No Traffic Through Pix - Can ping Router to Pix and Visa Versa

Status
Not open for further replies.

DKMOORE

Technical User
Apr 19, 2002
26
US
I am a newbie...just finished CCNA, and I was tasked to install a PIX 515. Reading basic setup sounds simple enough.
I created interface addresses, created a NAT table, and stripped almost everything from the router except IP addresses at interfaces. No NAT on router, etc.
I can ping the router's internal and external interfaces with the PIX...I can ping the PIX external from the router...But I can't get any traffic through the PIX, and I can't ping the ISP router from the PIX. I can ping the ISP router from our router.
What's up? I know it could be a lot of things, but I'm not running any ACL or anything complicated yet, so I'm looking for something obvious that someone with more experience might suggest.
Thanks in advance...
 
Pix Config -
Building configuration...
: Saved
:
PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password NC1KgWaSUzBT8QU2 encrypted
passwd NC1KgWaSUzBT8QU2 encrypted
hostname PIX515
domain-name svc.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no names
name 172.16.20.0 Eton_Building
pager lines 24
logging on
logging timestamp
logging trap informational
logging history informational
logging host inside 172.16.10.251 6/1470
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 172.16.2.1 255.255.255.0
ip address inside 172.16.10.8 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm location 172.16.10.251 255.255.255.255 inside
pdm location 172.16.20.0 255.255.255.0 outside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 ***.101.47.11-216.101.47.13
global (outside) 1 ***.101.47.14
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 ***.102.185.1 1
route outside 172.16.20.0 255.255.255.0 172.16.20.1 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 172.16.10.251 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 172.16.10.10 255.255.255.255 inside
telnet 172.16.10.251 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:76565f0d80c54f18f1839156874906fd
: end
[OK]

Router Config -
Current configuration : 2816 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CHATSWORTH-1
!
logging buffered 4096 debugging
enable password ***********
!
no ip subnet-zero
no ip domain-lookup
ip name-server ***.13.28.11
ip name-server ***.13.29.12
ip name-server ***.13.30.12
!
!
!
!
interface FastEthernet0
description connected to Deering
ip address 172.16.2.1 255.255.255.0
speed auto
!
interface Serial0
no ip address
encapsulation frame-relay
service-module t1 timeslots 1-6
!
interface Serial0.1 point-to-point
ip address ***.***.185.22 255.255.255.0
frame-relay interface-dlci 17
!
interface Serial0.3 point-to-point
description connected to Cisco1601
ip address 172.16.1.5 255.255.255.252
ip helper-address 172.16.10.10
frame-relay interface-dlci 18
!
router eigrp 100
network 172.16.0.0
no auto-summary
no eigrp log-neighbor-changes
!
ip route 0.0.0.0 0.0.0.0 ***.102.185.1
ip route 172.16.20.0 255.255.255.0 172.16.1.4
ip http server
!
!
!
line con 0
exec-timeout 0 0
password **********
logging synchronous
login
flowcontrol hardware
line aux 0
line vty 0 4
session-timeout 30
password **********
login
!
end

Another newbie question -
Does the outside ip address on the PIX have to be public?
Hope you can help....
 
Here's what I can see:
1. You have the same IP address on both the external router-f0 and the PIX-outside. Try changing the PIX-outside to 172.16.2.2.
2. You have no route from the external router to the network inside the PIX. On the router, add 'ip route 172.16.10.0 255.255.255.0 172.16.2.2'.
3. Judging from the route to the .20 network on the router, the IP on the other end of s0.3 is 172.16.1.4. This is not a proper IP address given the subnet mask. The IP on the other side of s0.3 should be 172.16.1.6 with a mask of 255.255.255.252, and the route statement on the router should be changed accordingly to 'ip route 172.16.20.0 255.255.255.0 172.16.1.6'.

hope this helps,
-gbiello
 
Thanks for the input...the IP address problem was just a typo...but I did not have the route on the router to the PIX. I will fix the route on s0.3.
Do you see any reason why I can't ping from the PIX to the ISP's router? As mentioned, I can ping the ISP router from the router, just not from the PIX.
Also, all hosts on the inside of the PIX are not able to pass HTTP traffic, etc.
No ACL, so what other than incorrect routes would cause this?
Thanks ...
 
On the PIX
route outside 0.0.0.0 0.0.0.0 ***.102.185.1 1
should be
route outside 0.0.0.0 0.0.0.0 172.16.2.1 1
to point to the f0 interface on the router.

You also have your public/private boundary on the router. Ideally this should be the PIX, but it isn't. Since you're not doing NAT on the PIX, your PIX's nat/global should use '0', not '1'

like this: nat (inside) 0 0.0.0.0 0.0.0.0 0 0
I don't think you need the global statements in this case.

-gbiello
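A small sanity check, added here as an example and not code from either poster, that flags the three routing faults gbiello pointed out in this thread: the same address on the PIX outside and the router's f0, a PIX default gateway that is not on a directly connected PIX subnet, and a router with no route back to the PIX inside network. The embedded configs are constructed abridgements of the ones posted; 203.0.113.1 is a placeholder for the masked ISP gateway, and the function names are mine.

```python
import ipaddress
import re
# Constructed, abridged from the configs posted in the thread (before the fixes).
# 203.0.113.1 is a placeholder for the masked ISP gateway (***.102.185.1).
PIX_CFG = """
ip address outside 172.16.2.1 255.255.255.0
ip address inside 172.16.10.8 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""
ROUTER_CFG = """
interface FastEthernet0
 ip address 172.16.2.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 172.16.20.0 255.255.255.0 172.16.1.4
"""

def pix_interfaces(cfg):
    """{name: IPv4Interface} from PIX 'ip address <if> <ip> <mask>' lines."""
    return {n: ipaddress.IPv4Interface(f"{ip}/{mask}") for n, ip, mask
            in re.findall(r"^ip address (\S+) (\S+) (\S+)", cfg, re.M)}
def pix_default_gateway(cfg):
    m = re.search(r"^route \S+ 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M)
    return ipaddress.IPv4Address(m.group(1)) if m else None
def router_interfaces(cfg):
    """IOS puts 'ip address <ip> <mask>' indented under each interface."""
    return [ipaddress.IPv4Interface(f"{ip}/{mask}") for ip, mask
            in re.findall(r"^[ \t]+ip address (\S+) (\S+)", cfg, re.M)]

def router_static_routes(cfg):
    return [ipaddress.IPv4Network(f"{n}/{m}") for n, m, _
            in re.findall(r"^ip route (\S+) (\S+) (\S+)", cfg, re.M)]

def check(pix_cfg, router_cfg):
    """Return the routing faults found, one short string each."""
    problems = []
    pix, rtr = pix_interfaces(pix_cfg), router_interfaces(router_cfg)
    # 1. the same address on a PIX interface and on a router interface
    for name, iface in pix.items():
        if any(iface.ip == r.ip for r in rtr):
            problems.append(f"duplicate address {iface.ip} on PIX {name} and router")
    # 2. the PIX default-route next hop must be on a directly connected PIX subnet
    gw = pix_default_gateway(pix_cfg)
    if gw is not None and not any(gw in i.network for i in pix.values()):
        problems.append(f"PIX default gateway {gw} is not on a connected subnet")
    # 3. the router needs a non-default route (static or connected) back to inside
    inside = pix["inside"].network
    known = router_static_routes(router_cfg) + [r.network for r in rtr]
    if not any(inside.subnet_of(n) for n in known if n.prefixlen > 0):
        problems.append(f"router has no route to PIX inside network {inside}")
    return problems
```

Applying gbiello's three changes (PIX outside 172.16.2.2, PIX default route via 172.16.2.1, router route to 172.16.10.0/24 via 172.16.2.2) makes `check()` return an empty list.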
 
Thanks...that was one of my follow-up questions, should the PIX outside be a public address. I will change it and the router to use public addresses.

It was my intention to use NAT on the pix...

The Nat/Global statements are:
global (outside) 1 ***.101.47.11-***.101.47.13
global (outside) 1 ***.101.47.14
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Is this not correct?

Thanks again for all your help...
 
Don't do this. If the network works with the changes we've already discussed, let's leave it as is. The idea is to put the entire private network inside the firewall. This would require another router, one with 2 ethernet interfaces. This would require a bit more re-engineering.
-gbiello
 
Then I need to use NAT on the router?

I don't understand why I can't use NAT on the PIX.
Can't I just use the PIX as the gateway for my internal hosts, then route through the PIX to the router and allow all traffic through the router?

Isn't this the common practice?
 
If you wish to you can. I'm just suggesting you've done a lot of work in one direction so why change horses in mid-stream?
 