PIX 515e can't get out to the Internet

Status
Not open for further replies.

scottmiks (MIS), US, Dec 27, 2002
Why can't I get out to the internet with this config?

PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
hostname TheWall
domain-name XXXXXX.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.100.2 DC
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list frominisde permit tcp any any eq www
access-list frominisde permit tcp any any eq smtp
access-list inside permit ip any any
access-list inside permit tcp any any
access-list inside permit udp any any
access-list frominside permit tcp any any eq www
pager lines 24
logging on
logging host inside 192.168.100.14
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 68.XX.XX.XX 255.255.255.248
ip address inside 192.168.100.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location DC 255.255.255.255 inside
pdm location 192.168.100.14 255.255.255.255 inside
pdm location 192.168.100.252 255.255.255.255 inside
pdm location 192.168.200.0 255.255.255.255 inside
pdm location 192.168.100.0 255.255.255.255 inside
pdm location 68.XX.XX.XX 255.255.255.255 outside
pdm location 192.168.100.250 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 192.168.100.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 68.157.126.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.100.14 255.255.255.255 inside
http 192.168.100.0 255.255.255.0 inside
http 192.168.100.252 255.255.255.255 inside
http 192.168.200.0 255.255.255.255 inside
http 192.168.100.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
vpngroup remote idle-time 1800
telnet 192.168.100.252 255.255.255.255 inside
telnet 192.168.100.0 255.255.255.0 inside
telnet 192.168.200.0 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
TheWall(config)#
 
For starters, let's get rid of these lines:
access-list frominisde permit tcp any any eq www
access-list frominisde permit tcp any any eq smtp
access-list inside permit ip any any
access-list inside permit tcp any any
access-list inside permit udp any any
access-list frominside permit tcp any any eq www

Next, is this firewall replacing one? More specifically, was the ip address on the outside interface, 68.XX.XX.XX, used for something else before the PIX? If yes, reboot your Internet router, that should clear things up.

Can you ping 68.157.126.233 from 68.XX.XX.XX?

You have the internal IP as a class C address, but I see no route to it. You will need one.

-gbiello
 
Please help, I can't receive mail from outside the network.
 
Updated config

PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
hostname TheWall
domain-name XXXXXX.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.100.2 DC
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
pager lines 24
logging on
logging host inside 192.168.100.14
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 68.XX.XX.XX 255.255.255.248
ip address inside 192.168.100.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location DC 255.255.255.255 inside
pdm location 192.168.100.14 255.255.255.255 inside
pdm location 192.168.100.252 255.255.255.255 inside
pdm location 192.168.200.0 255.255.255.255 inside
pdm location 192.168.100.0 255.255.255.255 inside
pdm location 68.XX.XX.XX 255.255.255.255 outside
pdm location 192.168.100.250 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 68.157.126.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.100.14 255.255.255.255 inside
http 192.168.100.0 255.255.255.0 inside
http 192.168.100.252 255.255.255.255 inside
http 192.168.200.0 255.255.255.255 inside
http 192.168.100.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
vpngroup remote idle-time 1800
telnet 192.168.100.252 255.255.255.255 inside
telnet 192.168.100.0 255.255.255.0 inside
telnet 192.168.200.0 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
TheWall(config)#
 
From the PIX can you ping the ISP router? What about a client on the inside network? If you do a show route what does the routing table look like?

The other thing that I would change is the speed that you have your interfaces at. There is no such thing as 10 full. Set them to auto. Int e0 auto, Int e1 auto
 
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq pop3
static (inside,outside) <pick public IP> <internal IP> netmask 255.255.255.255

-gbiello
 
You need to add the above lines (forgot that in the post) to create the translation to allow mail in.
-gbiello
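As an added check (this is not code from the thread or from Cisco), the script below parses a PIX 6.x running-config like the one posted and flags the mistakes this thread turns on: access-lists that are defined but never bound with access-group (all of frominisde, frominside and inside in the first post); the line nat (inside) 0 192.168.100.0 255.255.255.0, which in PIX 6.x is identity NAT and exempts the whole inside subnet from the nat 1/global PAT, so outbound packets leave with private source addresses and replies never come back (the updated config drops that line, which is what lets the PAT take effect); management-access lines that put a host mask on a network address (http 192.168.100.0 255.255.255.255 matches only the single address 192.168.100.0, not the subnet); and the default SNMP community "public". It also emits the static and access-list lines gbiello describes for inbound mail, narrowed to the one public host instead of "any any". The config embedded below is reconstructed from the first post, with the redacted 68.XX.XX.XX left as-is and never parsed; the public address 203.0.113.10 (a documentation range) and the ACL name outside_in are placeholders of my own.

```python
"""Added example, not from the thread: lint a PIX 6.x running-config for the
problems discussed above and print the lines needed to let mail in."""
import ipaddress
from collections import defaultdict

# Reconstructed from the first config in the thread (constructed sample).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list frominisde permit tcp any any eq www
access-list frominisde permit tcp any any eq smtp
access-list inside permit ip any any
access-list frominside permit tcp any any eq www
ip address outside 68.XX.XX.XX 255.255.255.248
ip address inside 192.168.100.250 255.255.255.0
global (outside) 1 interface
nat (inside) 0 192.168.100.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 68.157.126.233 1
snmp-server community public
http 192.168.100.0 255.255.255.255 inside
telnet 192.168.200.0 255.255.255.255 inside
"""

HOST_MASK = "255.255.255.255"


def parse(config):
    """Group the config by leading keyword; each entry is the token list."""
    sections = defaultdict(list)
    for raw in config.splitlines():
        tokens = raw.split()
        if tokens and not tokens[0].startswith((":", "!")):
            sections[tokens[0]].append(tokens)
    return sections


def lint(config):
    """Return a list of finding strings for the mistakes this thread hit."""
    s = parse(config)
    findings = []

    # An access-list never bound with access-group filters nothing; it only
    # clutters the config and hides typos such as 'frominisde'.
    bound = {t[1] for t in s["access-group"]}
    for name in sorted({t[1] for t in s["access-list"]}):
        if name not in bound:
            findings.append(f"unbound acl {name}")

    # nat 0 is identity NAT: hosts it covers keep their private source address
    # even though a nat 1/global PAT exists, so Internet replies never return.
    inside = next((t for t in s["ip"] if t[1:3] == ["address", "inside"]), None)
    if inside:
        inside_net = ipaddress.ip_network(f"{inside[3]}/{inside[4]}", strict=False)
        has_pat = any(t[2] != "0" for t in s["nat"])
        for t in s["nat"]:
            if t[2] == "0":
                exempt = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
                if has_pat and exempt.overlaps(inside_net):
                    findings.append(f"nat 0 exempts {exempt} from PAT")

    # Management access: a host mask on a .0 address matches only that one
    # (network) address, not the subnet the admin almost certainly meant.
    for kw in ("http", "telnet", "ssh"):
        for t in s[kw]:
            if len(t) >= 3 and t[2] == HOST_MASK and t[1].endswith(".0"):
                findings.append(f"{kw} {t[1]} {t[2]}: host mask on a network address")

    # The default community string lets anyone who can reach the PIX read it.
    if any(t[1:3] == ["community", "public"] for t in s["snmp-server"]):
        findings.append("snmp community 'public'")

    return findings


def inbound_service(config, public_ip, inside_ip, service):
    """Lines still missing to expose inside_ip:service on public_ip: a static
    translation plus a permit on the ACL bound inbound on 'outside'.  The permit
    names the one public host rather than 'any any' (my tightening)."""
    s = parse(config)
    present = {" ".join(t) for sec in s.values() for t in sec}
    acl = next((t[1] for t in s["access-group"]
                if t[2:5] == ["in", "interface", "outside"]), None)
    wanted = [f"static (inside,outside) {public_ip} {inside_ip} netmask {HOST_MASK}"]
    if acl is None:
        acl = "outside_in"  # hypothetical name, only used if nothing is bound yet
        wanted.append(f"access-group {acl} in interface outside")
    wanted.insert(1, f"access-list {acl} permit tcp any host {public_ip} eq {service}")
    return [line for line in wanted if line not in present]


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("FINDING:", finding)
    # 203.0.113.10 is a documentation address standing in for the real public IP.
    for line in inbound_service(SAMPLE_CONFIG, "203.0.113.10", "192.168.100.2", "smtp"):
        print("ADD:", line)
```

Run it against the first config and it reports the three unbound ACLs, the nat 0 exemption, the two host-mask management entries and the SNMP community, then prints the static and the ACL permit to add; run it against the updated config (nat 0 removed) and the NAT finding disappears while the inbound-mail lines are still reported as missing, which matches where the thread ends up.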
 