
New PIX config. Everything seems fine but no access to the internet?


ForumKid (MIS)
Dec 21, 2001
I have installed a new PIX config, 6.0(1), on a PIX 520.
My gateway is 216.91.111.161. My IP range is 216.91.111.164-174/255.255.255.240. I set up this PIX and I couldn't get from dmz1 to the outside. I set up logging quickly and it just showed the breakdown translation of addresses. There were no errors. There is only one server on the DMZ right now. It's set up like this:
ip address: 192.168.2.2
netmask: 255.255.255.0. Also tried 255.255.255.240
gw-192.168.2.200

Here is my config:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security10
hostname pixfirewall
domain-name mydomain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list acl_out permit ip any any
access-list in_out permit ip any any
access-list dmz1_out permit ip any any
pager lines 24
logging on
logging trap warnings
logging history warnings
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
ip address outside 216.91.111.164 255.255.255.0
ip address inside 192.168.1.200 255.255.255.0
ip address dmz1 192.168.2.200 255.255.255.0
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz1 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (dmz1,outside) 216.91.111.165 192.168.2.2 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group in_out in interface inside
access-group dmz1_out in interface dmz1
route outside 0.0.0.0 0.0.0.0 216.91.111.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
telnet timeout 60
ssh timeout 60
terminal width 80
 
Hi,
You need to tell the PIX how to handle translation from a higher interface (dmz) to a lower interface. You need to add a nat command for your DMZ if you wish to do NAT from the DMZ to the outside.

nat (dmz) 1 0 0

Or, you can tell it to do no translation when you go outside from the DMZ.

nat (dmz) 0 0 0

The first 0 says no translation.

You should also take a look at your access-lists as they are fairly wide open.
-Rob
 
Thanks.. I'll try the nat.. I never had to nat the DMZ before on the other PIXes that I set up.. But hope it works.. Also the ACLs are wide open just until I can make the connections. Then I'll tighten her up!

Thanks
 
Hi,

You would also want to check the subnet mask on your interface outside. I ran into some problems before when having a Class A subnet mask incorrectly configured.
 
OK..Thanks guys..One more question. Would either of these cases cause me not to be able to ping the outside interface from outside the network?

Thanks
 
Yes, and that is why you should be careful with the subnet mask. In our case since we were using a mask of 255.0.0.0 every packet coming from the same Class A as the PIX was being treated as local and the PIX was replying to them sending the data to the wire instead of the local router. Depending on the version/brand of your router this will or will not work. It worked fine for me for about 8 months until my ISP changed a router and then I lost all connectivity with this Class A address !!

Regards,
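The two points raised so far (Rob's nat requirement for the DMZ, and the outside interface mask) can be checked mechanically against the posted config. The following is an added example, not code from this thread or from Cisco: a small Python linter that parses a trimmed copy of the config above and reports interfaces with no nat entry (listing which local hosts a static still covers), access-groups whose ACL permits ip any any, and how far the configured outside mask overreaches the assigned block. The assigned block 216.91.111.160/28 is an assumption inferred from the poster's stated gateway .161 and range .164-.174 with mask 255.255.255.240.

```python
"""Added example: lint a PIX 6.x config for the issues raised in this thread.

Not code from the thread or from Cisco. Parses a trimmed copy of the posted
config and reports (1) higher-security interfaces with no nat entry, (2)
bound ACLs that permit ip any any, and (3) how far the outside mask
overreaches the ISP-assigned block (assumed here to be 216.91.111.160/28,
inferred from the poster's gateway .161 and range .164-.174/28).
"""
import ipaddress

# Trimmed copy of the config posted in the thread (only the lines the checks use).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security10
access-list acl_out permit ip any any
access-list in_out permit ip any any
access-list dmz1_out permit ip any any
ip address outside 216.91.111.164 255.255.255.0
ip address inside 192.168.1.200 255.255.255.0
ip address dmz1 192.168.2.200 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (dmz1,outside) 216.91.111.165 192.168.2.2 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group in_out in interface inside
access-group dmz1_out in interface dmz1
route outside 0.0.0.0 0.0.0.0 216.91.111.161 1
"""

ASSIGNED_OUTSIDE_BLOCK = "216.91.111.160/28"   # assumption, see module docstring


def parse_config(text):
    """Pull the handful of statement types the checks need into a dict."""
    cfg = {"security": {}, "ip": {}, "nat": set(), "static": [],
           "acl": {}, "bound": {}, "routes": []}
    for raw in text.splitlines():
        p = raw.split()
        if not p:
            continue
        if p[0] == "nameif":                      # nameif <hw> <name> security<N>
            cfg["security"][p[2]] = int(p[3].replace("security", ""))
        elif p[:2] == ["ip", "address"]:          # ip address <if> <addr> <mask>
            cfg["ip"][p[2]] = ipaddress.ip_interface(f"{p[3]}/{p[4]}")
        elif p[0] == "nat":                       # nat (<if>) <id> <addr> <mask> ...
            cfg["nat"].add(p[1].strip("()"))
        elif p[0] == "static":                    # static (<hi>,<lo>) <global> <local> ...
            hi, lo = p[1].strip("()").split(",")
            cfg["static"].append((hi, lo, p[2], p[3]))
        elif p[0] == "access-list":               # access-list <name> <rule...>
            cfg["acl"].setdefault(p[1], []).append(" ".join(p[2:]))
        elif p[0] == "access-group":              # access-group <acl> in interface <if>
            cfg["bound"][p[4]] = p[1]
        elif p[0] == "route":                     # route <if> <net> <mask> <gw> [metric]
            net = ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False)
            cfg["routes"].append((p[1], net, ipaddress.ip_address(p[4])))
    return cfg


def interfaces_without_nat(cfg):
    """Interfaces above the lowest security level that have no nat (if) line.

    Returns {interface: [local addresses that a static still covers]}; any
    other host on that interface has no translation toward the outside.
    """
    lowest = min(cfg["security"].values())
    report = {}
    for name, level in cfg["security"].items():
        if level > lowest and name not in cfg["nat"]:
            report[name] = sorted(local for hi, _, _, local in cfg["static"] if hi == name)
    return report


def wide_open_acls(cfg):
    """(interface, acl) pairs whose bound ACL contains 'permit ip any any'."""
    return sorted((ifn, acl) for ifn, acl in cfg["bound"].items()
                  if "permit ip any any" in cfg["acl"].get(acl, []))


def mask_scope(cfg, ifname, assigned_block):
    """Compare the interface's configured subnet with the block actually assigned.

    Every address the mask marks as on-link but that lies outside the assigned
    block will be ARPed for on the wire instead of forwarded to the gateway,
    which is the failure mode described in the thread.
    """
    onlink = cfg["ip"][ifname].network
    assigned = ipaddress.ip_network(assigned_block)
    default_gw = next((gw for _, net, gw in cfg["routes"] if net.prefixlen == 0), None)
    overclaimed = (onlink.num_addresses - assigned.num_addresses
                   if assigned.subnet_of(onlink) else 0)
    return {
        "configured": str(onlink),
        "assigned": str(assigned),
        "overclaimed": overclaimed,                      # addresses wrongly treated as local
        "gateway_onlink": default_gw is not None and default_gw in onlink,
    }


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("interfaces without nat:", interfaces_without_nat(cfg))
    print("wide-open access-groups:", wide_open_acls(cfg))
    print("outside mask check:", mask_scope(cfg, "outside", ASSIGNED_OUTSIDE_BLOCK))
```

Run as-is it reports dmz1 as the only higher-security interface with no nat line (with 192.168.2.2 covered by its static), all three access-groups as permit ip any any, and the outside interface claiming a /24 (240 addresses more than the assigned /28) while the default gateway does sit inside that range. The static mapping explains why translations for .165 are built in the poster's syslog even without a nat line; the mask figure is the quantity the previous reply warns about.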
 
Well, I'm afraid to say it, but it didn't work.

I tried pinging yahoo.com from the server on the DMZ, which is:
public ip: 216.91.111.165
private: 192.168.2.2
netmask: 255.255.255.240

I'm getting deny messages on my ACL for outside, so I know it's on the internet... Just cannot access it.

Any ideas?

These are the syslog messages:
47 laddr 192.168.2.2/1047
302006: Teardown UDP connection for faddr 209.144.50.125/14 gaddr 216.91.111.165/1047 laddr 192.168.2.2/1047
302005: Built UDP connection for faddr 209.144.50.125/14 gaddr 216.91.111.165/1047 laddr 192.168.2.2/1047
302006: Teardown UDP connection for faddr 209.144.50.125/13 gaddr 216.91.111.165/1046 laddr 192.168.2.2/1046
302006: Teardown UDP connection for faddr 209.144.50.118/14 gaddr 216.91.111.165/1047 laddr 192.168.2.2/1047
302005: Built UDP connection for faddr 209.144.50.118/14 gaddr 216.91.111.165/1047 laddr 192.168.2.2/1047
302006: Teardown UDP connection for faddr 209.144.50.125/14 gaddr 216.91.111.165/1047 laddr 192.168.2.2/1047
302005: Built UDP connection for faddr 209.144.50.125/14 gaddr 216.91.111.165/1047 laddr 192.168.2.2/1047
302006: Teardown UDP connection for faddr 209.144.50.118/13 gaddr 216.91.111.165/1046 laddr 192.168.2.2/1046
 
This is my arp and xlate, if it might help:
pixfirewall(config)# show arp
outside 216.91.111.162 0004.1104.c480
outside 216.91.111.166 0003.ba14.bda1
outside 216.91.111.165 0003.ba14.b683
pixfirewall(config)# show x
7 in use, 8 most used
Global 216.91.111.172 Local 192.168.2.9 static
Global 216.91.111.169 Local 192.168.2.6 static
Global 216.91.111.168 Local 192.168.2.5 static
Global 216.91.111.171 Local 192.168.2.8 static
Global 216.91.111.170 Local 192.168.2.7 static
Global 216.91.111.165 Local 192.168.2.2 static
Global 216.91.111.167 Local 192.168.2.3 static
pixfirewall(config)#
 
I believe that all you are missing is the route statements. Try adding...

route inside 192.168.1.0 255.255.255.0
route dmz 192.168.2.0 255.255.255.0

Since the connections are going through everything is setup fine, however the packets are being dropped because the PIX doesn't know what to do with them when they return.
 
Hello,

Thanks for the replies.. I will try the route commands, although this is only the 2nd PIX I have set up. The first one didn't have the route statements for the DMZ and it works great.

Otherwise the physical cabling is like this:
Cable from the router comes to the outside interface. We are not currently using the inside interface. There is a cable plugged into the DMZ (3rd interface) and it goes to a switch. All the servers on the DMZ are also plugged into the switch. The static mappings tell the connection where to go. I'm lost. I think this should work. Works fine without the PIX in the picture..
 
Hi.

> ... All the servers on the dmz are also plugged into the switch ...
That's OK. Just to be sure: the servers connect to the switch only with a single NIC, right?

> WOrks fine without the pix in the picture
When you switch from direct connection without the pix, to a network with the pix in the middle, you should also reboot the routers to clear ARP cache, and not only change ip addressing.
You should also check the router configuration, and make sure that the router does not have any NAT configuration.
Check also ip addressing and routing on the router.


Yizhar Hurwitz
 
Hello,

Thanks so much for the advice. The router WAS NOT rebooted. I'll try it out. Also, the servers connect with only a single NIC. This stuff is in a datacenter and they handle the router. I'll make sure there is no NAT configuration on the router.

Thanks.. I'll be trying this this evening.
 