall so that I could see the network and the internet from my one computer, just to get the basics of the thing working.
 
For the MAC address thing, I have no idea what that is and my books tell me very little. But here is what I did and the results.

From server,
C:\WINDOWS\SYSTEM32>arp -a

Interface: 147.58.31.35 --- 0x2
Internet Address Physical Address Type
147.58.31.4 00-0d-bd-29-72-94 dynamic
147.58.31.35 00-06-5b-88-26-d0 dynamic
147.58.31.53 aa-00-04-00-19-08 dynamic
147.58.31.98 00-04-dd-97-0f-42 dynamic
147.58.31.129 00-01-e6-87-58-5f dynamic

From the firewall console I did show version
0: ethernet0: address is 000d.bd29.7294, irq 10
1: ethernet1: address is 000d.bd29.7295, irq 11
2: ethernet2: address is 0005.5d18.4894, irq 11
3: ethernet3: address is 0005.5d18.4895, irq 10
4: ethernet4: address is 0005.5d18.4896, irq 9
5: ethernet5: address is 0005.5d18.4897, irq 5

To me it looks like the server and the firewall recognize the firewall's outside physical address as being the same (if I read this right). Its IP is 147.58.31.4 and physical address is 000d.bd29.7294.

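A way to automate the MAC comparison just described, as an added example that is not from this thread or from Cisco: it parses a Windows "arp -a" table and the PIX "show version" interface lines (sample text constructed here in the shape posted above) and reports whether the MAC the server learned for the PIX's outside IP is the one the PIX itself reports for ethernet0; a mismatch is the IP conflict the earlier reply suspected.

```python
import re

# Constructed sample inputs in the shape the thread shows: a Windows
# "arp -a" table from the server and PIX "show version" interface lines.
ARP_OUTPUT = """\
Interface: 147.58.31.35 --- 0x2
  Internet Address      Physical Address      Type
  147.58.31.4           00-0d-bd-29-72-94     dynamic
  147.58.31.35          00-06-5b-88-26-d0     dynamic
  147.58.31.53          aa-00-04-00-19-08     dynamic
"""
PIX_SHOW_VERSION = """\
0: ethernet0: address is 000d.bd29.7294, irq 10
1: ethernet1: address is 000d.bd29.7295, irq 11
"""

MAC_WIN = r"[0-9a-f]{2}(?:-[0-9a-f]{2}){5}"          # 00-0d-bd-29-72-94
MAC_PIX = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"   # 000d.bd29.7294


def normalize_mac(mac):
    """Reduce either notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def parse_arp(text):
    """IP -> MAC from 'arp -a'; header lines carry no MAC and are skipped."""
    pat = re.compile(r"(\d+\.\d+\.\d+\.\d+)\s+(" + MAC_WIN + ")", re.I)
    return {m.group(1): normalize_mac(m.group(2)) for m in pat.finditer(text)}


def parse_pix_interfaces(text):
    """Interface name -> MAC from the 'show version' interface lines."""
    pat = re.compile(r"(ethernet\d+): address is (" + MAC_PIX + ")", re.I)
    return {m.group(1): normalize_mac(m.group(2)) for m in pat.finditer(text)}


def check_pix_ip(arp_text, pix_text, pix_ip, pix_iface):
    """'ok' if the host's ARP entry for pix_ip is that PIX interface's MAC,
    'conflict' if some other MAC answered for the IP, 'missing' if no entry."""
    seen = parse_arp(arp_text).get(pix_ip)
    expected = parse_pix_interfaces(pix_text)[pix_iface]
    if seen is None:
        return "missing"
    return "ok" if seen == expected else "conflict"


if __name__ == "__main__":
    print(check_pix_ip(ARP_OUTPUT, PIX_SHOW_VERSION, "147.58.31.4", "ethernet0"))
```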
 
How about my testing procedure? The way that I am testing to see if I can access the outside is a couple ways:

1) Trying to open Google or one of our websites (147.58.31.15) with internet explorer.

2) Trying to see the network through "my network places".

Is there a better way to test to see if I can access the outside?

Could it possibly be some setting on Internet Explorer?

I am amazed by all this. I KNOW Cisco is really complicated stuff. But I am also under the impression that for what I am trying to accomplish all I need is a handful of commands. But every variation that I have tried has failed.






 
You won't be able to do network browsing without a WINS server through the firewall. You may not have DNS servers assigned to your NIC card, but in any case you should be able to access your webserver by its IP address instead of its FQDN.
 
So with the configuration that I have I should be able to access the webserver?

I don't have WINS set up yet, but it will get done now (that helps a lot!!).

What is meant by "You may not have DNS servers assigned to your NIC card"? Not to sound dingy, but what is the NIC card? And how do I assign my DNS server to it?

 
NIC (Network Interface Card) is your ethernet adapter in your computer. In your TCP/IP configuration, be sure you are assigning the correct IPs.
 
I think if you are trying to access a public IP (147.x.x.x) on the internet with a private IP (10.x.x.x), the address needs to be NATted to a public IP or it won't be routed over the internet. I think you can use a
static (inside,outside) public IP private IP
or
global/nat combination of commands.
 