
Pix 515E Can't Route...Pls Help


Boh (MIS), SG
Feb 23, 2003
This is my first time configuring a PIX using PIX Device Manager.

My LAN users cannot route to the Internet or to the DMZ server.

Please help.

Attached is my configuration file:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password mhWMpuKhF1sjkn5C encrypted
passwd 2KFQnbNI8I.2KYOU encrypted
hostname PIX515E
domain-name mynet.com.sg
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside_access_in permit tcp any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 61.18.206.18 255.255.255.248
ip address inside 172.16.0.222 255.255.0.0
ip address DMZ 192.168.0.100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 172.16.0.85 255.255.255.255 inside
pdm location 192.168.0.200 255.255.255.255 DMZ
pdm location 172.16.0.39 255.255.255.255 inside
pdm location 61.18.206.21 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.0 DMZ
pdm history enable
arp timeout 14400
static (DMZ,outside) 61.18.206.21 192.168.0.200 netmask 255.255.255.255 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 61.8.206.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 172.16.0.85 255.255.255.255 inside
http 172.16.0.39 255.255.255.255 inside
http 192.168.0.200 255.255.255.255 DMZ
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt noproxyarp outside
sysopt noproxyarp inside
sysopt noproxyarp DMZ
no sysopt route dnat
telnet 172.16.0.85 255.255.255.255 inside
telnet 172.16.0.39 255.255.255.255 inside
telnet 192.168.0.200 255.255.255.255 DMZ
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:e5b18a03bb16896db2017ba9ea353d9d
: end
[OK]


Thanks.
 
Hi,
1. When you want traffic to be forwarded from a high-security interface (e.g. LAN) to a low-security one (e.g. outside), you should set up NAT using "nat (inside) 1 0.0.0.0 0.0.0.0" and "global (outside) 1 interface". This means:
nat... = NAT all of the inside users...
global... = ...and give them the outside interface address.

2. You should not use any access-list on the inside unless you want to filter traffic (outside traffic is enabled by default with no ACL).

3. Add "global (DMZ) 1 interface" if you want the LAN to access the DMZ as well.

4. Check using telnet and not ping, because ICMP will not return unless you open it. If you want to open ICMP replies:

access-list outside_access_in permit icmp any any echo-reply
access-list dmz_access_in permit icmp any any echo-reply
access-group outside_access_in in interface outside
access-group dmz_access_in in interface DMZ


 
Hi chenchuk77,
Thank you very much for your fast response.
I will follow your advice and add the following commands early tomorrow morning:

global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

P.S.: I saw people using "nat (inside) 0 0.0.0.0 0.0.0.0"; is that the same?

Thanks again.
 
BTW, don't post your public IPs and encrypted passwords from your config file.

You then kill the security of your firewall.

b- Brock D. Mowry
Hardware Specialist
 
Hi br0ck,
Thanks for your advice.
I have modified the public IP addresses and encrypted passwords.

Any advice on my configuration file?

Thanks in advance.



 
Dear chenchuk77, br0ck and other experts:

I have changed my configuration file as below:

ip address outside 61.18.206.18 255.255.255.248
ip address inside 172.16.0.222 255.255.0.0
ip address DMZ 192.168.0.100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 172.16.0.85 255.255.255.255 inside
pdm location 192.168.0.200 255.255.255.255 DMZ
pdm location 172.16.0.39 255.255.255.255 inside
pdm location 61.18.206.21 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) 61.18.206.21 192.168.0.200 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 61.18.206.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 172.16.0.85 255.255.255.255 inside
http 172.16.0.39 255.255.255.255 inside
http 192.168.0.200 255.255.255.255 DMZ
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt noproxyarp outside
sysopt noproxyarp inside
sysopt noproxyarp DMZ
no sysopt route dnat
telnet 172.16.0.85 255.255.255.255 inside
telnet 172.16.0.39 255.255.255.255 inside
telnet 192.168.0.200 255.255.255.255 DMZ
telnet timeout 20
ssh timeout 5
terminal width 80
Cryptochecksum:d10c23c035d235b7d50157e6d54476b0
: end
[OK]


But I still cannot ping the DMZ and outside servers from my LAN users. Can anyone help me with this problem?

Thank you very much.
Boh
 
With my above configuration, my LAN users cannot even ping the DMZ and outside interfaces.

My LAN user is 172.16.0.85/255.255.0.0, gateway 172.16.0.222.

The LAN user can't ping 192.168.0.100 (firewall DMZ interface) or 61.8.206.18 (firewall outside interface).

Please help.
 
HI.

Don't use ping.
Use telnet/http/ftp or any other TCP test.

There are (at least) 2 reasons for the failing ping attempts:

1. The PIX does stateful inspection only for TCP and UDP, not for ICMP. Therefore, when an ICMP echo is sent, the ICMP reply is blocked by the PIX because you didn't specify an access-list to allow incoming ICMP echo-reply.
If you open a TCP session instead (for example telnet or http), the PIX will allow the return traffic back in using stateful inspection.

2. The PIX (unlike routers and other devices) will never respond to a connection attempt to one of its own interfaces coming from a different interface.
This is by design and cannot be changed.
So you need to test the connection to another device (router, server, etc.), not to the PIX's own interface.
You can, however, ping or telnet to the PIX's inside interface from the inside to verify LAN connectivity.

Bye

Yizhar Hurwitz
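Yizhar's advice to test with TCP rather than ping can be turned into a small probe. The code below is an added example and is not from the thread. The point it encodes: a refused connection is a success for the path, because the target's RST had to come back in through the PIX, so only a timeout means something in between dropped the packets. The loopback listener exists only so the probe can be exercised offline; the target addresses are whatever the reader wants to test (in this thread, the DMZ host 192.168.0.200 and the port it actually serves).

```python
"""TCP reachability probe to use instead of ping through a PIX 6.x, which keeps
state for TCP/UDP but not for ICMP. Added example, not from the thread."""
import socket


def tcp_probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt.

    'open'      SYN-ACK came back: path and port both work.
    'refused'   RST came back: the path through the firewall works, port closed.
    'filtered'  nothing came back within the timeout: dropped on the path.
    'error'     local failure (no route, bad name); not a firewall verdict.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "refused"
        except OSError:
            return "error"


def probe_targets(targets, timeout=3.0):
    """targets: iterable of (label, host, port). Returns {label: verdict}."""
    return {label: tcp_probe(host, port, timeout) for label, host, port in targets}


def path_works(results):
    """True if any target answered at all (open or refused): return traffic is
    getting back through the firewall, so any remaining failure is per port."""
    return any(v in ("open", "refused") for v in results.values())


def local_listener():
    """Loopback listener on an ephemeral port, returned as (socket, port).
    Only here so the probe can be exercised without a real network."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]
```

Run probe_targets against a host behind each interface you want to verify; if every target comes back "filtered" while the inside interface answers, the problem is translation or routing on the PIX, not the individual services.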
 
Hi everyone,

I still face the problem after trying hard.

Please help again.

My LAN/DMZ can't perform NAT. I am using "debug icmp trace" and get this message (172.16.0.85 can't route to the Internet):



PIX515E# 343: Outbound ICMP echo request (len 0 id 2 seq 55811) webserver > 61.18.104.22 > 1.1.1.1
344: Outbound ICMP echo request (len 0 id 2 seq 56067) webserver > 61.18.104.22 > 1.1.1.1
345: Outbound ICMP echo request (len 0 id 2 seq 56323) webserver > 61.18.104.22 > 1.1.1.1
346: Outbound ICMP echo request (len 0 id 2 seq 56579) webserver > 61.18.104.22 > 1.1.1.1
347: Outbound ICMP echo request (len 0 id 2 seq 56835) webserver > 61.18.104.22 > 1.1.1.1



Below is my latest configuration. Can anyone help?


name 172.16.0.85 webserver
object-group network translate
description translate int to ext
network-object webserver 255.255.255.255
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 61.18.104.22 eq www
access-list acl_out permit tcp any host 61.18.104.22 eq telnet
access-list acl_out permit tcp any host 61.18.104.22 eq ftp
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging buffered debugging
logging trap debugging
logging facility 16
logging host inside webserver
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 61.18.104.18 255.255.255.248
ip address inside 172.16.0.222 255.255.0.0
ip address DMZ 192.168.0.100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location webserver 255.255.255.255 inside
pdm location 192.168.0.200 255.255.255.255 DMZ
pdm location 172.16.0.39 255.255.255.255 inside
pdm location 61.18.104.20 255.255.255.255 outside
pdm group translate inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 61.18.104.20 netmask 255.255.255.248
global (DMZ) 1 192.168.0.201-192.168.0.254 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 61.18.104.22 webserver netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 61.18.104.17 1
timeout xlate 3:00:00
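chenchuk77's two points (every nat id needs a matching global, and an ACL applied to inside replaces the default permit with an implicit deny) and a few things visible in the configs posted in this thread can be checked mechanically. The script below is an added example, not code from the thread or from Cisco; its finding codes are its own, BROKEN_CONFIG is constructed from the first config posted above (trimmed), and FIXED_CONFIG is a hypothetical corrected version. Beyond what the replies say, it checks two things the posted configs show: the default-route gateway in the first config (61.8.206.17) is not inside the outside interface's /29, and "sysopt noproxyarp outside" is set while the static and global addresses on the outside rely on the PIX answering ARP for them. Note that the debug trace above already shows the echo requests leaving translated (webserver > 61.18.104.22) with no inbound reply lines, which is consistent with a return-path problem rather than a missing translation.

```python
"""Lint a PIX 6.x configuration for the pitfalls discussed in this thread.
Added example; not code from the thread or from Cisco."""
import ipaddress
import re

# Constructed sample: the first config posted in the thread, trimmed.
BROKEN_CONFIG = """\
access-list inside_access_in permit tcp any any
ip address outside 61.18.206.18 255.255.255.248
ip address inside 172.16.0.222 255.255.0.0
ip address DMZ 192.168.0.100 255.255.255.0
static (DMZ,outside) 61.18.206.21 192.168.0.200 netmask 255.255.255.255 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 61.8.206.17 1
snmp-server community public
sysopt noproxyarp outside
telnet 172.16.0.85 255.255.255.255 inside
"""

# Constructed sample (hypothetical fix): nat/global added, inside ACL removed,
# gateway inside the outside subnet, proxy ARP left on, ssh instead of telnet.
FIXED_CONFIG = """\
ip address outside 61.18.206.18 255.255.255.248
ip address inside 172.16.0.222 255.255.0.0
ip address DMZ 192.168.0.100 255.255.255.0
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) 61.18.206.21 192.168.0.200 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 61.18.206.17 1
snmp-server community Xk7pQ2vLm9
ssh 172.16.0.85 255.255.255.255 inside
"""


def lint_pix(config):
    """Return [(code, message), ...] for a PIX 6.x running-config text."""
    lines = [l.strip() for l in config.splitlines()
             if l.strip() and not l.lstrip().startswith(("!", ":"))]
    findings = []
    ifaces = {}  # nameif -> ip_interface (dotted netmask form is accepted)
    for l in lines:
        m = re.match(r"ip address (\S+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$", l)
        if m:
            ifaces[m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
    # 1. Every nat id needs a global with the same id, and inside needs some
    #    xlate at all, or the PIX drops its packets ("No translation group").
    nat_ids, nat_ifaces, global_ids = {}, set(), set()
    for l in lines:
        m = re.match(r"nat \((\S+)\) (\d+) ", l)
        if m:
            nat_ifaces.add(m.group(1))
            if m.group(2) != "0":
                nat_ids.setdefault(m.group(2), set()).add(m.group(1))
        m = re.match(r"global \(\S+\) (\d+) ", l)
        if m:
            global_ids.add(m.group(1))
    for nid, srcs in nat_ids.items():
        if nid not in global_ids:
            findings.append(("NAT_NO_GLOBAL", f"nat id {nid} on {sorted(srcs)} has no global"))
    if "inside" in ifaces and "inside" not in nat_ifaces \
            and not any(l.startswith("static (inside,") for l in lines):
        findings.append(("NO_XLATE_INSIDE", "no nat/global or static translates inside"))

    # 2. The default gateway must sit in the egress interface's subnet.
    for l in lines:
        m = re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\d+\.\d+\.\d+\.\d+)", l)
        if m and m.group(1) in ifaces:
            gw, net = ipaddress.ip_address(m.group(2)), ifaces[m.group(1)].network
            if gw not in net:
                findings.append(("ROUTE_GW_OFFNET", f"gateway {gw} not in {net} on {m.group(1)}"))

    # 3. An inside ACL that permits only tcp: the implicit deny then drops
    #    UDP (DNS) and ICMP coming from the LAN.
    acl_protos = {}
    for l in lines:
        m = re.match(r"access-list (\S+) permit (\S+)", l)
        if m:
            acl_protos.setdefault(m.group(1), set()).add(m.group(2).lower())
    for l in lines:
        m = re.match(r"access-group (\S+) in interface (\S+)", l)
        if m and m.group(2).lower() == "inside" and acl_protos.get(m.group(1)) == {"tcp"}:
            findings.append(("INSIDE_ACL_TCP_ONLY", f"{m.group(1)} permits only tcp on inside"))

    # 4. Static and non-interface global addresses on outside are reached via
    #    proxy ARP; "sysopt noproxyarp outside" stops the PIX answering for them.
    needs_parp = any(re.match(r"static \(\S+,outside\) |global \(outside\) \d+ (?!interface)", l)
                     for l in lines)
    if needs_parp and "sysopt noproxyarp outside" in lines:
        findings.append(("NOPROXYARP_OUTSIDE", "outside xlates depend on proxy ARP, which is off"))

    # 5. Management hygiene: well-known SNMP community, cleartext telnet.
    if any(re.match(r"snmp-server community (public|private)$", l) for l in lines):
        findings.append(("SNMP_DEFAULT_COMMUNITY", "snmp community is a well-known default"))
    if any(re.match(r"telnet \d", l) for l in lines):
        findings.append(("TELNET_MGMT", "cleartext telnet management enabled; prefer ssh"))
    return findings
```

Paste a "write terminal" dump into lint_pix and read the codes: on BROKEN_CONFIG it reports NO_XLATE_INSIDE, ROUTE_GW_OFFNET, INSIDE_ACL_TCP_ONLY, NOPROXYARP_OUTSIDE, SNMP_DEFAULT_COMMUNITY and TELNET_MGMT, and nothing on FIXED_CONFIG. The proxy ARP check is the one to keep in mind when a static or a global pool is reachable on the box itself but not from the ISP side: with "sysopt noproxyarp outside" the upstream router needs its own route or ARP entry for those addresses, otherwise replies never make it back to the PIX.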
 