Unable to access internet + Cisco PIX 506E, URGENT!!! 2

[rflora]

Hi,

I have the following configuration on Cisco PIX 506E firewall and I'm unable to access the internet or ping an outside address. I have Satellite Internet, which is by Direcway. A module DW4020 by Direcway is acting as a gateway to the internet on my current firewall which is not a Cisco firewall and is working just fine.

If someone could help me figure out what i'm missing in the PIX configuration, I would really appreciate it.

Thanks in advance.

:
PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXX encrypted
hostname XXXXXXXXXX
domain-name XXXXX
clock timezone EST -5
clock summer-time EDT recurring
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
names
access-list compiled
access-list XXXXX permit ip 192.168.201.0 255.255.255.0 host 192.168.1.11
access-list XXXXX permit ip 192.168.201.0 255.255.255.0 host 192.168.1.80
access-list XXXXX permit ip host 192.168.1.11 192.168.201.0 255.255.255.0
access-list XXXXX permit ip host 192.168.1.80 192.168.201.0 255.255.255.0
access-list inside permit ip any any
access-list inside permit icmp any any
no pager
logging on
logging timestamp
logging standby
logging console emergencies
logging monitor alerts
logging buffered errors
logging trap notifications
logging history notifications
logging facility 22
no logging message 305005
no logging message 304001
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
ip address outside 66.82.155.101 255.255.255.252
ip address inside 192.168.201.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.201.1 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 192.168.201.1 255.255.255.255 66.82.155.102 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 64.26.173.193 source outside
ntp server 64.26.173.192 source outside prefer
http server enable
http 192.168.201.0 255.255.255.0 inside
snmp-server location XXXXXXXX
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set XXXXXX esp-des esp-md5-hmac
crypto map XXXXX 1 ipsec-isakmp
crypto map XXXXX 1 set peer XXXXX
crypto map XXXXX 1 set transform-set pensontset
crypto map XXXXX interface outside
isakmp enable outside
isakmp key ******** address XXXXX netmask 255.255.255.192
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
username XXXXX password XXXXX encrypted privilege 15
terminal width 120
Cryptochecksum:XXXXX: end
[OK]

 

[MichealC4]

In your access-list, try permitting tcp traffic as well. By the way, I highly recommend you disable ICMP traffic going out once you get this working as that is one way viruses spread, by pinging each other. Have you also tried the PDM? It's a handy little tool.

----------------------------
I am Comptia A+ Certified

 

[rflora]

Thanks for the reply.

I tried inserting permit tcp in the access-list but no change. I'm not sure, but from the PIX console i'm not able to ping my "outside" IP address which is 66.82.155.101... am i suppose to be able to ping that? Yea, I did try the PDM as well but no luck.

Any more ideas? Anyone?

 

[dopehead]

Maybe i am missing something, but i don't see any access-group commands to apply the access-list to an interface.

Also why would you have a static route :
route outside 192.168.201.1 255.255.255.255 66.82.155.102 1
???? what good is this, please remove that it has no possible use since 192.168.201.1 is on the pix inside and your route goes to the outside.

Also check the interfaces, maybe your satelite is running 10mbit, your interfaces are forced to 100mbit full duplex.

Jan


Network Systems Engineer
CCNA/CQS/CCSP

 

[rflora]

I put that static route in because nothing else was working so i was just trying things! Aren't the following commands applying the access list to the "inside" interface? Do i still need to put something else in? If so, plz provide me with the commands. I'm fairly new with these commands.

access-list inside permit ip any any
access-list inside permit icmp any any

And, Yes I did check the modem before to ensure that it can run at 100full. I've changed the PIX to 10full and 10half while troubleshooting but didn't work!

Help!!

 

[bell1996]

look at your route statement. You don't have a default route out towards the internets. Try inserting this:

route outside 0.0.0.0 0.0.0.0 66.82.155.102

 

[yert33]

You need the a command like the following to actually apply the access-lists to the interfaces. Otherwise, they do nothing.

access-group <access-list name> in interface <interface name>


Your commands:
access-list inside permit ip any any
access-list inside permit icmp any any
are creating an access-list named "inside". Not applying it to an interface named "inside".

Also, from the way I understand the documentation, if you have fewer than 19 access-list commands, the access-list compile command is not applicable.

Also......your access-list XXXXX commands are confusing to me. What interface are the 192.168.1.x devices?

 

[rflora]

Thanks Everyone,

I finally access the internet. I reset the PIX to factory default setting and configured it from scratch. Fixed everything that is mentioned above, and figured out I was missing the following line.

global (outside) 1 interface

It seems to be working just fine now!

Thanx again to all who replied.