I've had a PIX 515E at home for several years now and can usually get things configured with a little help from Google, etc. However, I was recently able to pick up another PIX to play with. The old PIX is 7.1 and the new PIX is 8.0, if that makes a difference. I'm wondering if there is something new in the 8.0 version that is working differently and has me stumped. One difference between the two PIXes I have is that the new one has a 4-port card for a total of 6 Ethernet ports. I've set up DHCPD on two of the interfaces, but I can't get it to assign an address to anything connected to those interfaces (dmz and vonage). Also, if I manually assign an IP to a device on one of those networks I can't even get out to the internet. So either some ACL or static mapping is interfering there, but I can't see what I've messed up. The DMZ port on the PIX 515E with 7.1 just works, both with DHCPD and internet access, but even if I try the same ACLs and statics on the 8.0 PIX I'm still not getting anything working. Basically I'm stumped.
Any help would be greatly appreciated as I'm now lost and not sure what is happening.
Brian
PIX Version 8.0(4)32
!
hostname brb-pix
domain-name bfamily.org
enable password xxxxxx encrypted
passwd xxxxxxx encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 24.199.216.33 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.99.1 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 192.168.109.1 255.255.255.0
!
interface Ethernet3
nameif vonage
security-level 25
ip address 192.168.149.1 255.255.255.0
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.99.201
domain-name bfamily.org
access-list outside remark access list for outside
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit icmp any any unreachable
access-list outside extended permit tcp any any eq https
access-list outside extended permit tcp any any eq 2525
access-list dmz remark access list for dmz
access-list dmz extended permit icmp 192.168.109.0 255.255.255.0 192.168.99.0 255.255.255.0 echo-reply
access-list dmz extended permit icmp 192.168.109.0 255.255.255.0 192.168.99.0 255.255.255.0 unreachable
access-list dmz extended permit udp 192.168.109.0 255.255.255.0 host 192.168.99.201 eq domain
access-list dmz extended permit ip 192.168.109.0 255.255.255.0 any
access-list nonat remark nonat for dmz and inside interfaces
access-list nonat extended permit ip 192.168.99.0 255.255.255.0 192.168.109.0 255.255.255.0
access-list nonat extended permit ip 192.168.109.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list nonat extended permit ip 192.168.99.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list nonat extended permit ip 192.168.129.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list vonage remark access list for vonage network
access-list vonage_access_in extended permit ip 192.168.149.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu vonage 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.99.0 255.255.255.0
nat (dmz) 0 access-list nonat
nat (dmz) 1 192.168.109.0 255.255.255.0
nat (vonage) 0 access-list nonat
nat (vonage) 1 192.168.149.0 255.255.255.0
static (dmz,outside) tcp interface https 192.168.109.44 https netmask 255.255.255.255
static (inside,outside) tcp interface 2525 192.168.99.202 smtp netmask 255.255.255.255
static (inside,dmz) 192.168.99.0 192.168.99.0 netmask 255.255.255.0
static (inside,vonage) 192.168.99.0 192.168.99.0 netmask 255.255.255.0
access-group outside in interface outside
access-group dmz in interface dmz
access-group vonage_access_in in interface vonage
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.99.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.99.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.99.0 255.255.255.0 inside
ssh 192.168.109.0 255.255.255.0 dmz
ssh timeout 60
console timeout 0
dhcpd dns 4.2.2.1 8.8.8.8
dhcpd lease 259200
dhcpd ping_timeout 750
dhcpd domain bfamily.org
!
dhcpd address 192.168.109.101-192.168.109.110 dmz
dhcpd dns 208.67.222.222 208.67.220.220 interface dmz
dhcpd lease 259200 interface dmz
dhcpd ping_timeout 750 interface dmz
dhcpd domain bfamily.org interface dmz
dhcpd enable dmz
!
dhcpd address 192.168.149.101-192.168.149.110 vonage
dhcpd enable vonage
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
brb-pix#
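A small consistency check, added here as an illustration and not part of the original post, that parses the interface, access-list, nat 0 and access-group lines of the configuration above and cross-references them: every access-group must point at an ACL that has real entries, every ACL should be used somewhere, each identity-NAT (nat 0) ACL should contain an entry sourced from the subnet of the interface it is applied to, and every network named in a nat 0 ACL should sit behind a configured interface. The parsing rules and the checks are mine and only cover the command forms that appear in the post; the embedded config is copied from the post and trimmed to the lines these checks read. Run against it, the script reports three things: the ACL named vonage holds only a remark and is never applied, the nat (vonage) 0 rule uses an ACL with no entry sourced from 192.168.149.0/24, and that ACL names 192.168.129.0/24, a network that is not behind any interface.

```python
import ipaddress
import re

# Lines copied from the posted running config, trimmed to what the checks read.
PIX_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 24.199.216.33 255.255.255.248
interface Ethernet1
 nameif inside
 ip address 192.168.99.1 255.255.255.0
interface Ethernet2
 nameif dmz
 ip address 192.168.109.1 255.255.255.0
interface Ethernet3
 nameif vonage
 ip address 192.168.149.1 255.255.255.0
access-list outside remark access list for outside
access-list outside extended permit tcp any any eq https
access-list dmz remark access list for dmz
access-list dmz extended permit udp 192.168.109.0 255.255.255.0 host 192.168.99.201 eq domain
access-list dmz extended permit ip 192.168.109.0 255.255.255.0 any
access-list nonat remark nonat for dmz and inside interfaces
access-list nonat extended permit ip 192.168.99.0 255.255.255.0 192.168.109.0 255.255.255.0
access-list nonat extended permit ip 192.168.109.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list nonat extended permit ip 192.168.99.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list nonat extended permit ip 192.168.129.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list vonage remark access list for vonage network
access-list vonage_access_in extended permit ip 192.168.149.0 255.255.255.0 any
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonat
nat (vonage) 0 access-list nonat
access-group outside in interface outside
access-group dmz in interface dmz
access-group vonage_access_in in interface vonage
"""

# Regexes for the handful of PIX command forms this checker understands (assumption:
# 'extended permit' entries with 'any', 'host A.B.C.D' or 'NET MASK' address specs).
NAMEIF_RE = re.compile(r"^nameif (\S+)")
IPADDR_RE = re.compile(r"^ip address (\S+) (\S+)")
REMARK_RE = re.compile(r"^access-list (\S+) remark")
ACL_RE = re.compile(r"^access-list (\S+) extended permit \S+ (.+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def _take_addr(tokens):
    """Consume one ACL address spec; returns (network or None for 'any', remaining tokens)."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    cfg = {"interfaces": {}, "acls": {}, "acl_names": set(), "nat0": {}, "groups": {}}
    pending_if = None  # nameif seen, waiting for the matching 'ip address'
    for raw in text.splitlines():
        line = raw.strip()
        if (m := NAMEIF_RE.match(line)):
            pending_if = m.group(1)
        elif (m := IPADDR_RE.match(line)) and pending_if:
            cfg["interfaces"][pending_if] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            pending_if = None
        elif (m := REMARK_RE.match(line)):
            cfg["acl_names"].add(m.group(1))
        elif (m := ACL_RE.match(line)):
            name, rest = m.group(1), m.group(2).split()
            src, rest = _take_addr(rest)
            dst, _ = _take_addr(rest)
            cfg["acl_names"].add(name)
            cfg["acls"].setdefault(name, []).append((src, dst))
        elif (m := NAT0_RE.match(line)):
            cfg["nat0"][m.group(1)] = m.group(2)
        elif (m := GROUP_RE.match(line)):
            cfg["groups"][m.group(2)] = m.group(1)
    return cfg


def lint(text):
    """Cross-reference interfaces, ACLs, nat 0 and access-group lines; return a list of findings."""
    cfg = parse_config(text)
    findings = []

    def add(msg):
        if msg not in findings:
            findings.append(msg)

    for ifc, acl in cfg["groups"].items():  # applied ACLs must have real entries
        if not cfg["acls"].get(acl):
            add(f"access-group on {ifc} references ACL '{acl}', which has no permit/deny entries")
    used = set(cfg["groups"].values()) | set(cfg["nat0"].values())
    for acl in sorted(cfg["acl_names"]):  # defined ACLs should be used somewhere
        if acl not in used:
            add(f"ACL '{acl}' is defined but never applied to an interface or nat 0")
    for ifc, acl in cfg["nat0"].items():  # identity NAT needs an entry sourced from that interface
        net = cfg["interfaces"].get(ifc)
        entries = cfg["acls"].get(acl, [])
        if net and not any(src is not None and src.subnet_of(net) for src, _ in entries):
            add(f"nat ({ifc}) 0 uses ACL '{acl}', but no entry has a source in {net}, so it never matches")
    known = list(cfg["interfaces"].values())
    for acl in sorted(set(cfg["nat0"].values())):  # nat 0 networks should sit behind an interface
        for src, dst in cfg["acls"].get(acl, []):
            for n in (src, dst):
                if n is not None and not any(n.subnet_of(k) for k in known):
                    add(f"ACL '{acl}' names {n}, which is not behind any configured interface")
    return findings


if __name__ == "__main__":
    for finding in lint(PIX_CONFIG):
        print(finding)
```

The checks are deliberately syntactic: they say nothing about what the firewall will actually do with a packet, only where the posted lines disagree with each other, which is the kind of thing that is easy to miss when comparing a 7.1 config against an 8.0 one by eye.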