
newbie alert: swapping firewall stops traffic


Dyehouse1

MIS
Sep 24, 2002
43
GB
Just swapped out an older Unix-style firewall for a PIX 515 and, having plugged it into our 1601 router, we can't get anything to go out or come in from the internet. I know it's not the firewall because I can ping the router fine and get a reply, but pinging out further onto the internet nothing comes back. Anyone seen this before?

BTW: All the IPs on the firewall etc. are the same, so the routes should just work, shouldn't they?
 
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10

names
name 192.168.1.4 name 192.168.1.3 ftp.test.com
name 192.168.1.2 support.test.com
name 192.168.1.6 is3.test.com
name xxx.xxx.xxx.0 PAS_IP_Group
name 10.0.0.0 Internal_Network
name 10.3.3.13 PRO
name xxx.xxx.xxx.18 EXT
name 10.250.250.250 Bills_PC
name 10.99.99.7 Exchange
name 10.99.99.3 RAS_Server

access-list 50 permit tcp any host EXT eq 1723
access-list 50 permit tcp any host EXT eq smtp
access-list 50 permit tcp any host EXT eq 443
access-list 50 permit tcp any host xxx.xxx.xxx.19 eq ftp
access-list 50 permit tcp any host EXT eq pop3
access-list 50 permit tcp any host EXT eq 143
access-list 50 permit tcp any host xxx.xxx.xxx.20 eq www
access-list 50 permit tcp any host xxx.xxx.xxx.22 eq www
access-list 50 permit tcp any host xxx.xxx.xxx.22 eq 98
access-list 50 permit icmp any any

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto

mtu outside 1500
mtu inside 1500
mtu DMZ 1500

ip address outside EXT 255.255.255.0
ip address inside 10.99.99.13 255.0.0.0
ip address DMZ 192.168.0.13 255.255.0.0
ip audit info action alarm
ip audit attack action alarm

pdm location support.test.com 255.255.255.255 DMZ
pdm location ftp.test.com 255.255.255.255 DMZ
pdm location 255.255.255.255 DMZ
pdm location editor.test.com 255.255.255.255 DMZ
pdm location is3.test.com 255.255.255.255 DMZ
pdm location PRO 255.255.255.255 inside
pdm location Bills_PC 255.255.255.255 inside
pdm location EXT 255.255.255.255 outside
pdm location RAS_Server 255.255.255.255 inside
pdm location Exchange 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 DMZ
pdm history enable

arp timeout 14400
global (outside) 1 xxx.xxx.xxx.19-xxx.xxx.xxx.22 netmask 255.255.255.240
global (outside) 1 xxx.xxx.xxx.30
global (DMZ) 1 192.168.0.250-192.168.0.255 netmask 255.255.0.0
nat (inside) 1 Internal_Network 255.0.0.0 0 0
nat (DMZ) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) tcp EXT smtp Exchange smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp EXT 1723 RAS_Server 1723 netmask 255.255.255.255 0 0
static (inside,outside) tcp EXT pop3 Exchange pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp EXT 143 Exchange 143 netmask 255.255.255.255 0 0
static (inside,outside) tcp EXT 433 Exchange 433 netmask 255.255.255.255 0 0
static (DMZ,outside) tcp xxx.xxx.xxx.19 ftp ftp.test.com ftp netmask 255.255.255.255 0 0
static (DMZ,outside) tcp xxx.xxx.xxx.20 255.255.255.255 0 0
static (DMZ,outside) tcp xxx.xxx.xxx.22 255.255.255.255 0 0

access-group 50 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:15:00 absolute uauth 0:05:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http Internal_Network 255.0.0.0 inside
http Bills_PC 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside Bills_PC /PIX
floodguard enable
no sysopt route dnat
telnet Bills_PC 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80

I didn't know which bits you didn't need, so it's all there except the IP addresses.
xxx.xxx.xxx.17 = router
xxx.xxx.xxx.18 = ext on firewall

many thanks
 
global (outside) 1 xxx.xxx.xxx.19-xxx.xxx.xxx.22 netmask 255.255.255.240
---> only use a single IP address like "global (outside) 1 xxx.xxx.xxx.19". This allows PAT. If you use a range of 4, only 4 machines can hit the web. The way you have it set will only do NAT.

Next, If you replaced the old firewall with a PIX, the external router is still looking for the old firewall. Fix this by either "clear ip arp" on the external router, or just rebooting it (assuming the config is saved).

hope this helps,
-gbiello
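A small checker, added here as an illustration and not part of the thread or of any Cisco tool, that walks a constructed subset of the config posted above and reports the two things a reviewer of this thread would look for: a global pool written as a range (NAT only, capacity limited to the number of addresses, as gbiello points out) and access-list/static pairs that do not line up (the posted config permits EXT port 443 but the static translates port 433). The port-name table and the function names are assumptions for this example.

```python
# Constructed sample: a subset of the PIX 6.1 config posted in the thread,
# with the same xxx.xxx.xxx placeholders the poster used.
CONFIG = """
access-list 50 permit tcp any host EXT eq smtp
access-list 50 permit tcp any host EXT eq 443
access-list 50 permit tcp any host xxx.xxx.xxx.19 eq ftp
global (outside) 1 xxx.xxx.xxx.19-xxx.xxx.xxx.22 netmask 255.255.255.240
global (outside) 1 xxx.xxx.xxx.30
static (inside,outside) tcp EXT smtp Exchange smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp EXT 433 Exchange 433 netmask 255.255.255.255 0 0
static (DMZ,outside) tcp xxx.xxx.xxx.19 ftp ftp.test.com ftp netmask 255.255.255.255 0 0
"""

# Assumed mapping of the PIX service keywords used in the sample to port numbers.
PORT_NAMES = {"smtp": "25", "www": "80", "ftp": "21", "pop3": "110", "https": "443"}

def canon(port):
    """Normalise a service keyword or numeric port to a numeric string."""
    return PORT_NAMES.get(port, port)

def last_octet(addr):
    """Last dotted-quad octet; enough to size a range inside one /28 as in the sample."""
    return int(addr.rsplit(".", 1)[1])

def analyse(cfg):
    """Return a list of findings about global pools and ACL/static consistency."""
    acl, statics, findings = set(), set(), []
    for line in cfg.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "access-list" and "host" in f and "eq" in f:
            # (outside host, port) the ACL lets in from the outside
            acl.add((f[f.index("host") + 1], canon(f[f.index("eq") + 1])))
        elif f[0] == "static" and f[2] == "tcp":
            # (outside host, port) that a port static actually translates
            statics.add((f[3], canon(f[4])))
        elif f[0] == "global" and "-" in f[3]:
            lo, hi = f[3].split("-")
            n = last_octet(hi) - last_octet(lo) + 1
            findings.append(f"global pool {f[3]} is a range of {n} addresses: "
                            f"NAT only, at most {n} concurrent hosts")
    for host, port in sorted(acl - statics):
        findings.append(f"ACL permits {host}:{port} but no static translates it")
    for host, port in sorted(statics - acl):
        findings.append(f"static for {host}:{port} has no ACL permit (unreachable from outside)")
    return findings

if __name__ == "__main__":
    for finding in analyse(CONFIG):
        print(finding)
```

The stale ARP entry on the router that gbiello mentions next cannot be seen in the PIX config at all; it only shows up on the router side (the old firewall's MAC still cached against the shared IP).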
 
OK, I can see what you are saying about the config being wrong, but surely I would be able to get something back even if only 4 clients were allowed to connect, bearing in mind me and the mail server were the only ones connecting?
 
...not if you haven't cleared the Internet router's ARP cache or rebooted it. ;-)
 