PIX 506E - New internet device but no access

SamuelBiddulph (IS-IT--Management), Jun 17, 2003
Ok, we have a working PIX 506E that was connected to our old ISDN internet router and was all working fine.
We now have a new ADSL device that is to go in place of the ISDN router. I've tried but had no luck in getting the things to work together.
Our old ISDN box was a fixed IP of 192.168.44.1 with the interface in PIX being 192.168.44.2

As our new router had a different fixed IP (80.168.211.145) I went along the lines of changing the interface card to be 80.168.211.145 - this doesn't seem to work.

We have a short number of translation and access rules that I'm not sure what would need changing. Also I've seen that in the Host/Networks tab the outside card has an association with address 192.168.44.0 - which is confusing me as I'm not sure where that's coming from!

Any help would be great as I'm sure this should be fairly easy.
 
If your old firewall config had a 192.168.44.2 address on the outside then you won't have been NATing on the Pix but on the ISDN router. Now that you have a router with a real address on the inside and a real address on the Pix you will now need to NAT to that address on the Pix.

Also, if your new router has the address 80.168.211.145 then you can't use that address on your Pix as you seem to have suggested that you have done ("i went along the lines of changing the interface card to be 80.168.211.145 - this doesn't seem to work.").

It would be helpful if you could post your config.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Looks like you've been assigned a /29 range with the router on the first address so set your Pix outside interface up with 80.168.211.146 (mask 255.255.255.248).

Chris.


 
My typo - interface card I did set up with .146 so that should be ok.
I've no experience of NAT config or anything so if you could guide me I'd be very pleased.

Here is the full config as it stands connected to the ISDN unit;

Building configuration...
: Saved
:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password fiKtyM4JOzYEjx7W encrypted
passwd fiKtyM4JOzYEjx7W encrypted
hostname CI-GB-FW1
domain-name vanderlande.co.uk
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 195.75.0.0 Remote195Lans
name 62.184.43.64 LocalLan
access-list outside_access_in permit icmp any 192.168.44.0 255.255.255.0 echo-reply
access-list outside_access_in permit icmp any 192.168.44.0 255.255.255.0 unreachable
access-list outside_access_in permit icmp any 192.168.44.0 255.255.255.0 source-quench
access-list outside_access_in permit icmp any 192.168.44.0 255.255.255.0 time-exceeded
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 192.168.44.2 255.255.255.0
ip address inside 62.184.43.80 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location LocalLan 255.255.255.192 inside
pdm location 195.75.194.0 255.255.255.0 inside
pdm location 195.75.195.0 255.255.255.0 inside
pdm location 195.75.196.0 255.255.255.0 inside
pdm location 195.75.197.0 255.255.255.0 inside
pdm location 195.75.198.0 255.255.255.0 inside
pdm location 195.75.199.0 255.255.255.0 inside
pdm location Remote195Lans 255.255.0.0 inside
pdm location 195.75.94.0 255.255.254.0 inside
pdm location 195.75.196.0 255.255.252.0 inside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 192.168.44.10-192.168.44.254 netmask 255.255.255.0
nat (inside) 0 195.75.194.0 255.255.255.0 0 0
nat (inside) 0 195.75.199.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.44.1 1
route inside 195.75.194.0 255.255.255.0 62.184.43.65 1
route inside 195.75.195.0 255.255.255.0 62.184.43.65 1
route inside 195.75.196.0 255.255.255.0 62.184.43.65 1
route inside 195.75.197.0 255.255.255.0 62.184.43.65 1
route inside 195.75.198.0 255.255.255.0 62.184.43.65 1
route inside 195.75.199.0 255.255.255.0 62.184.43.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 195.75.94.0 255.255.254.0 inside
http 195.75.196.0 255.255.252.0 inside
http 62.184.43.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 195.75.196.39 CI-GB-FW1-confg
floodguard enable
no sysopt route dnat
telnet 195.75.94.0 255.255.254.0 inside
telnet 195.75.196.0 255.255.252.0 inside
telnet 62.184.43.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:873f932bb48bb8c74307cc790f246313
: end
[OK]

 
This line is your problem ..

global (outside) 1 192.168.44.10-192.168.44.254 netmask 255.255.255.0

This is NATing all outbound traffic that doesn't have a static NAT set up to addresses between 192.168.44.10 to 192.168.44.254.

What you could do is NAT all outbound traffic to the IP address of your external interface, 80.168.211.146.

# set the outside interface IP address #
ip address outside 80.168.211.146 255.255.255.248

# set your default route via the ADSL router #
route outside 0.0.0.0 0.0.0.0 80.168.211.145

# NAT all outbound traffic to the external interface #
global (outside) 1 interface

Note, 'interface' is the keyword so don't change it to anything else.

Chris.


 
Chris,
Unfortunately this hasn't seemed to have resolved the issue. We have an unusual set-up with regards to getting our internet access - this might be the cause but maybe you'll be able to answer after reading this.
Basically our DNS configuration goes through to our Dutch office and the names are resolved and our 'local' internet connection is used to go off and get the pages etc. Could it be that because of the address change of the router that this part is somehow not working properly?
When I actually plug everything in and ping a website I do get the resolved IP address coming back to me, which seems to suggest that things are working ok with regards to collecting DNS info.
Which leads me back to there being either something not quite right with the PIX config - or - once the DNS has been resolved it no longer knows where to send the info because we have changed to the new router and IP - this bit I'm trying to confirm with our Dutch office.
 
If you can get out to resolve DNS then it does suggest that you have external connectivity presuming of course that you are using external DNS servers. Can you ping the Pix, the router and something external to your site?

Chris.


 
Our DNS servers are internal as such (reside in Holland but are 'inside' to us).
From within the PIX if I use the ping interface I can ping an outside address.
If I use the command prompt within Windows I get no response on the same IP address I used to test within PIX, or when pinging the router itself.
 
Since this is the working config when connected to ISDN, it's hard to tell. We need to know how it looks now. If you did only change the "ip address outside" statement, there are a few other things that I see.

Your access-list for icmp is using your old addresses:

"access-list outside_access_in permit icmp any 192.168.44.0 255.255.255.0 echo-reply"

Change to your new addresses or use "interface" instead.

Also, you seem to be using registered addresses on an inside, remote lan, and these are not being nat'd:

"nat (inside) 0 195.75.194.0 255.255.255.0 0 0
nat (inside) 0 195.75.199.0 255.255.255.0 0 0"

Unless your new ISP is routing these addresses to you via their network, you'll want to remove these lines so they'll be included in the "nat (inside) 1" statements. If these networks have a different route to the internet, then this wouldn't be an issue.

That, plus Chris's points should help.
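Added example, not part of the thread and not Cisco's own tooling: a small Python lint that encodes the checks raised in Chris's reply and in this one (global pool, default route and inbound ACL still pointing at the old 192.168.44.0/24, and nat 0 exemptions of public ranges). It runs over a constructed excerpt of the posted config in which only the outside interface has been re-addressed; the ip addresses are taken from the thread.

```python
import ipaddress
import re

# Constructed excerpt modelled on the posted config, with only the outside
# interface re-addressed to the ADSL router's /29 (the state the thread debugs).
SAMPLE_CONFIG = """\
ip address outside 80.168.211.146 255.255.255.248
ip address inside 62.184.43.80 255.255.255.0
access-list outside_access_in permit icmp any 192.168.44.0 255.255.255.0 echo-reply
global (outside) 1 192.168.44.10-192.168.44.254 netmask 255.255.255.0
nat (inside) 0 195.75.194.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.44.1 1
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"


def outside_subnet(config):
    """Subnet of the 'ip address outside' line, or None if absent."""
    m = re.search(r"^ip address outside " + IP + " " + IP + r"$", config, re.M)
    return ipaddress.ip_interface(f"{m[1]}/{m[2]}").network if m else None


def lint_pix_config(config):
    """Return one finding per line that still refers to the old outside
    subnet, plus any nat 0 exemption of a public (non-RFC1918) range."""
    net = outside_subnet(config)
    if net is None:
        return ["no 'ip address outside' line found"]
    findings = []
    for line in config.splitlines():
        # global pool: its first address must sit on the outside subnet
        m = re.match(r"global \(outside\) \d+ " + IP, line)
        if m and ipaddress.ip_address(m[1]) not in net:
            findings.append(f"global pool {m[1]} not on {net}; use 'global (outside) 1 interface'")
        # default route: the ADSL router must be reachable on the outside subnet
        m = re.match(r"route outside 0\.0\.0\.0 0\.0\.0\.0 " + IP, line)
        if m and ipaddress.ip_address(m[1]) not in net:
            findings.append(f"default route via {m[1]} is not on {net}")
        # inbound ACL: destinations should be the new outside addresses
        m = re.match(r"access-list outside_access_in permit \S+ \S+ " + IP + " " + IP, line)
        if m and not ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False).overlaps(net):
            findings.append(f"ACL destination {m[1]}/{m[2]} does not match {net}")
        # nat 0 leaves a range untranslated: a public range only works if the ISP routes it
        m = re.match(r"nat \(inside\) 0 " + IP + " " + IP, line)
        if m and not ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False).is_private:
            findings.append(f"nat 0 exempts public range {m[1]}/{m[2]}; remove it unless the ISP routes it")
    return findings
```

Running lint_pix_config(SAMPLE_CONFIG) reports the four stale lines; after applying Chris's three replacement lines and dropping the nat 0 entries it returns an empty list.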


 