Tek-Tips Forums

PIX 506E configuration help


NeedPIXhelp (IS-IT--Management), Mar 12, 2003, US
Please help. I cannot get my inside network to talk to anything on the outside.

Here is my configuration:
outside is, let's say, 65.65.65.219
inside is 192.168.0.251
inside hosts are 192.168.0.1-192.168.0.200
my gateway is 65.65.65.217

I am trying to talk to the internet with the bare minimum setup but I cannot talk to anyone.

Please help
 
Also, I have a Cisco 1720 router that my ISP set up. Is this my gateway? I previously had a Linksys router acting as a NAT firewall. I had this running fine on the same IP as the PIX, but I cannot seem to get the PIX to allow anything outside.
 
The default gateway on the PC should be the internal interface on the router/firewall. The DNS server settings should be the ISP DNS servers.
 
I have my Windows box set up with the gateway being 192.168.0.251 and the DNS server IPs being the ones my ISP gave me, yet I still cannot connect to the internet. My understanding of the PIX is that by default the inside interface is automatically allowed access to the outside interface (internet). Is this correct? Also, should I not be able to ping my gateway at .217? I think I am going to clear the entire thing and start over because it is not making sense. Any help would still be appreciated if there is something I may be missing.

Also, if I only have one static IP from my ISP, say 65.65.65.219, then should this be my outside interface's IP address? And how do I set up NAT with just one static IP for the address pool? Can I only set up PAT?

Thanks for the help in advance.
 
Firstly you need to configure the outside interface with the IP address your ISP has given you - 65.65.65.219. Then you need to set up a default route on the PIX.

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
For xxx.xxx.xxx.xxx you need to put the IP address of your ISP router.

Now you need to set up PAT so your internal clients can get onto the internet.

global (outside) 1 65.65.65.219
nat (inside) 1 0.0.0.0 0.0.0.0

This will allow any client on the inside network to go out through the firewall on the IP address your ISP has assigned you.

This is basically all you need, but I would recommend looking on the Cisco site as they have plenty of example configurations that will help you.

Regards,
Stephen
 
Stephen, thanks for the help! I reset the entire PIX and started over. Once I was able to do this, things began to fall into place. However, when I attempted to set up the global command like you wrote, it would not take it. It gave me the error
'Start and end addresses overlap with outside interface address'
This is the same problem I was having before. Luckily I have two static IPs. 65.65.65.220 is set to my outside interface, and 65.65.65.219 is how I set my global command.
This will give me my internet access, but what if I need to forward ports, and what if I attempt to scan my ports? I will not receive an accurate scan since the port scan will be on the wrong IP. Does this make sense?

Any ideas on why it will not accept .220 as both my global and my outside interface address, or what I can do to correct this?

Thanks in advance for your help.

One more issue. I also want to set up port forwarding for my terminal server at 192.168.0.2; however, when I attempt to set it up I get this
static (inside, outside) tcp interface 192.168.0.2 3389
I receive the error message
invalid global port 192.168.0.2

What am I doing wrong?
 
OK, let me give you my config and then see why I cannot get outside users to connect to my terminal server.

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password YcR1BrZl82/aPsGE encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
domain-name xxxxxxxxxx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 10full
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 65.65.65.220 255.255.255.248
ip address inside 192.168.0.251 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.2 255.255.255.255 inside
pdm location 65.65.65.220 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 65.65.65.219
global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.0.1 65.65.65.220 netmask 255.255.255.255 0 0
conduit permit tcp host 192.168.0.1 eq 3389 any
route outside 0.0.0.0 0.0.0.0 65.65.65.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.0.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:89ed21ea99c5d059e8ba4f2b8a2e9e73

Yet I cannot get outside users access to my terminal server.
I have created the static and the conduit to allow the forwarding to the server on port 3389, yet something is not happening. I set up the info just like the above Cisco link stated.

Thanks again,
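As an added example (mine, not from the thread or from Cisco), here is a small Python lint over the NAT-related lines of the config posted above. It flags the three things this thread runs into: a global pool that reuses the outside interface address (the "overlap" error from the earlier post), a static whose mapped and real addresses are in the wrong order (PIX 6.x takes the mapped address first), and a conduit that names the inside host instead of the mapped outside address. The FIXED string is an assumed corrected layout, not the poster's final config.

```python
import ipaddress
import re

# Constructed sample: the NAT-relevant lines of the PIX 6.1(4) config posted above.
IFACES = """\
ip address outside 65.65.65.220 255.255.255.248
ip address inside 192.168.0.251 255.255.255.0
"""
POSTED = IFACES + """\
global (outside) 1 65.65.65.219
global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.0.1 65.65.65.220 netmask 255.255.255.255 0 0
conduit permit tcp host 192.168.0.1 eq 3389 any
"""
# Assumed corrected layout (mine): PAT on the interface address, the spare
# static .219 mapped to the terminal server, conduit on the mapped address.
FIXED = IFACES + """\
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 65.65.65.219 192.168.0.2 netmask 255.255.255.255 0 0
conduit permit tcp host 65.65.65.219 eq 3389 any
"""

def lint_pix(config: str) -> list:
    """Flag the PIX 6.x NAT/PAT and port-forward mistakes discussed above (assumes an 'inside' interface)."""
    ifaces, globals_, nat_ids, statics, conduits = {}, {}, set(), [], []
    for line in config.splitlines():
        if m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            ifaces[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := re.match(r"global \((\S+)\) (\d+) (\S+)", line):
            globals_[int(m[2])] = (m[1], m[3])
        elif m := re.match(r"nat \(\S+\) (\d+) ", line):
            nat_ids.add(int(m[1]))
        elif m := re.match(r"static \((\S+),\S+\) (\S+) (\S+)", line):
            statics.append((m[1], m[2], m[3]))  # PIX order: MAPPED address, then REAL address
        elif m := re.match(r"conduit permit \S+ host (\S+) eq (\S+)", line):
            conduits.append((m[1], m[2]))
    findings, inside = [], ifaces["inside"].network
    for nid, (ifc, addr) in globals_.items():
        if nid not in nat_ids:
            findings.append(f"global id {nid} has no matching nat statement")
        if addr != "interface" and ipaddress.ip_address(addr) == ifaces[ifc].ip:
            findings.append(f"global {nid} reuses the {ifc} address; use 'global ({ifc}) {nid} interface'")
    for real_if, mapped, real in statics:
        if ipaddress.ip_address(mapped) in inside:
            findings.append(f"static puts {real_if} host {mapped} in the mapped slot; mapped address comes first")
    for host, port in conduits:
        if ipaddress.ip_address(host) in inside:
            findings.append(f"conduit for {host}:{port} names an inside host; conduits match the mapped address")
    return findings
```

Running `lint_pix(POSTED)` reports the orphaned global 1, the reversed static and the conduit on the inside host, while `lint_pix(FIXED)` reports nothing.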
 
Got it finally. Thanks, I needed to allow the port on the outside interface.
 