Re: newbie cisco pix 501 config problem

From: srihari rao (srihari_kotni_at_yahoo.com)
Date: 09/30/03


Date: 30 Sep 2003 02:48:50 -0700

Please provide the netmask for every address you are mentioning.
There is a basic routing problem in your configuration. If you have
the cable modem router with you, it generally has a NAT function
built-in. You don't need a separate NAT rule.

cheers

srihari

j@jensen-net.org (dkjkj) wrote in message news:<748f38c5.0309281853.4da40d34@posting.google.com>...
> andi_home@cbn.at (schiefiix) wrote in message news:<6baa75c6.0309252335.610ce916@posting.google.com>...
> > hey,
> >
> > yes, i already tried several nat configs, with no effect at all.
> > does your pix do its job already?
> >
> > thx for help!
> > andi
> >
> > cmdrsalamander@hotmail.com (CmdrSalmanader) wrote in message news:<73600bc9.0309251325.25998511@posting.google.com>...
> > > Andi,
> > >
> > > I'm having a similar problem. Without being an expert, I would
> > > swear that it was the global and nat entries. As you have set it, you
> > > are telling the pix that your outer address range is .1-.50. I don't
> > > think it is for you. I think your outer address range is only .147.
> > > try "global (outside) 1 192.168.123.147 netmask 255.255.255.255" or
> > > something to this effect whereby you are nat'ting at the firewall.
> > >
> > > Best of luck
> > > Salman
> > >
> > >
> > >
> > > andi_home@cbn.at (schiefiix) wrote in message news:<6baa75c6.0309250541.1189a504@posting.google.com>...
> > > > hi!
> > > >
> > > > i have several problems configuring my cisco pix 501. i know i am a
> > > > newbie,..
> ...
> > > > global (outside) 1 192.168.123.1-192.168.123.50 netmask 255.255.255.0
> > > > global (outside) 1 interface
> > > > global (outside) 1 192.168.123.147
> > > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > > > access-group outside_access_in in interface outside
> > > > access-group inside_access_in in interface inside
> > > > route outside 0.0.0.0 0.0.0.0 192.168.123.254 1
>
> Hi,
>
> I'm also new to the PIX firewalls, but after reading a book "Cisco PIX
> firewalls" by Osborne, I got my PIX to work almost flawlessly for the
> basic stuff. If you only have one public IP address you need to use
> the PAT feature of the PIX:
> global (outside) 1 interface
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
>
> Another piece of advice that brought me from deep frustration to almost
> liking Cisco was switching from the PDM to the serial interface. When you
> reset the router back to basic it will prompt you to set up the basic
> stuff for the firewall. Then from there on it is pretty easy to set up
> the rest so that you have a working firewall.
>
> My basic setup is 1 public IP assigned from my ISP thru DHCP.
>
> Here is my current configuration. I know of one problem and that is
> pinging an outside device does not work, but that is "just" until I get
> the icmp setup correct.
>
> PIX Version 6.3(1)
> interface ethernet0 auto
> interface ethernet1 100full
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password xxxxxx
> passwd xxxxx
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> names
> object-group icmp-type icmp_trafic
> icmp-object echo-reply
> icmp-object source-quench
> icmp-object unreachable
> icmp-object time-exceeded
> access-list PERMIT_IN deny tcp any any
> access-list PERMIT_IN deny ip any any
> access-list PERMIT_IN deny udp any any
> access-list PERMIT_IN permit icmp any any object-group icmp_trafic
> access-list PERMIT_OUT permit tcp any any
> access-list PERMIT_OUT permit ip any any
> access-list PERMIT_OUT permit udp any any
> access-list PERMIT_OUT permit icmp any any
> pager lines 24
> logging on
> logging timestamp
> logging buffered debugging
> icmp permit any echo-reply outside
> icmp permit any information-reply outside
> icmp permit any mask-reply outside
> icmp permit any parameter-problem outside
> icmp permit any source-quench outside
> icmp permit any time-exceeded outside
> icmp permit any timestamp-reply outside
> icmp permit any unreachable outside
> icmp deny any outside
> mtu outside 1500
> mtu inside 1500
> ip address outside dhcp setroute retry 9
> ip address inside 192.168.195.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> access-group PERMIT_IN in interface outside
> access-group PERMIT_OUT in interface inside
> rip outside passive version 2
> rip inside default version 2
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> http server enable
> http 192.168.0.0 255.255.0.0 inside
> http 192.168.195.0 255.255.255.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> telnet 192.168.0.0 255.255.0.0 inside
> telnet 192.168.195.0 255.255.255.0 inside
> telnet timeout 10
> ssh timeout 5
> console timeout 0
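Added example, not from any poster in this thread: a small Python lint that reads the `global`, `nat`, `access-list` and `access-group` lines quoted above and reports the two things the thread turns on. First, a `nat` id that has no `global` pool, or a pool that mixes an address range with `interface` PAT when the site only owns one public address (the original poster's three `global (outside) 1` lines). Second, ACL ordering: the PIX evaluates an access-list top-down and stops at the first match, so in the quoted PERMIT_IN list the `permit icmp` entry sits below `deny ip any any` and can never fire, which is why echo replies never make it back to the inside. The sample config is constructed from the lines quoted in the thread; the regexes, function names and finding wording are my own.

```python
import re
from typing import Dict, List

# Constructed sample, taken from the lines quoted in the thread: the original
# poster's three "global (outside) 1" pools plus the later reply's PERMIT_IN ACL.
SAMPLE_CONFIG = """\
global (outside) 1 192.168.123.1-192.168.123.50 netmask 255.255.255.0
global (outside) 1 interface
global (outside) 1 192.168.123.147
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list PERMIT_IN deny tcp any any
access-list PERMIT_IN deny ip any any
access-list PERMIT_IN deny udp any any
access-list PERMIT_IN permit icmp any any object-group icmp_trafic
access-list PERMIT_OUT permit ip any any
access-group PERMIT_IN in interface outside
access-group PERMIT_OUT in interface inside
"""

GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)(?: netmask (\S+))?$")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")


def parse(config: str) -> dict:
    """Collect global pools (keyed by NAT id), nat statements, ACL entries in
    their original order, and access-group bindings. A leading Usenet-style
    '> ' quote prefix on a line is tolerated so pasted posts can be checked."""
    pools: Dict[str, List[dict]] = {}
    nats: List[dict] = []
    acls: Dict[str, List[dict]] = {}
    groups: Dict[str, str] = {}
    for raw in config.splitlines():
        line = raw.lstrip("> ").strip()
        if m := GLOBAL_RE.match(line):
            pools.setdefault(m.group(2), []).append(
                {"iface": m.group(1), "pool": m.group(3), "netmask": m.group(4)})
        elif m := NAT_RE.match(line):
            nats.append({"iface": m.group(1), "id": m.group(2),
                         "net": m.group(3), "mask": m.group(4)})
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(
                {"action": m.group(2), "proto": m.group(3), "rest": m.group(4)})
        elif m := GROUP_RE.match(line):
            groups[m.group(1)] = m.group(2)
    return {"pools": pools, "nats": nats, "acls": acls, "groups": groups}


def check_nat(parsed: dict) -> List[str]:
    """Every nat id except identity id 0 needs a matching global pool; a pool
    that mixes an address range with interface PAT deserves a second look when
    only one public address is actually routed to the firewall."""
    findings = []
    for nat in parsed["nats"]:
        if nat["id"] == "0":
            continue
        pools = parsed["pools"].get(nat["id"], [])
        if not pools:
            findings.append(f"nat id {nat['id']} on {nat['iface']}: no global pool, "
                            "inside hosts will not be translated")
            continue
        kinds = {"interface" if p["pool"] == "interface" else
                 "range" if "-" in p["pool"] else "single" for p in pools}
        if "range" in kinds and "interface" in kinds:
            findings.append(f"nat id {nat['id']}: pool mixes an address range with "
                            "interface PAT; with a single public address only the "
                            "interface entry is usable, drop the range unless you own it")
    return findings


def check_acls(parsed: dict) -> List[str]:
    """First-match evaluation: once an 'ip any any' entry is reached, every
    later entry in the same list is dead, whatever its action."""
    findings = []
    for name, entries in parsed["acls"].items():
        where = parsed["groups"].get(name, "unbound")
        catch_all = None
        for idx, e in enumerate(entries, start=1):
            if catch_all is not None:
                findings.append(f"{name} ({where}) line {idx} "
                                f"'{e['action']} {e['proto']} {e['rest']}' is unreachable: "
                                f"shadowed by catch-all at line {catch_all}")
            elif e["proto"] == "ip" and e["rest"] == "any any":
                catch_all = idx
    return findings


if __name__ == "__main__":
    cfg = parse(SAMPLE_CONFIG)
    for finding in check_nat(cfg) + check_acls(cfg):
        print(finding)
```

Run against the sample it reports one NAT finding (the range and the `interface` entry under id 1) and two unreachable PERMIT_IN entries (lines 3 and 4, shadowed by the `deny ip any any` at line 2); reordering the list so the `permit icmp ... object-group icmp_trafic` entry precedes the catch-all deny clears the second finding.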
