PIX NAT problem

NewsGroups | Search | Tools

User Password

Lost Password?

alt.certification.cisco

get this group's latest topics as an RSS feed

add this group's latest topics to your My MSN content

add this group's latest topics to your My Yahoo content

add this group's latest topics to your Google content

Yahoo!

Google

Windows Live

del.icio.us digg

digg

Netscape

Subject

Author

Date

PIX NAT problem

Song

10-19-2007

Re: PIX NAT problem

Brian V

10-19-2007

Song

Dan

Posted by Song on October 19, 2007, 5:54 pm

If you were Registered and logged in, you could reply and use other advanced thread options

Everything was working and all sudden, I can't brows Internet. Noticed that
workstations couldn't ping the PIX and the PIX couldn't ping the
workstations, but PIX can ping the world. I've looked at the config and the
NAT seems to be there. I even added access-list to permit any any with no
luck. Please help.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *************** encrypted
passwd ************* encrypted
hostname MyHostName
domain-name mydomain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 66.192.47.114 Ans
access-list 160 permit ip 192.168.60.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 161 permit ip 192.168.60.0 255.255.255.0 192.168.61.0
255.255.255.0
access-list 100 permit ip 192.168.60.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 100 permit ip 192.168.60.0 255.255.255.0 192.168.61.0
255.255.255.0
access-list 100 permit ip 192.168.60.0 255.255.255.0 192.168.70.0
255.255.255.0
access-list outside_cryptomap_40 permit ip 192.168.60.0 255.255.255.0
192.168.70.0 255.255.255.0
pager lines 24
logging monitor informational
mtu outside 1500
mtu inside 1500
ip address outside 66.71.212.181 255.255.255.128
ip address inside 192.168.60.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.60.10 255.255.255.255 inside
pdm location 76.44.56.18 255.255.255.255 outside
pdm location 10.1.0.0 255.255.0.0 outside
pdm location 192.168.61.0 255.255.255.0 outside
pdm location 192.168.70.0 255.255.255.0 outside
pdm location Ans 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit ip any any
route outside 0.0.0.0 0.0.0.0 66.71.212.129 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 76.44.56.18 255.255.255.255 outside
http 192.168.60.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set franklin esp-3des esp-md5-hmac
crypto map myhostname 10 ipsec-isakmp
crypto map myhostname 10 match address 160
crypto map myhostname 10 set peer 70.150.159.18
crypto map myhostname 10 set transform-set franklin
crypto map myhostname 20 ipsec-isakmp
crypto map myhostname 20 match address 161
crypto map myhostname 20 set peer 65.41.70.144
crypto map myhostname 20 set transform-set franklin
crypto map myhostname 40 ipsec-isakmp
crypto map myhostname 40 match address outside_cryptomap_40
crypto map myhostname 40 set peer 72.16.95.115
crypto map myhostname 40 set transform-set franklin
crypto map myhostname interface outside
isakmp enable outside
isakmp key ******** address 76.44.56.18 netmask 255.255.255.240
isakmp key ******** address 78.122.41.115 netmask 255.255.255.255 no-xauth
no-config-mode
isakmp key ******** address 66.72.44.144 netmask 255.255.255.128
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet Ans 255.255.255.255 outside
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:***********************
: end

Posted by Brian V on October 19, 2007, 7:21 pm

If you were Registered and logged in, you could reply and use other advanced thread options

> Everything was working and all sudden, I can't brows Internet. Noticed

> that workstations couldn't ping the PIX and the PIX couldn't ping the

> workstations, but PIX can ping the world. I've looked at the config and

> the NAT seems to be there. I even added access-list to permit any any

> with no luck. Please help.

> PIX Version 6.3(3)

> interface ethernet0 auto

> interface ethernet1 100full

> nameif ethernet0 outside security0

> nameif ethernet1 inside security100

> enable password *************** encrypted

> passwd ************* encrypted

> hostname MyHostName

> domain-name mydomain.com

> fixup protocol dns maximum-length 512

> fixup protocol ftp 21

> fixup protocol h323 h225 1720

> fixup protocol h323 ras 1718-1719

> fixup protocol http 80

> fixup protocol rsh 514

> fixup protocol rtsp 554

> fixup protocol sip 5060

> fixup protocol sip udp 5060

> fixup protocol skinny 2000

> fixup protocol smtp 25

> fixup protocol sqlnet 1521

> fixup protocol tftp 69

> names

> name 66.192.47.114 Ans

> access-list 160 permit ip 192.168.60.0 255.255.255.0 10.1.0.0 255.255.0.0

> access-list 161 permit ip 192.168.60.0 255.255.255.0 192.168.61.0

> 255.255.255.0

> access-list 100 permit ip 192.168.60.0 255.255.255.0 10.1.0.0 255.255.0.0

> access-list 100 permit ip 192.168.60.0 255.255.255.0 192.168.61.0

> 255.255.255.0

> access-list 100 permit ip 192.168.60.0 255.255.255.0 192.168.70.0

> 255.255.255.0

> access-list outside_cryptomap_40 permit ip 192.168.60.0 255.255.255.0

> 192.168.70.0 255.255.255.0

> pager lines 24

> logging monitor informational

> mtu outside 1500

> mtu inside 1500

> ip address outside 66.71.212.181 255.255.255.128

> ip address inside 192.168.60.1 255.255.255.0

> ip audit info action alarm

> ip audit attack action alarm

> pdm location 192.168.60.10 255.255.255.255 inside

> pdm location 76.44.56.18 255.255.255.255 outside

> pdm location 10.1.0.0 255.255.0.0 outside

> pdm location 192.168.61.0 255.255.255.0 outside

> pdm location 192.168.70.0 255.255.255.0 outside

> pdm location Ans 255.255.255.255 outside

> pdm logging informational 100

> pdm history enable

> arp timeout 14400

> global (outside) 1 interface

> nat (inside) 0 access-list 100

> nat (inside) 1 0.0.0.0 0.0.0.0 0 0

> conduit permit ip any any

> route outside 0.0.0.0 0.0.0.0 66.71.212.129 1

> timeout xlate 0:05:00

> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225

> 1:00:00

> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

> timeout uauth 0:05:00 absolute

> aaa-server TACACS+ protocol tacacs+

> aaa-server RADIUS protocol radius

> aaa-server LOCAL protocol local

> http server enable

> http 76.44.56.18 255.255.255.255 outside

> http 192.168.60.10 255.255.255.255 inside

> no snmp-server location

> no snmp-server contact

> snmp-server community public

> no snmp-server enable traps

> floodguard enable

> sysopt connection permit-ipsec

> sysopt connection permit-pptp

> crypto ipsec transform-set franklin esp-3des esp-md5-hmac

> crypto map myhostname 10 ipsec-isakmp

> crypto map myhostname 10 match address 160

> crypto map myhostname 10 set peer 70.150.159.18

> crypto map myhostname 10 set transform-set franklin

> crypto map myhostname 20 ipsec-isakmp

> crypto map myhostname 20 match address 161

> crypto map myhostname 20 set peer 65.41.70.144

> crypto map myhostname 20 set transform-set franklin

> crypto map myhostname 40 ipsec-isakmp

> crypto map myhostname 40 match address outside_cryptomap_40

> crypto map myhostname 40 set peer 72.16.95.115

> crypto map myhostname 40 set transform-set franklin

> crypto map myhostname interface outside

> isakmp enable outside

> isakmp key ******** address 76.44.56.18 netmask 255.255.255.240

> isakmp key ******** address 78.122.41.115 netmask 255.255.255.255 no-xauth

> no-config-mode

> isakmp key ******** address 66.72.44.144 netmask 255.255.255.128

> isakmp identity address

> isakmp policy 10 authentication pre-share

> isakmp policy 10 encryption 3des

> isakmp policy 10 hash md5

> isakmp policy 10 group 2

> isakmp policy 10 lifetime 86400

> telnet Ans 255.255.255.255 outside

> telnet 0.0.0.0 0.0.0.0 outside

> telnet 0.0.0.0 0.0.0.0 inside

> telnet timeout 5

> ssh 0.0.0.0 0.0.0.0 outside

> ssh timeout 30

> management-access inside

> console timeout 0

> terminal width 80

> Cryptochecksum:***********************

> : end

Config looks just fine. Is it a 501? Could you be out of licenses? Post a
show xlate, show local host and show conn

Posted by Song on October 23, 2007, 2:39 pm

If you were Registered and logged in, you could reply and use other advanced thread options

> Config looks just fine. Is it a 501? Could you be out of licenses? Post a

> show xlate, show local host and show conn

License is ok, rest is empty. Cleared crypto seems to fix it...

Posted by Dan on October 26, 2007, 3:25 pm

If you were Registered and logged in, you could reply and use other advanced thread options

There may be a physical or logical break between the PIX and your LAN
switch. You may also try reloading it - if this fixes it consider
upgrading to 6.3.5.

Brian V wrote:

>> Everything was working and all sudden, I can't brows Internet.

>> Noticed that workstations couldn't ping the PIX and the PIX couldn't

>> ping the workstations, but PIX can ping the world. I've looked at the

>> config and the NAT seems to be there. I even added access-list to

>> permit any any with no luck. Please help.

>> PIX Version 6.3(3)

>> interface ethernet0 auto

>> interface ethernet1 100full

>> nameif ethernet0 outside security0

>> nameif ethernet1 inside security100

>> enable password *************** encrypted

>> passwd ************* encrypted

>> hostname MyHostName

>> domain-name mydomain.com

>> fixup protocol dns maximum-length 512

>> fixup protocol ftp 21

>> fixup protocol h323 h225 1720

>> fixup protocol h323 ras 1718-1719

>> fixup protocol http 80

>> fixup protocol rsh 514

>> fixup protocol rtsp 554

>> fixup protocol sip 5060

>> fixup protocol sip udp 5060

>> fixup protocol skinny 2000

>> fixup protocol smtp 25

>> fixup protocol sqlnet 1521

>> fixup protocol tftp 69

>> names

>> name 66.192.47.114 Ans

>> access-list 160 permit ip 192.168.60.0 255.255.255.0 10.1.0.0 255.255.0.0

>> access-list 161 permit ip 192.168.60.0 255.255.255.0 192.168.61.0

>> 255.255.255.0

>> access-list 100 permit ip 192.168.60.0 255.255.255.0 10.1.0.0 255.255.0.0

>> access-list 100 permit ip 192.168.60.0 255.255.255.0 192.168.61.0

>> 255.255.255.0

>> access-list 100 permit ip 192.168.60.0 255.255.255.0 192.168.70.0

>> 255.255.255.0

>> access-list outside_cryptomap_40 permit ip 192.168.60.0 255.255.255.0

>> 192.168.70.0 255.255.255.0

>> pager lines 24

>> logging monitor informational

>> mtu outside 1500

>> mtu inside 1500

>> ip address outside 66.71.212.181 255.255.255.128

>> ip address inside 192.168.60.1 255.255.255.0

>> ip audit info action alarm

>> ip audit attack action alarm

>> pdm location 192.168.60.10 255.255.255.255 inside

>> pdm location 76.44.56.18 255.255.255.255 outside

>> pdm location 10.1.0.0 255.255.0.0 outside

>> pdm location 192.168.61.0 255.255.255.0 outside

>> pdm location 192.168.70.0 255.255.255.0 outside

>> pdm location Ans 255.255.255.255 outside

>> pdm logging informational 100

>> pdm history enable

>> arp timeout 14400

>> global (outside) 1 interface

>> nat (inside) 0 access-list 100

>> nat (inside) 1 0.0.0.0 0.0.0.0 0 0

>> conduit permit ip any any

>> route outside 0.0.0.0 0.0.0.0 66.71.212.129 1

>> timeout xlate 0:05:00

>> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225

>> 1:00:00

>> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

>> timeout uauth 0:05:00 absolute

>> aaa-server TACACS+ protocol tacacs+

>> aaa-server RADIUS protocol radius

>> aaa-server LOCAL protocol local

>> http server enable

>> http 76.44.56.18 255.255.255.255 outside

>> http 192.168.60.10 255.255.255.255 inside

>> no snmp-server location

>> no snmp-server contact

>> snmp-server community public

>> no snmp-server enable traps

>> floodguard enable

>> sysopt connection permit-ipsec

>> sysopt connection permit-pptp

>> crypto ipsec transform-set franklin esp-3des esp-md5-hmac

>> crypto map myhostname 10 ipsec-isakmp

>> crypto map myhostname 10 match address 160

>> crypto map myhostname 10 set peer 70.150.159.18

>> crypto map myhostname 10 set transform-set franklin

>> crypto map myhostname 20 ipsec-isakmp

>> crypto map myhostname 20 match address 161

>> crypto map myhostname 20 set peer 65.41.70.144

>> crypto map myhostname 20 set transform-set franklin

>> crypto map myhostname 40 ipsec-isakmp

>> crypto map myhostname 40 match address outside_cryptomap_40

>> crypto map myhostname 40 set peer 72.16.95.115

>> crypto map myhostname 40 set transform-set franklin

>> crypto map myhostname interface outside

>> isakmp enable outside

>> isakmp key ******** address 76.44.56.18 netmask 255.255.255.240

>> isakmp key ******** address 78.122.41.115 netmask 255.255.255.255

>> no-xauth no-config-mode

>> isakmp key ******** address 66.72.44.144 netmask 255.255.255.128

>> isakmp identity address

>> isakmp policy 10 authentication pre-share

>> isakmp policy 10 encryption 3des

>> isakmp policy 10 hash md5

>> isakmp policy 10 group 2

>> isakmp policy 10 lifetime 86400

>> telnet Ans 255.255.255.255 outside

>> telnet 0.0.0.0 0.0.0.0 outside

>> telnet 0.0.0.0 0.0.0.0 inside

>> telnet timeout 5

>> ssh 0.0.0.0 0.0.0.0 outside

>> ssh timeout 30

>> management-access inside

>> console timeout 0

>> terminal width 80

>> Cryptochecksum:***********************

>> : end

> Config looks just fine. Is it a 501? Could you be out of licenses? Post

> a show xlate, show local host and show conn

Similar Threads	Posted
Nat Problem ?	March 7, 2006, 7:36 am
problem with IOS	May 29, 2006, 12:42 pm
VPN problem	January 17, 2007, 3:36 am
FTP Problem Please Help	May 2, 2007, 4:10 pm
problem	August 13, 2007, 2:00 am
Problem with 2611XM	May 12, 2005, 12:35 am
Bootstrap problem	December 17, 2005, 1:27 pm
Problem with IPSEC VPN	January 22, 2006, 11:19 am
router problem	April 16, 2006, 3:12 pm
problem with igrp	November 10, 2006, 1:35 pm

other useful resources:
The Federal Communications Commission (FCC)
Telecommunications Industry Association
Electronic and Software Security Products and Services
International Telecommunication Union

Custom CGI Perl and PHP programming by 1-Script.com