Cisco PIX 515E question

Forum: Networking
March 2, 2009 8:06:25 PM

I'm having some trouble setting up a new firewall (I'm new to firewalls). I've got the unit up with configured IP addresses on inside and outside. I downloaded and installed the ASDM software. I can't seem to get it to pass traffic.
The unit is being used to secure one network from the rest of our company network.
Inside interface is 10.50.241.1/24
The PIX will be the gateway on this network.
Outside interface is 10.48.16.2/20
Gateway on the outside network is a Cisco 6500 MSFC 10.48.16.10 which connects to the rest of the company.

Thanks, Dave

I have included a show run:

PIX Version 7.2(2)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
name 10.48.0.0 GAC
name 10.48.16.0 Plant
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address 10.48.16.2 255.255.240.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.50.241.1 255.255.255.0
!
interface Ethernet2
shutdown
nameif intf2
security-level 4
no ip address
!
passwd 0aywtm/YUv1U3jNB encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside_access_in extended permit ip 10.50.241.0 255.255.255.0 any
access-list inside_access_in extended permit icmp 10.50.241.0 255.255.255.0 any
access-list outside_access_in extended permit icmp Plant 255.255.240.0 10.50.241.0 255.255.255.0
access-list outside_access_in extended permit icmp GAC 255.255.240.0 10.50.241.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu intf2 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image flash:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.48.16.10 1
!
router rip
version 2
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.50.241.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
telnet Plant 255.255.240.0 outside
telnet GAC 255.255.240.0 outside
telnet 10.50.241.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
dhcpd dns 10.50.1.46 171.74.105.58
dhcpd wins 171.74.162.21 171.74.105.58
dhcpd ping_timeout 750
dhcpd auto_config outside
!
dhcpd address 10.50.241.101-10.50.241.199 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:D8ad1ad3a52aec150a71ccd959a2681a
: end
asdm image flash:/asdm-524.bin
asdm location GAC 255.255.240.0 inside
asdm history enable

June 12, 2009 8:05:38 PM

There may be more, but your biggest issue is this.

!
nat (inside) 0 0.0.0.0 0.0.0.0
!

That is telling your firewall to NOT nat any traffic.
Enter this.
!
no nat (inside) 0 0.0.0.0 0.0.0.0
!
nat (inside) 1 0.0.0.0 0.0.0.0
!

That will let your (inside) traffic connect to anything accessible by the outside interface. With your current config nothing from outside can get inside.
!
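As an added example (not part of either post, and not a Cisco tool), the script below lints a PIX 7.x `show run` the way a reviewer would read the one posted above: it checks that every `nat` ID has a matching `global` pool and points out `nat 0` identity rules, then applies the change the reply suggests and re-checks. It also flags the management-plane settings visible in the same config (the `public` SNMP community, `ssh version 1`, and `telnet` permitted from the lowest-security interface). The embedded config is a constructed excerpt of the posted one, and the regular expressions are a simplification of PIX syntax that covers only the command forms seen on this page.

```python
"""Lint a PIX 7.x running-config for NAT-ID consistency and management-plane weaknesses."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the 'show run' posted above; lines irrelevant to the checks are omitted.
ORIGINAL_CONFIG = """\
interface Ethernet0
nameif outside
security-level 0
interface Ethernet1
nameif inside
security-level 100
global (outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0
snmp-server community public
telnet Plant 255.255.240.0 outside
telnet GAC 255.255.240.0 outside
telnet 10.50.241.0 255.255.255.0 inside
ssh version 1
"""

# Simplified patterns: 'nat (<iface>) <id> <rest>' and 'global (<iface>) <id> <pool>'.
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.*)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (.*)$")


def nat_findings(config: str) -> List[str]:
    """Report nat/global ID mismatches and nat-0 rules, which bypass the global pools."""
    nat_ids: Dict[int, List[Tuple[str, str]]] = {}
    global_ids: Dict[int, List[Tuple[str, str]]] = {}
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if m:
            nat_ids.setdefault(int(m.group(2)), []).append((m.group(1), m.group(3)))
        m = GLOBAL_RE.match(line)
        if m:
            global_ids.setdefault(int(m.group(2)), []).append((m.group(1), m.group(3)))

    findings = []
    for nid, entries in nat_ids.items():
        for iface, rest in entries:
            if nid == 0:
                # 'nat 0 access-list' is NAT exemption; 'nat 0 <net> <mask>' is identity NAT.
                kind = "NAT exemption" if rest.startswith("access-list") else "identity NAT (no translation)"
                findings.append(f"nat ({iface}) 0: {kind}; traffic bypasses the global pools")
            elif nid not in global_ids:
                findings.append(f"nat ({iface}) {nid} has no matching 'global' pool")
    for gid, entries in global_ids.items():
        if gid not in nat_ids:
            for iface, pool in entries:
                findings.append(f"global ({iface}) {gid} {pool} is unused: no 'nat' rule carries ID {gid}")
    return findings


def management_findings(config: str) -> List[str]:
    """Flag management-plane settings a reviewer would question."""
    levels: Dict[str, int] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("security-level ") and current:
            levels[current] = int(line.split()[1])
    lowest = min(levels, key=levels.get) if levels else None

    findings = []
    for line in config.splitlines():
        if line.startswith("snmp-server community "):
            community = line.split()[2]
            if community.lower() in {"public", "private"}:
                findings.append(f"SNMP community '{community}' is a well-known default")
        elif line.startswith("ssh version 1"):
            findings.append("SSHv1 enabled; use 'ssh version 2'")
        elif line.startswith("telnet ") and lowest and line.rstrip().endswith(" " + lowest):
            findings.append(f"cleartext telnet management permitted from the lowest-security interface ({lowest}): {line}")
    return findings


def apply_answer_fix(config: str) -> str:
    """Apply the reply's change: remove the identity rule and bind inside traffic to NAT ID 1."""
    lines = [l for l in config.splitlines() if l != "nat (inside) 0 0.0.0.0 0.0.0.0"]
    lines.append("nat (inside) 1 0.0.0.0 0.0.0.0")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("NAT findings (posted config):")
    for f in nat_findings(ORIGINAL_CONFIG):
        print("  -", f)
    print("NAT findings (after the reply's change):", nat_findings(apply_answer_fix(ORIGINAL_CONFIG)))
    print("Management-plane findings:")
    for f in management_findings(ORIGINAL_CONFIG):
        print("  -", f)
```

The NAT check only tests the configuration's internal consistency (an ID that appears on one side of nat/global but not the other); it cannot confirm end-to-end reachability. The management-plane findings are independent of the traffic problem and are what a reviewer would want cleaned up before the firewall goes into service.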