newbie alert: swapping firewall stops traffic

[Dyehouse1]

Just swapped out an older Unix style firewall for a PIX 515 and having plugged it into our 1601 router we can't get anything to go out or come in from the internet. I know its not the firewall because I can ping the router fine and get a reply but pinging out further onto the internet nothing comes back. Anyone seen this before?

BTW: All the IP on the firewall etc. are the same so the routes should just work shouldn't they?

 

[EduardoA]

Can you post your config???

 

[Dyehouse1]

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10

names
name 192.168.1.4

http://www.test.com

name 192.168.1.3 ftp.test.com
name 192.168.1.2 support.test.com
name 192.168.1.6 is3.test.com
name xxx.xxx.xxx.0 PAS_IP_Group
name 10.0.0.0 Internal_Network
name 10.3.3.13 PRO
name xxx.xxx.xxx.18 EXT
name 10.250.250.250 Bills_PC
name 10.99.99.7 Exchange
name 10.99.99.3 RAS_Server

access-list 50 permit tcp any host EXT eq 1723
access-list 50 permit tcp any host EXT eq smtp
access-list 50 permit tcp any host EXT eq 443
access-list 50 permit tcp any host xxx.xxx.xxx.19 eq ftp
access-list 50 permit tcp any host EXT eq pop3
access-list 50 permit tcp any host EXT eq 143
access-list 50 permit tcp any host xxx.xxx.xxx.20 eq www
access-list 50 permit tcp any host xxx.xxx.xxx.22 eq www
access-list 50 permit tcp any host xxx.xxx.xxx.22 eq 98
access-list 50 permit icmp any any

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto

mtu outside 1500
mtu inside 1500
mtu DMZ 1500

ip address outside EXT 255.255.255.0
ip address inside 10.99.99.13 255.0.0.0
ip address DMZ 192.168.0.13 255.255.0.0
ip audit info action alarm
ip audit attack action alarm

pdm location support.test.com 255.255.255.255 DMZ
pdm location ftp.test.com 255.255.255.255 DMZ
pdm location

http://www.test.com

255.255.255.255 DMZ
pdm location editor.test.com 255.255.255.255 DMZ
pdm location is3.test.com 255.255.255.255 DMZ
pdm location PRO 255.255.255.255 inside
pdm location Bills_PC 255.255.255.255 inside
pdm location EXT 255.255.255.255 outside
pdm location RAS_Server 255.255.255.255 inside
pdm location Exchange 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 DMZ
pdm history enable

arp timeout 14400
global (outside) 1 xxx.xxx.xxx.19-xxx.xxx.xxx.22 netmask 255.255.255.240
global (outside) 1 xxx.xxx.xxx.30
global (DMZ) 1 192.168.0.250-192.168.0.255 netmask 255.255.0.0
nat (inside) 1 Internal_Network 255.0.0.0 0 0
nat (DMZ) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) tcp EXT smtp Exchange smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp EXT 1723 RAS_Server 1723 netmask 255.255.255.255 0 0
static (inside,outside) tcp EXT pop3 Exchange pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp EXT 143 Exchange 143 netmask 255.255.255.255 0 0
static (inside,outside) tcp EXT 433 Exchange 433 netmask 255.255.255.255 0 0
static (DMZ,outside) tcp xxx.xxx.xxx.19 ftp ftp.test.com ftp netmask 255.255.255.255 0 0
static (DMZ,outside) tcp xxx.xxx.xxx.20

http://www support.test.com

http://www netmask

255.255.255.255 0 0
static (DMZ,outside) tcp xxx.xxx.xxx.22

http://www www.test.com

http://www netmask

255.255.255.255 0 0

access-group 50 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:15:00 absolute uauth 0:05:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http Internal_Network 255.0.0.0 inside
http Bills_PC 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside Bills_PC /PIX
floodguard enable
no sysopt route dnat
telnet Bills_PC 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80

I didnt know which bits you didnt need so its all there except the IP addresses.
xxx.xxx.xxx.17 = router
xxx.xxx.xxx.18 = ext on firewall

many thanks

 

[gbiello]

global (outside) 1 xxx.xxx.xxx.19-xxx.xxx.xxx.22 netmask 255.255.255.240
---> only use a single IP address like "global (outside) 1 xxx.xxx.xxx.19". This allows PAT. If you use a range of 4, only 4 machines can hit the web. They way you have it set will only do NAT.

Next, If you replaced the old firewall with a PIX, the external router is still looking for the old firewall. Fix this by either "clear ip arp" on the external router, or just rebooting it (assuming the config is saved).

hope this helps,
-gbiello

 

[Dyehouse1]

OK I can see what you are saying in the config being wrong but surely I would be able to get something back even if only 4 clients were allowed to connect bearing in mind me and the mail server were the only ones connecting?

 

[gbiello]

...not if you haven't cleared the Internet router's ARP cache of rebooted it. ;-)