New to Cisco

I need a detailed tutorial or guide on how to set up basic services, like traffic through port 80 translated to a web server, using ASDM 6.0 for a PIX 515E. I have the super basic config set, like interfaces and admin users, but I am having trouble doing basic NAT for port 80, 443 and 22 traffic. Also, if you have a good resource on remote VPN access configuration for the MS VPN client, that would be helpful.

I have looked through the help files that come along with ASDM and thought I had the config correct but no luck.

thanks in advance -

Reply to
KEN

Can you get on a console? Enable SSH or Telnet on the inside interface and log in to the device. Do you have an IP address for the outside interface, or will it be dynamic? Post a cleansed version of your "show run" output and we can help.

ASDM is pretty hard to describe; it is better to see the configuration in the console, and in my view it is clearer once you get the hang of it. Use ASDM for viewing stats, VPN connections and CPU usage, not configuration (at least at first).

My 2cents.

Reply to
swesterhoff

Some examples:

NAT will use the outside IP:

global (outside) 1 interface

PAT (Port Address Translation) uses the outside interface:

static (inside,outside) tcp interface smtp 192.168.168.5 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 5900 192.168.168.5 5900 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.168.5 www netmask 255.255.255.255

Then we permit these ports via an access-list:

access-list your-list-in permit tcp any interface outside eq smtp
access-list your-list-in permit tcp any interface outside eq 5900
access-list your-list-in permit tcp any interface outside eq www

access-group your-list-in in interface outside

On the VPN, I strongly suggest using the Cisco VPN client (it comes with your PIX, with unlimited clients), as it is very easy to deploy and connects very quickly.

Reply to
Shawn Westerhoff
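Pulling the fragments in the answer above into one complete, pre-8.3 configuration that does what the original question asks (ports 80, 443 and 22 of one inside host published on the outside interface address), as an added example that is not part of the thread or of Cisco's documentation. The interface names (outside, inside), the inside host 10.0.1.200 and the public address 12.190.141.214 are taken from later posts in the thread; the admin source range 203.0.113.0/24 and the test client 198.51.100.7 are documentation-range placeholders that stand in for real addresses.

```text
! Added example, not from the thread. Pre-8.3 syntax (PIX 7.x / 8.0-8.2).
! Assumed: interfaces named outside and inside, web/SSH host 10.0.1.200,
! admin SSH source range 203.0.113.0/24 (documentation prefix, placeholder).

! Outbound: everything on the inside is PATed to the outside interface address.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! Inbound port redirection on the interface's own address.
! Argument order: mapped_ip mapped_port real_ip real_port. Use the keyword
! "interface" for the outside address rather than typing its IP.
static (inside,outside) tcp interface www 10.0.1.200 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.0.1.200 https netmask 255.255.255.255
static (inside,outside) tcp interface ssh 10.0.1.200 ssh netmask 255.255.255.255

! Pre-8.3 rule: the ACL on the outside interface matches the MAPPED address
! (here "interface outside"), never the real address 10.0.1.200.
! No source port is written; clients connect from ephemeral ports.
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq https
! SSH open to "any" invites password guessing; restrict it to the admin range.
access-list outside_access_in extended permit tcp 203.0.113.0 255.255.255.0 interface outside eq ssh
! Everything else hits the implicit deny at the end of the list.

! One ACL per interface and direction; the binding is what makes it active.
access-group outside_access_in in interface outside

! Checks, from enable mode. 198.51.100.7 is a placeholder outside client;
! 12.190.141.214 stands for your own outside interface address.
show run static
show run access-group
show xlate
packet-tracer input outside tcp 198.51.100.7 40000 12.190.141.214 80
clear xlate
write memory
```

`show xlate` should list three PAT entries for 10.0.1.200 and `packet-tracer` should end in "Action: allow"; `clear xlate` after editing statics drops translations that were built under the old rules. On 8.3 and later the NAT syntax changes (object NAT) and an outside ACL references the real address instead of the mapped one, so do not copy this form onto a newer image.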


On Nov 7, 3:08 am, Shawn Westerhoff wrote:

Thanks for the response. I have set the external IP and internal IP; both are static. I have telnet enabled and used it to enable the interfaces and a few policies...

This is the current config:

: Saved
:
PIX Version 8.0(2)
!
hostname
domain-name
enable password encrypted
names
name
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address ip cleaned 255.255.255.240
 ospf cost 10
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address ip cleaned 255.255.255.0
 ospf cost 10
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd IGt/YV.MXoTSVYGO encrypted
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
 domain-name cleaned
access-list inside_nat0_outbound extended permit ip any 10.0.1.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.1.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip host cleaned any
access-list outside_1_cryptomap extended permit ip host cleaned any
access-list outside_access_in extended permit tcp any eq www host cleaned eq www
access-list outside_access_in_1 extended permit ip any host cleaned
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool cleaned mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,inside) cleaned cleaned netmask 255.255.255.255
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 12.190.141.209 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 202.58.134.102
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
no crypto isakmp nat-traversal
telnet 10.0.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics
!
class-map class_sip_udp
 match port udp eq sip
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect tftp
 class class_sip_udp
  inspect sip
!
service-policy global_policy global
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.0.1.3 10.0.1.3
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value cleaned
group-policy MSI internal
group-policy MSI attributes
 dns-server value cleaned cleaned
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value cleaned
username cleaned password DcCQs5C1bsormATL6ekOYw== nt-encrypted privilege 0
username cleaned attributes
 vpn-group-policy MSI
tunnel-group DefaultRAGroup general-attributes
 address-pool MSI
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group WNS type ipsec-l2l
tunnel-group WNS ipsec-attributes
 pre-shared-key *
tunnel-group MSI type remote-access
tunnel-group MSI general-attributes
 address-pool MSI
 default-group-policy MSI
prompt hostname context
Cryptochecksum:4a7f6c9d832d7b62a55abf5a49db9747
: end
asdm image flash:/asdm-602.bin
no asdm history enable

The config looks like it should work for NAT and the www, but I can't get it to connect. If I can get the NAT for www working, I think I can handle the rest pretty well. I have most of my experience with WatchGuard products, which aren't the best but are pretty easy to configure. Although I can use the Cisco remote VPN client, I would rather not, because I installed it and it conflicts with another VPN client I use. So if there's a way to use the MS VPN client, that would be cool.

Thanks again -

Reply to
KEN
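The built-in Microsoft client that the post above asks about speaks L2TP over IPsec, and the posted show run already carries most of what that needs: a transport-mode transform set (TRANS_ESP_3DES_SHA), vpn-tunnel-protocol l2tp-ipsec in the group policies, an nt-encrypted user password, and a pre-shared key on DefaultRAGroup. Two things visible in that config commonly stop the Windows client: NAT traversal is off (no crypto isakmp nat-traversal), so a client behind a home router cannot complete IKE, and there is no tunnel-group DefaultRAGroup ppp-attributes block, so MS-CHAP v2, which the Windows client authenticates with, is not enabled. The Microsoft client also cannot name a tunnel-group, so it always lands in DefaultRAGroup; the separate MSI tunnel-group is not reachable from it. Below is an added, complete minimal L2TP/IPsec configuration for PIX 8.0 with pre-shared-key authentication, written for this thread rather than taken from it or from Cisco's documentation. Assumptions: the outside interface is named outside, the LAN is 10.0.1.0/24 and the DNS server 10.0.1.3 (from the posted config), the client pool 192.168.250.1-192.168.250.50, the pool and dynamic-map names, and the user vpnuser are placeholders chosen here.

```text
! Added example for the Windows (Microsoft) L2TP/IPsec client on PIX 8.0,
! pre-shared-key authentication. Assumed: interface "outside", LAN 10.0.1.0/24,
! client pool 192.168.250.1-192.168.250.50, DNS 10.0.1.3, user "vpnuser".

! Phase 1: the Windows client proposes 3DES / SHA / DH group 2 with a PSK.
crypto isakmp enable outside
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! Clients behind home NAT need NAT-T (UDP 4500); the posted config has it off.
crypto isakmp nat-traversal 20

! Phase 2 must be TRANSPORT mode for L2TP/IPsec, and the transport-mode
! transform set must be offered by the dynamic map.
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map dyn-l2tp 10 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-l2tp
crypto map outside_map interface outside

! Addresses handed to clients, and NAT exemption so LAN<->client traffic is
! not PATed to the outside address on its way into the tunnel.
ip local pool l2tp-pool 192.168.250.1-192.168.250.50 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 192.168.250.0 255.255.255.192
nat (inside) 0 access-list inside_nat0_outbound

! The Microsoft client sends no group name, so it uses DefaultRAGroup.
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.0.1.3
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool l2tp-pool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key <same key entered in the Windows connection's IPsec settings>

! PPP authentication: MS-CHAP v2 only. PAP would carry the password in the
! clear inside the tunnel; CHAP and MS-CHAP v1 are weaker than v2.
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2

! MS-CHAP needs the NT hash, hence the "mschap" keyword (shown as nt-encrypted
! in show run, which is what the posted config already has).
username vpnuser password <password> mschap

! Verification after a client connects:
show crypto isakmp sa
show crypto ipsec sa
show vpn-sessiondb remote
```

On the Windows side the connection type is "L2TP/IPsec with pre-shared key". Decrypted VPN traffic bypasses the outside interface ACL because sysopt connection permit-vpn is on by default on this release, so no ACL entries are needed for the pool. If the pre-shared key is right and `show crypto isakmp sa` shows no SA at all, NAT-T is the first thing to check; if IKE completes but PPP fails, the ppp-attributes block and the mschap password format are the usual causes.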

access-list outside_access_in_1 permit tcp any host eq www

static (inside,outside) tcp www www netmask 255.255.255.255

Reply to
Chad Mahoney

Thanks. I added those items to the config and wrote it to memory. I still do not get our site when I open the external IP address on port 80.

So I have

access-list outside_access_in extended permit tcp any eq www host 10.0.1.200 eq www
access-list outside_access_in_1 extended permit ip any host 10.0.1.200
access-list outside_access_in_1 extended permit tcp any host (external ip) eq www

and

static (inside,outside) tcp our (external ip) www 10.0.1.200 www netmask 255.255.255.255

But no site. Anything I have wrong here? Thanks so much again.

Reply to
KEN


You need to remove the first 2 entries:

Reply to
Chad Mahoney

This is the current config:

access-list outside_access_in_1 extended permit tcp any host 12.190.141.214 eq www
access-list your-list-in extended permit tcp any interface outside eq www

static (inside,outside) tcp 12.190.141.214 www 10.0.1.200 www netmask 255.255.255.255

I got rid of the other items. I still can't get into our web server.

thanks -

Reply to
KEN


Thanks. I removed those settings; now we have:

access-list outside_access_in_1 extended permit tcp any host 12.190.141.214 eq www
access-list your-list-in extended permit tcp any interface outside eq www

and nat:

static (inside,outside) tcp 12.190.141.214 www 10.0.1.200 www netmask 255.255.255.255

I am still unable to get into our server via web.

thanks -

Reply to
KEN

Try a clear xlate command.

Also repost the current ACL list, static list, and access-group such as:

Reply to
Chad Mahoney

What is the inside_nat0_outbound ACL used for? Do you have VPNs in use currently? Please describe your topology a bit more...

Reply to
Chad Mahoney

access-list inside_nat0_outbound extended permit ip any 10.0.1.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.1.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 10.0.1.224 255.255.255.252
access-list outside_access_in_1 extended permit tcp any host 12.190.141.214 eq www
access-list your-list-in extended permit tcp any interface outside eq www

static (inside,outside) tcp 12.190.141.214 www 10.0.1.200 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 12.190.141.214 smtp netmask 255.255.255.255

access-group outside_access_in_1 in interface outside

I ran that command as well. Thanks a bunch again.

Reply to
KEN
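Two things stand out in the fragment posted above, as written. First, your-list-in is never applied: the only access-group line binds outside_access_in_1, and a PIX honours exactly one ACL per interface and direction, so the your-list-in entry does nothing. Second, the smtp static has its arguments in the wrong order: static takes the mapped address and port first and the real (inside) address and port second, so "interface smtp 12.190.141.214 smtp" tells the PIX that the real SMTP host is 12.190.141.214, the same public address used as the mapped side of the www static two lines earlier; the real side should be the private address of the mail server. And where the mapped address is the outside interface's own IP, the documented form uses the interface keyword, as in Shawn's examples, rather than the literal address. Beyond those fixes, the fastest way to see where an inbound connection dies on PIX 8.0 is packet-tracer followed by captures on both interfaces. The walk-through below is an added example, not part of the thread or of Cisco's documentation; 10.0.1.200 and 12.190.141.214 are from the thread and 198.51.100.7 is a documentation-range placeholder for an outside test client.

```text
! Added troubleshooting walk-through for the posted fragment (PIX 8.0 CLI).
! Assumed: outside address 12.190.141.214, web server 10.0.1.200, and
! 198.51.100.7 as a stand-in for the outside client you test from.

! 1. Make sure one outside ACL exists and that it is the bound one.
!    hitcnt on the www line shows whether packets reach the ACL at all.
show run access-group
show access-list outside_access_in_1

! 2. Simulate the inbound SYN. Each phase (ROUTE-LOOKUP, ACCESS-LIST, NAT,
!    ...) prints ALLOW or DROP; the first DROP is where the connection dies.
packet-tracer input outside tcp 198.51.100.7 40000 12.190.141.214 80 detailed

! 3. Confirm the translation the static created, then clear stale entries.
!    Old xlates survive a static change until they time out.
show xlate | include 10.0.1.200
clear xlate

! 4. Watch real packets on both sides while a browser outside connects.
!    SYN on capout but nothing on capin: the PIX dropped it (ACL or NAT).
!    SYN on capin but no SYN-ACK back: the server, its firewall, or a
!    default gateway on the server that is not the PIX inside address.
capture capout interface outside match tcp any host 12.190.141.214 eq 80
capture capin interface inside match tcp any host 10.0.1.200 eq 80
show capture capout
show capture capin
no capture capout
no capture capin

! 5. ACL denies are logged as message 106023 at level 4 (warnings); keep
!    buffered logging on while testing and grep for it.
logging buffered warnings
show logging | include 106023
```

Run the steps in order: if packet-tracer says allow and capin shows the SYN leaving toward 10.0.1.200 but no reply comes back, the PIX is done and the problem is on the server side. Unrelated to the port forward but visible in the posted show run: snmp-server community public and Telnet-only management are both worth changing once the forward works.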

Ken,

Why do you have the statement:

access-list inside_nat0_outbound extended permit ip any 10.0.1.192 255.255.255.252 ?

Those ACLs will bypass NAT and could be the source of your problem.

Also, why are you trying to subnet your /24 in half? It appears you want 10.0.1.1 through 10.0.1.192 to bypass NAT completely, making any hosts in that range unable to access the internet, as well as 10.0.1.224 through 10.0.1.254? Sorry, I am a bit confused...
Reply to
Chad Mahoney

We currently have a WatchGuard product that we are trying to move to PIX. I have two VPNs that I need to set up on the PIX, as well as remote access for a couple of users (see posts above).

Right now I have the first of the two VPNs set up. I tried to configure the remote access VPNs, but they are not working either.

The network topology is pretty basic: an internal network with a web server and a couple of other servers. One of the VPNs is used daily; the other one is for a remote office and is only used from time to time. That's about it.

Reply to
KEN

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.