PIX issue after replacing new public IP addresses

We use Windows 2000 Server IAS as RADIUS in a PIX setup to authenticate outbound HTTP access. After changing to the new public addresses in the following PIX configuration, we no longer get "HTTP authentication" windows to access the Internet. Attached below is the configuration information. Please advise if I missed something.

Assuming these are the new public IP addresses:
ip: 1.2.3.4 ~ 8
gateway: 1.2.3.1
dns: 106.10.24.10, 206.13.29.12

I changed the following three lines to reflect the new IP addresses:
ip address outside ...
global (outside) ...
route outside ...

PIX configuration -

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
names
access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 110 deny tcp host 192.168.10.199 any eq smtp
access-list 110 permit ip host 192.168.10.199 any
access-list 110 deny udp host 192.168.10.11 any eq domain
access-list 110 permit ip host 192.168.10.11 any
access-list 110 deny udp host 192.168.10.12 any eq domain
access-list 110 permit ip host 192.168.10.12 any
access-list 110 permit ip host 192.168.10.13 any
access-list 110 permit ip host 192.168.10.27 any
access-list 110 permit ip host 192.168.10.16 any
access-list 110 permit ip host 192.168.10.17 any
access-list 110 permit ip host 192.168.10.200 any
access-list 110 permit ip host 192.168.10.201 any
access-list 110 deny udp any host 106.10.24.10 eq domain
access-list 110 deny udp any host 206.13.29.12 eq domain
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq https
access-list 111 permit udp any host 106.10.24.10 eq domain
access-list 111 permit udp any host 206.13.29.12 eq domain
access-list 112 permit tcp any any eq www
access-list 112 permit tcp any any eq https
access-list 112 permit udp any any eq 554
access-list 112 permit tcp any any eq 7070
access-list 112 permit tcp any any eq 8080
access-list 112 permit udp any any eq 1755
access-list 112 permit tcp any any eq 1755
access-list 112 permit tcp any any eq ssh
access-list 112 permit udp any any eq pcanywhere-status
access-list 112 permit tcp any any eq pcanywhere-data
access-list 112 permit udp any any eq 1720
access-list 112 permit tcp any any eq 554
access-list 112 permit udp any host 106.10.24.10 eq domain
access-list 112 permit udp any host 206.13.29.12 eq domain
access-list 113 permit ip any any
pager lines 24
logging on
logging timestamp
logging monitor informational
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside 1.2.3.4 255.255.255.248
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.11.1-192.168.11.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
arp timeout 14400
global (outside) 1 1.2.3.5
nat (inside) 0 access-list 101
nat (inside) 1 192.168.10.11 255.255.255.255 0 0
nat (inside) 1 192.168.10.12 255.255.255.255 0 0
nat (inside) 1 192.168.10.13 255.255.255.255 0 0
nat (inside) 1 192.168.10.14 255.255.255.255 0 0
nat (inside) 1 192.168.10.17 255.255.255.255 0 0
nat (inside) 1 192.168.10.27 255.255.255.255 0 0
nat (inside) 1 192.168.10.199 255.255.255.255 0 0
nat (inside) 1 192.168.10.200 255.255.255.255 0 0
nat (inside) 1 192.168.10.201 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 1.2.3.1 1
timeout xlate 12:00:01
timeout conn 12:00:00 half-closed 0:10:00 udp 0:05:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 12:00:00 absolute uauth 4:00:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AuthOutbound protocol radius
aaa-server AuthOutbound (inside) host 192.168.10.12 xyzAuth timeout 3
aaa-server AuthOutbound (inside) host 192.168.10.11 xyzAuth timeout 3
aaa authentication match 110 inside AuthOutbound
http server enable
http 192.168.10.200 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
virtual http 192.168.100.1
floodguard enable
sysopt connection permit-ipsec
service resetinbound
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
console timeout 0
terminal width 80
: end
Reply to
jesk
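
A consistency check for the three renumbered commands in the post above, as an added example that is not part of the original thread: it confirms that the `global (outside)` address and the default gateway both fall inside the subnet defined by `ip address outside`. The function name and the embedded sample are assumptions made for illustration; the sample lines are copied from the posted configuration.

```python
import ipaddress
import re

# Constructed sample: the three renumbered commands as posted in the thread.
POSTED = """\
ip address outside 1.2.3.4 255.255.255.248
global (outside) 1 1.2.3.5
route outside 0.0.0.0 0.0.0.0 1.2.3.1 1
"""

def check_outside_renumbering(config: str) -> list[str]:
    """Hypothetical helper: list mismatches between the outside interface
    subnet, the single-address global (PAT) entries and the default route."""
    m = re.search(r"^ip address outside (\S+) (\S+)[ \t]*$", config, re.M)
    if not m:
        return ["no 'ip address outside' command found"]
    iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    net = iface.network
    reserved = {net.network_address, net.broadcast_address}
    problems = []

    def check(label: str, text: str) -> None:
        addr = ipaddress.ip_address(text)
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
        elif addr in reserved:
            problems.append(
                f"{label} {addr} is the network or broadcast address of {net}")

    check("interface address", str(iface.ip))
    # Only the single-address form "global (outside) <id> <addr>" is handled.
    for addr in re.findall(
            r"^global \(outside\) \d+ (\d+\.\d+\.\d+\.\d+)[ \t]*$", config, re.M):
        check("global address", addr)
    # Default route: "route outside 0.0.0.0 0.0.0.0 <gateway> [metric]".
    for gw in re.findall(
            r"^route outside 0\.0\.0\.0 0\.0\.0\.0 (\d+\.\d+\.\d+\.\d+)",
            config, re.M):
        check("default gateway", gw)
        if ipaddress.ip_address(gw) == iface.ip:
            problems.append(f"default gateway {gw} equals the interface address")
    return problems

if __name__ == "__main__":
    print(check_outside_renumbering(POSTED) or "outside addressing is consistent")
```

The function also accepts the full configuration text, since each pattern matches whole command lines.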

Probably not the cause of your problem but did you do a

clear xlate

after changing the IPs, to delete the existing and no longer valid PAT entries?

Reply to
mcaissie


Reply to
jesk
