Firewall Wizards mailing list archives

Re: Cisco PiX 501 running 6.2 - Defying me for no reason


From: "Kyle King" <KKing () Bankshill com>
Date: Mon, 15 Mar 2004 16:29:02 -0800

Can you send the configuration for your PIX?  I think that would be more
helpful in determining the problem.  Of course, I would change all
external addresses, just to be safe.
Note: Since I am a C++ programmer by training, and because I don't know the
correct delimiter, all comments will be preceded by '//'

nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted //password removed, even tho encrypted
passwd xxx encrypted
hostname pixfirewall //will be changed
domain-name ciscopix.com //also will be changed
fixup protocol ftp 21 //when I reset the firewall to factory standards, these are in place
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_out permit icmp any any //just for debug purposes, will be taken out later
access-list acl_in permit icmp any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside y.y.y.146 255.255.252.0 //address taken out, and final number changed
ip address inside x.x.x.1 255.255.255.0 //address taken out, and final number changed
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface //PAT translate for all computers to outside line
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside //used with the access-list command, to be taken out
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 y.y.y.1 1 //this command actually fails when I use the startup wiz
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http x.x.x.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address x.x.x.11-x.x.x.30 inside //address hidden
dhcpd lease 28800 //correct timeout, we wanted 8 hour time out
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
vpnclient vpngroup *********** password ******** //group and password removed
vpnclient username ******* password ***** //user and password removed
vpnclient server x.x.x.x //server removed - see note 2 below
vpnclient mode client-mode
terminal width 80
//vpnclient enable not turned on at this time
Note 2 : we know we have the right information there because the VPN client
we were going to use originally works when we place a computer on its own
line without a firewall.  I just transpose the group and group password
fields from the client to the vpngroup command, and the user/password that
comes up during connect, to the username command.

Also, do you have a Smartnet contract on your PIX?

Sadly no.

Steve Fletcher


When I configure one of the computers with the appropriate information for a
static IP, the computer connects to the internet fine (this is when not
connected with the PiX between it).  However, it requires that I supply the
DNS servers.  When I configure the PiX to access the internet using a static
IP, nowhere do I find the command/option to input the DNS servers; and
besides that, when I use static IP, the computers behind the firewall cannot
access the internet.

This turned out to be an issue with our modem.  It used MAC addresses to
assign static IPs, so when I transferred the static to the firewall, the
modem did not like that.  A modem reset fixed that issue. However, when I
use the configuration I have shown above, I can only ping addresses from
both the firewall and PC.  I cannot ping names, such as www.google.ca (which
I use as my test page simply because I know the address for it
(66.102.7.104)).  When I try to ping a name from the PC, it comes back as no
such name exists, and I can't seem to make the firewall ping any name,
possibly due to the way the ping command on the firewall works.

Anyway, when I enable the VPN client, all access, including those pings,
stops working.  However, according to the little LED on the front, I am
connected to the VPN.  I don't have access to anything on their end however.

Well, there is the needed information.  I hope it helps.

Kyle King
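On the DNS question raised in the post above, here is an added configuration example; it is not part of Kyle's or Steve's messages. On PIX 6.x the firewall has no name-server setting of its own (its ping command takes an IP address), and `dhcpd auto_config outside` only copies DNS, WINS and domain values that the outside interface obtained as a DHCP client, so with the static `ip address outside` shown in the post it has nothing to hand to inside clients. The resolver addresses and domain below are constructed placeholders; the inside pool uses the post's x.x.x notation, and lines starting with `!` are explanatory comments.

```cisco
! Added example (not from the thread): inside DHCP scope on a PIX 6.x whose
! outside interface has a static address, with name servers set explicitly.
!
! "dhcpd auto_config outside" would only supply DNS/domain values learned by
! an outside DHCP client lease; with a static outside IP there is none, so
! the values are given directly (explicit dhcpd values take precedence).
dhcpd address x.x.x.11-x.x.x.30 inside
! constructed placeholder resolvers (use the ISP-supplied servers here)
dhcpd dns 198.51.100.53 198.51.100.54
! constructed placeholder search domain
dhcpd domain example.com
dhcpd lease 28800
dhcpd ping_timeout 750
dhcpd enable inside
!
! Verification, since the PIX itself does not resolve names:
!   from the firewall, ping by address only:   ping 66.102.7.104
!   from a client after renewing its lease:    nslookup www.google.ca
```

Clients that already hold a lease must release and renew it before they see the new name servers.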


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

