Firewall Wizards mailing list archives
Re: Cisco PiX 501 running 6.2 - Defying me for no reason
From: "Kyle King" <KKing () Bankshill com>
Date: Mon, 15 Mar 2004 16:29:02 -0800
Can you send the configuration for your PIX? I think that would be more helpful in determining the problem. Of course, I would change all external addresses, just to be safe.
Note: Since I am a C++ programmer by training, and because I don't know the correct delimiter, all comments will be preceded by '//'.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted //password removed, even though encrypted
passwd xxx encrypted
hostname pixfirewall //will be changed
domain-name ciscopix.com //also will be changed
fixup protocol ftp 21 //when I reset the firewall to factory standards, these are in place
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_out permit icmp any any //just for debug purposes, will be taken out later
access-list acl_in permit icmp any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside y.y.y.146 255.255.252.0 //address taken out, and final number changed
ip address inside x.x.x.1 255.255.255.0 //address taken out, and final number changed
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface //PAT translate for all computers to outside line
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside //used with the access-list command, to be taken out
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 y.y.y.1 1 //this command actually fails when I use the startup wiz
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http x.x.x.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address x.x.x.11-x.x.x.30 inside //address hidden
dhcpd lease 28800 //correct timeout, we wanted an 8 hour timeout
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
vpnclient vpngroup *********** password ******** //group and password removed
vpnclient username ******* password ***** //user and password removed
vpnclient server x.x.x.x //server removed - see note 2 below
vpnclient mode client-mode
terminal width 80 //vpnclient enable not turned on at this time

Note 2: We know we have the right information there because the VPN client we were going to use originally works when we place a computer on its own line without a firewall. I just transpose the group and group password fields from the client to the vpngroup command, and the user/password that comes up during connect, to the username command.
Also, do you have a Smartnet contract on your PIX?
Sadly no.

Steve Fletcher
When I configure one of the computers with the appropriate information for a static IP, the computer connects to the internet fine (this is when not connected with the PiX between it). However, it requires that I supply the DNS servers. When I configure the PiX to access the internet using a static IP, nowhere do I find the command/option to input the DNS servers; and besides that, when I use a static IP, the computers behind the firewall cannot access the internet.
This turned out to be an issue with our modem. It used MAC addresses to assign static IPs, so when I transferred the static to the firewall, the modem did not like that. A modem reset fixed that issue. However, when I use the configuration I have shown above, I can only ping addresses from both the firewall and PC. I cannot ping names, such as www.google.ca (which I use as my test page simply because I know the address for it (66.102.7.104)). When I try to ping a name from the PC, it comes back as no such name exists, and I can't seem to make the firewall ping any name, possibly due to the way the ping command on the firewall works.

Anyway, when I enable the VPN client, all access, including those pings, stops working. However, according to the little LED on the front, I am connected to the VPN. I don't have access to anything on their end, however.

Well, there is the needed information. I hope it helps.

Kyle King
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
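An added example, not part of the thread or of any Cisco tool: a small Python linter that parses a config dump in the shape posted above (the poster's ad-hoc '//' comments included) and reports three things a reviewer would check before going further, namely a DHCP server on inside with a static outside address but no `dhcpd dns` line, an ACL that permits `any any` inbound on outside, and an SNMP community still set to `public`. The embedded config is a constructed excerpt of the posted one; the `x.x.x.x` and `y.y.y.y` placeholders are the post's, and the `x.x.x.53` DNS server used to show the fix clearing is made up.

```python
"""Lint a PIX 6.x-style config dump for a few pitfalls a reviewer would flag."""
import re

# Constructed excerpt of the config posted in the thread, keeping the poster's
# '//' comments so the parser has to strip them. The x.x.x.x / y.y.y.y
# placeholders are the ones used in the post, not real addresses.
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list acl_out permit icmp any any //just for debug purposes
access-list acl_in permit icmp any any
ip address outside y.y.y.146 255.255.252.0
ip address inside x.x.x.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 y.y.y.1 1
http server enable
http x.x.x.0 255.255.255.0 inside
snmp-server community public
dhcpd address x.x.x.11-x.x.x.30 inside
dhcpd lease 28800
dhcpd auto_config outside
dhcpd enable inside
"""

ACL_RE = re.compile(r"access-list (\S+) (permit|deny) (\S+) (\S+) (\S+)$")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)$")


def parse_config(text):
    """Split a pasted config into command lines, dropping '//' notes and blanks."""
    commands = []
    for raw in text.splitlines():
        cmd = raw.split("//", 1)[0].strip()  # the poster's ad-hoc comment marker
        if cmd:
            commands.append(cmd)
    return commands


def lint_pix(commands):
    """Return (code, message) findings for a list of parsed config commands."""
    findings = []

    def has(prefix):
        return any(cmd.startswith(prefix) for cmd in commands)

    # 'dhcpd auto_config outside' copies DNS/WINS from a DHCP lease on the
    # outside interface. With a static outside address there is no lease, so
    # inside clients get no DNS unless 'dhcpd dns <server>' is configured.
    static_outside = has("ip address outside ") and not has("ip address outside dhcp")
    if has("dhcpd enable") and static_outside and not has("dhcpd dns"):
        findings.append(("dhcpd-no-dns",
                         "inside DHCP clients receive no DNS servers: outside is static, "
                         "so add 'dhcpd dns <server>'"))

    # Collect ACEs in the simple 'proto src dst' form used in the post; the
    # host/netmask and port-qualified forms are outside this check's scope.
    acls = {}
    for cmd in commands:
        m = ACL_RE.match(cmd)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2, 3, 4, 5))

    # Every access-group must name an existing ACL, and anything permitted
    # 'any any' inbound on outside is reachable from the whole Internet.
    for cmd in commands:
        m = GROUP_RE.match(cmd)
        if not m:
            continue
        name, iface = m.groups()
        if name not in acls:
            findings.append(("acl-missing",
                             f"access-group {name} on {iface} references an undefined ACL"))
        elif iface == "outside":
            for action, proto, src, dst in acls[name]:
                if action == "permit" and src == "any" and dst == "any":
                    findings.append(("outside-permit-any",
                                     f"ACL {name} permits {proto} from any to any inbound on outside"))

    # The PIX ships with the community 'public'; leaving it means anyone who
    # can reach the agent can read the MIB with a well-known string.
    if has("snmp-server community public"):
        findings.append(("snmp-default-community",
                         "SNMP community string is still the default 'public'"))
    return findings


if __name__ == "__main__":
    for code, message in lint_pix(parse_config(PIX_CONFIG)):
        print(f"{code}: {message}")
```

Run against the excerpt it reports all three findings; appending a `dhcpd dns` line clears the first, and the ACL check is deliberately limited to the bare `proto any any` entries seen in the post rather than attempting full PIX ACL grammar.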
Current thread:
- Cisco PiX 501 running 6.2 - Defying me for no reason Kyle King (Mar 15)
- <Possible follow-ups>
- RE: Cisco PiX 501 running 6.2 - Defying me for no reason Crissup, John (MBNP is) (Mar 18)
- RE: Cisco PiX 501 running 6.2 - Defying me for no reason Steven A. Fletcher (Mar 18)
- Re: Cisco PiX 501 running 6.2 - Defying me for no reason Kyle King (Mar 18)
- RE: Cisco PiX 501 running 6.2 - Defying me for no reason Josh Welch (Mar 18)
- Re: Cisco PiX 501 running 6.2 - Defying me for no reason Kyle King (Mar 19)
- Re: Cisco PiX 501 running 6.2 - Defying me for no reason Kyle King (Mar 18)
- RE: Cisco PiX 501 running 6.2 - Defying me for no reason Steven A. Fletcher (Mar 18)