
Problem connecting outside on PIX 1


banala1 (IS-IT--Management), Feb 25, 2003
We recently got a PIX; I was setting it up in a testing lab.

In the lab everything was working fine, but once moved to production nothing works.

I have set it up like this:

LAN------7513----PIX----router----internet

The LAN uses 10.0.0.0 addresses. The 7513 has two IP addresses, primary and secondary, on the LAN-side FastEthernet.
On the WAN-side FastEthernet I have 169.x.x.x; I can ping this address from my LAN.
The PIX inside interface is 169.x.x.x and I can ping it from all hosts in 10.0.0.0, and I can see all my users when I use sh xlate.

From inside I can ping the inside interface of the PIX.
When I use sh xlate I can see my global address mapped to the internal address, but I cannot go out to the Internet and I cannot ping the external interface of the PIX. From my 7513
I can ping only the external interface of the PIX.



This is my PIX config:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
nameif ethernet3 ISP2 security60
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
nameif ethernet6 intf6 security30
nameif ethernet7 failover security15
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix-1
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside_access_in permit tcp any host 206.X.X.X eq smtp
access-list outside_access_in permit tcp any host 206.X.X.X eq smtp
access-list outside_access_in permit udp any host 206.X.X.X eq domain
access-list outside_access_in permit udp any host 206.X.X.X eq domain
access-list outside_access_in permit icmp any any
access-list outside_access_in deny ip any any
access-list dmz_coming_in permit icmp any any
access-list dmz_coming_in permit tcp host 206.X.X.X host any eq smtp
access-list dmz_coming_in permit tcp host 206.X.X.X host any eq www
access-list dmz_coming_in permit tcp host 206.X.X.X host any eq smtp
access-list dmz_coming_in permit tcp host 206.X.X.X host any eq www
access-list dmz_coming_in permit udp host 206.X.X.X host any eq domain
access-list dmz_coming_in permit udp host 206.X.X.X host any eq domain
access-list 101 permit ip 170.x.x.0 255.255.255.0 206.x.x.128 255.255.255.128
pager lines 24
logging on
logging monitor errors
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
interface ethernet6 auto shutdown
interface ethernet7 100full
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu ISP2 1500
mtu intf4 1500
mtu intf5 1500
mtu intf6 1500
mtu failover 1500
ip address outside 206.X.X.X 255.255.255.128
ip address inside 170.X.X.X 255.255.255.0
ip address DMZ 206.X.X.252 255.255.255.128
ip address ISP2 171.X.X.21 255.255.255.0
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip address intf6 127.0.0.1 255.255.255.255
ip address failover 7.7.7.7 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 206.X.X.X
failover ip address inside 170.X.X.3
failover ip address DMZ 206.X.X.253
failover ip address ISP2 171.X.X.21
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
failover ip address intf6 0.0.0.0
failover ip address failover 7.7.7.8
failover link failover

pdm location 169.x.x.155 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 206.X.X.90-206.X.X.120 netmask 255.255.255.128
global (outside) 1 206.X.X.X
global (DMZ) 1 206.X.X.X-206.X.X.X
nat (inside) 0 access-list 101
nat (inside) 1 1 170.X.X.X 255.255.255.0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (DMZ) 0 206.x.x.128 255.255.255.128 0 0
static (DMZ,outside) 206.X.X.X 206.X.X.X netmask 255.255.255.255 0 0

static (DMZ,outside) 206.X.X.X 206.X.X.X netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside
access-group dmz_coming_in in interface DMZ
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 206.X.X.X
route inside 10.0.0.0 255.0.0.0 170.X.X.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (DMZ) vendor n2h2 host 206.X.X.X port 4005 timeout 5 protocol TCP
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:3d41e9f201f32c7fbe9ac8dbafaf863e
: end
[OK]
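Before the replies, a quick way to check a PIX 6.x dump for the things a reviewer would pick on in the one above: the legacy conduit sitting next to access-group ACLs, the permit icmp any any inbound on outside, the default SNMP community, the fail-open URL filter, nat ids with no matching global, and global pools that lie off their interface's subnet. This is an added example, not the poster's config and not Cisco tooling; SAMPLE_CONFIG is constructed from the posted config with the redacted 206.X.X.X and 170.X.X.X addresses replaced by RFC 5737 documentation ranges, and the nat id 2 and 3 lines are added only to exercise the pool checks.

```python
"""Lint a Cisco PIX 6.x configuration dump for the weak spots visible in the
posted one.  Added example, not from the original post or from Cisco.
SAMPLE_CONFIG is constructed: it follows the posted config with the redacted
206.X.X.X / 170.X.X.X addresses replaced by RFC 5737 documentation ranges,
plus nat ids 2 and 3 added to exercise the pool checks."""
import ipaddress

SAMPLE_CONFIG = """\
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
access-list outside_access_in permit tcp any host 203.0.113.140 eq smtp
access-list outside_access_in permit icmp any any
access-list outside_access_in deny ip any any
ip address outside 203.0.113.2 255.255.255.128
ip address inside 198.51.100.2 255.255.255.0
ip address DMZ 203.0.113.252 255.255.255.128
global (outside) 1 203.0.113.90-203.0.113.120 netmask 255.255.255.128
global (outside) 2 192.0.2.50
global (DMZ) 1 203.0.113.200-203.0.113.210
nat (inside) 0 access-list 101
nat (inside) 1 198.51.100.0 255.255.255.0 0 0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (inside) 2 172.16.0.0 255.255.0.0 0 0
nat (inside) 3 172.17.0.0 255.255.0.0 0 0
static (DMZ,outside) 203.0.113.140 203.0.113.140 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 203.0.113.1
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
snmp-server community public
"""


def parse(config):
    """Tokenise each line; skip blanks, '!' comments and ': end' trailers."""
    return [ln.split() for ln in config.splitlines()
            if ln.strip() and not ln.startswith(("!", ":"))]


def iface_networks(cmds):
    """'ip address <ifc> <ip> <mask>' -> {ifc: IPv4Interface}."""
    return {c[2]: ipaddress.ip_interface(f"{c[3]}/{c[4]}")
            for c in cmds if c[:2] == ["ip", "address"] and len(c) >= 5}


def lint(config):
    """Return (rule, message) findings; each rule is deliberately narrow."""
    cmds = parse(config)
    nets = iface_networks(cmds)
    out = []

    # Two inbound policies at once: legacy conduits next to access-group ACLs.
    if any(c[0] == "conduit" for c in cmds) and any(c[0] == "access-group" for c in cmds):
        out.append(("conduit", "conduit statements coexist with access-group ACLs; "
                               "inbound policy is split across two mechanisms"))

    bound = {c[1]: c[4] for c in cmds if c[0] == "access-group" and len(c) >= 5}
    for c in cmds:
        if c[0] == "access-list" and c[2:6] == ["permit", "icmp", "any", "any"] \
                and bound.get(c[1]) == "outside":
            out.append(("acl", f"{c[1]} permits every ICMP type from any source inbound on outside"))
        elif c[:2] == ["snmp-server", "community"] and len(c) > 2 and c[2] in ("public", "private"):
            out.append(("snmp", f"well-known community string '{c[2]}'"))
        elif c[:2] == ["filter", "url"] and c[-1] == "allow":
            out.append(("filter", "'allow' fails open: HTTP passes unfiltered when the URL server is down"))

    # Every nat id other than 0 needs a global pool with the same id somewhere.
    global_ids = {c[2] for c in cmds if c[0] == "global"}
    for c in cmds:
        if c[0] == "nat" and c[2] != "0" and c[2] not in global_ids:
            out.append(("nat", f"nat {c[1]} id {c[2]} has no global pool; those hosts get no translation"))

    # A pool off its interface's subnet only works if the next hop has a route for it.
    for c in cmds:
        if c[0] == "global" and c[3] != "interface":
            ifc = c[1].strip("()")
            lo, _, hi = c[3].partition("-")
            net = nets.get(ifc)
            if net and not all(ipaddress.ip_address(a) in net.network for a in (lo, hi or lo)):
                out.append(("global", f"global ({ifc}) {c[2]} pool {c[3]} is not in {net.network}; "
                                      f"the next hop needs a route for it via {net.ip}"))
    return out


if __name__ == "__main__":
    for rule, msg in lint(SAMPLE_CONFIG):
        print(f"[{rule}] {msg}")
```

Run it against a real `write terminal` dump by reading the file into `lint()`; the rules are intentionally literal (token matches on the PIX 6.x syntax) so a false positive is easy to trace back to the line that caused it.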



 
First look at your IP addressing - Do you REALLY NEED a full class A (/8) for your inside network?
------------------------------------------------------------
Your dmz needs to have a private RFC1918 address space and to be NATed to the outside via Static Assignments. Instead of a Class A (/8) network:

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

subnet yourself a little - at least use class B (/16)

nat (inside) 1 10.1.0.0 255.255.0.0
nat (dmz) 1 10.1.0.0 255.255.0.0


Or else use another RFC1918 addressing there
That allows for expansion and additional interfaces.
------------------------------------------------------
Sign up for CCO

and read this
Your statics

static (DMZ,outside) 206.X.X.X 206.X.X.X netmask 255.255.255.255 0 0

static (DMZ,outside) 206.X.X.X 206.X.X.X netmask 255.255.255.255 0 0


need to be like this

static (DMZ,outside) 206.X.X.X 10.X.X.X netmask 255.255.255.255 0 0

static (DMZ,outside) 206.X.X.X 10.X.X.X netmask 255.255.255.255 0 0


to match your dmz IP Addressing scheme chosen above.
------------------------------------------------------
Next step is to get the PIX to a minimal config - put a web server box on the DMZ, address it accordingly and configure the PIX

conf t
no access-list dmz_access-in
access-list dmz_coming_in permit tcp host 206.X.X.X host any eq www
access-group dmz_coming_in in interface dmz
wr mem
clear xlate


and test access to it from the outside on the desired port/service.
------------------------------------------------------
Oh - and do a
no conduit permit icmp any any
You can add this statement at the end of appropriate ACLS as needed.
access-list ???????? permit icmp any any
----------------------------------------------------------
You might also try removing any reference to failover - just get it working as a single PIX first.
---------------------------------------------------------
Once you can access a machine in the DMZ - just add one machine/port at a time.

"If you lived here, you'd be home by now!"

George Carlin
 
Sorry - my mention above to

access-list dmz_access-in

should read

access-list dmz_coming_in

"If you lived here, you'd be home by now!"

George Carlin
 
Sh*t, I wish I could edit my previous post -

nat (inside) 1 10.1.0.0 255.255.0.0
nat (dmz) 1 10.1.0.0 255.255.0.0

should read

nat (inside) 1 10.0.0.0 255.255.0.0
nat (dmz) 1 10.1.0.0 255.255.0.0

"If you lived here, you'd be home by now!"

George Carlin
 
I need a full class A (/8) for my inside network because
I have a network with 200 sites. All sites come to my datacenter and then go to the Internet. Each site is in a different subnet and each subnet is divided with a 255.255.240 subnet mask.
Regarding my DMZ: I have a complete 206.x.x.x address range, subnetted into 2 networks with a 255.255.255.128 subnet mask:
206.x.x.1-206.x.x.126 is my outside
206.x.x.129-206.x.x.254 is my DMZ

I have another range of addresses from my other ISP, but we are only using that for mail and DNS; later we are going to this 206.x.x.x ISP. So my inside addresses are
170.1.x.x for the PIX inside and my internal router outside interface:
170.1.x.x is PIX inside
170.1.x.x is internal router outside interface
and my router LAN interface is 10.x.x.x and 170.2.x.x (secondary). In the existing network, instead of the PIX I have a different firewall. What I am trying to do is connect from the 10.x.x.x network. I am able to ping the inside interface of the PIX, and when I use sh xlate I can see all my addresses NATed to 207.x.x.x addresses, but I cannot go to the Internet. From the PIX I can ping my inside interface on the PIX; from the DMZ I can connect to my inside network.

Is it a must to change the DMZ addresses, or is there any other way?
I tested the same kind of setup in my lab, except I did not have my 10.x.x.x addresses; I had 170.1.x.x addresses. I was able to browse the Internet and connect to servers in the DMZ, but when I tried to move it into production it did not work from the 10.0.0.0 addresses. But it works from 170.1.x.x addresses.

Please help me with this. Thanks for the reply; I will try that tomorrow.
 
re: "i had 170.1.x.x address i was able to browse internet and connect to servers in dmz, but when tried to move into production it didnot work from 10.0.0.0 address. but it works from 170.1.x.x address"

It sounds like you're not getting through border routers, etc., with the 206 address space then. It could have nothing to do with the PIX.

Can you trace a route out anywhere with the 206 addresses? Where does it stop? Do you have gateway(s) of last resort set as needed? Can you statically address a machine directly on the outside with a 206 number, bypassing the firewall, and get out?

And the 10.xxx.xxx.xxx addressing - class A, not a problem I'm sure - just an idea.

I need to defer to others' ideas since I'm a little at a loss. I think the basic idea of getting the firewall down to a simpler configuration and making one piece at a time work is your best solution though - for example the failover and the three interfaces. Just get traffic flowing from inside to the Internet, then from inside to devices in the DMZ or outside (if required), and from outside in to your web and mail services.

Broken into smaller pieces it should be more manageable.

"If you lived here, you'd be home by now!"

George Carlin
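The troubleshooting sequence in the last reply (find where the flow stops, and decide whether the remaining question is on the PIX or on the border router) and the nat/global/route advice earlier in the thread, as an added Python example that is not part of any post here. It models the posted NAT, global and route tables with constructed RFC 5737 addresses in place of the redacted 206.X.X.X and 170.X.X.X ones and walks one inside host's outbound packet through them. The nat-selection order used (nat 0 exemption first, then the most specific matching nat statement) is a simplification chosen for this example, not a statement of the PIX's full translation order.

```python
"""Walk one inside host's outbound packet through the PIX NAT and routing
tables to find where it stops and whether the remaining question belongs to
the PIX or to the border router.  Added example, not from any post in the
thread; the tables mirror the posted config with the redacted 206.X.X.X and
170.X.X.X addresses replaced by constructed RFC 5737 documentation ranges."""
import ipaddress as ipa

# ip address <ifc> <ip> <mask>
IFACES = {
    "outside": ipa.ip_interface("203.0.113.2/255.255.255.128"),
    "inside":  ipa.ip_interface("198.51.100.2/255.255.255.0"),
    "DMZ":     ipa.ip_interface("203.0.113.252/255.255.255.128"),
}
# nat (inside) <id> ...  as (id, source net, destination net); id 0 means no
# translation.  'nat (inside) 0 access-list 101' is modelled as the inside
# /24 talking to the DMZ half of the /25, as access-list 101 in the post does.
NAT = [
    (0, "198.51.100.0/24", "203.0.113.128/25"),
    (1, "198.51.100.0/24", "0.0.0.0/0"),
    (1, "10.0.0.0/8",      "0.0.0.0/0"),
]
# global (<ifc>) <id> <first>-<last>
GLOBAL = {("outside", 1): ("203.0.113.90", "203.0.113.120"),
          ("DMZ", 1):     ("203.0.113.200", "203.0.113.210")}
# route <ifc> <net> <mask> <gateway>
ROUTES = [("outside", "0.0.0.0/0", "203.0.113.1"),
          ("inside",  "10.0.0.0/8", "198.51.100.1")]


def lookup(ip):
    """Interface and next hop for ip: connected networks first, then the
    most specific static route (this PIX has nothing but static routes)."""
    ip = ipa.ip_address(ip)
    for ifc, addr in IFACES.items():
        if ip in addr.network:
            return ifc, None
    best = max((r for r in ROUTES if ip in ipa.ip_network(r[1])),
               key=lambda r: ipa.ip_network(r[1]).prefixlen, default=None)
    return (best[0], best[2]) if best else (None, None)


def walk(src, dst):
    """Return (check, passed, detail) tuples; stop at the first failure."""
    src_ip, dst_ip = ipa.ip_address(src), ipa.ip_address(dst)
    checks = []

    egress, gw = lookup(dst)
    checks.append(("egress route", egress is not None,
                   f"{dst} leaves via {egress} to {gw or 'connected segment'}"))
    if egress is None:
        return checks

    # Replies come back to the PIX from the outside and must be routed to the
    # client; a source with no inside route would be sent back out the outside.
    ingress, back_gw = lookup(src)
    checks.append(("return route", ingress == "inside",
                   f"{src} is reached via {ingress} ({back_gw or 'connected'})"))
    if ingress != "inside":
        return checks

    # nat selection (simplified here: nat 0 exemptions win, then the most
    # specific matching nat statement).
    cands = [n for n in NAT
             if src_ip in ipa.ip_network(n[1]) and dst_ip in ipa.ip_network(n[2])]
    exempt = [n for n in cands if n[0] == 0]
    if exempt:
        checks.append(("nat", True, f"nat 0 for {exempt[0][1]} -> {exempt[0][2]}: no translation"))
        return checks
    match = max(cands, key=lambda n: ipa.ip_network(n[1]).prefixlen, default=None)
    checks.append(("nat", match is not None,
                   f"nat (inside) {match[0]} {match[1]}" if match
                   else "no nat statement covers this source"))
    if match is None:
        return checks

    pool = GLOBAL.get((egress, match[0]))
    checks.append(("global", pool is not None,
                   f"global ({egress}) {match[0]} {pool[0]}-{pool[1]}" if pool
                   else f"no global ({egress}) {match[0]}: nothing to translate to"))
    if pool is None:
        return checks

    # If the pool sits on the egress subnet the next hop ARPs for it and the
    # PIX answers; otherwise the next hop must carry a route for the pool.
    net = IFACES[egress].network
    on_link = all(ipa.ip_address(a) in net for a in pool)
    checks.append(("pool reachability", True,
                   f"pool is on {net}; next hop delivers replies by ARP" if on_link
                   else f"pool is off {net}; the next hop needs a route for it via {IFACES[egress].ip}"))
    return checks


def verdict(src, dst):
    failed = [c for c in walk(src, dst) if not c[1]]
    if failed:
        return f"stops on the PIX at '{failed[0][0]}': {failed[0][2]}"
    return ("PIX side passes; next look upstream: address a host directly on the "
            "outside segment and trace where its packets stop")


if __name__ == "__main__":
    for s in ("10.0.5.7", "198.51.100.20", "172.16.0.5"):
        print(s, "->", verdict(s, "192.0.2.10"))
```

With the posted tables both a 10.x host and a 170.1.x host pass every PIX-side check, which is the point the reply makes: when `sh xlate` already shows the translation, the next thing to test is the path upstream of the PIX, not the PIX itself.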
 