PIX 501 - problem

In article , Robert wrote: :I am trying to configure PIX 1st time in my life.

:Datacenter send to us

:set WAN port on Your PIX firewall :90.90.66.239 - 255.255.255.4 :dafault gateway 90.90.66.1

Perhaps you have made a typo there? A netmask ending in .4 is

*highly* uncommon. It would indicate that the 3rd last bit must be the same for all hosts in the subnet, but .239 is 0xef and .1 is 0x01 which clearly have different values for the 3rd last bit.

The only CIDR netmask that would fit the WAN IP and the gateway would be

255.255.255.0 .

:lan port on your firewall :90.90.67.112 255.255.255.248 :Your default gateway (lan) will be 90.90.67.112

:In my opinion there is something wrong (90.90.67.112 is the network adress :we have arange of IP's 112 to 119 - 119 is broadcast address)

You are correct about that. Try 90.90.67.113 as the inside IP and default gateway.

:people have to ping me and i will have to ping them

:PIX Version 6.3(4)

:ip address outside 90.90.66.239 255.255.254.0 :ip address inside 90.90.67.112 255.255.255.248

Here you show the outside netmask as 255.255.254.0, but if that were the case then the outside range would be 90.90.66.0 thru

90.90.67.255 which would overlap the inside IP range.

:global (outside) 1 interface :nat (inside) 1 0.0.0.0 0.0.0.0 0 0 :route outside 0.0.0.0 0.0.0.0 90.90.66.1 1

:what is wrong

Beyond the IP range issues:

Once the IPs are repaired, then in the configuration you have now, anyone would be able to ping your outside IP and get a reply, but no-one would be able to ping any of your inside hosts.

As configured, it isn't just ICMP Echo packets that the PIX will respond to: it will also potentially respond to Source Quench and Redirects and other ICMP you don't really want through.

To control which icmp the PIX itself responds to, use the 'icmp' configuration command.

ok my mistake datacentre WAN IP 90.90.66.239 mask 255.255.254.0 gateway 90.90.66.1

LAN IP 90.90.67.112 mask 255.255.255.248

Problem is - i did try to set ip address outside 90.90.66.239 - 255.255.254.0 ip address inside 90.90.67.113, 255.255.255.248

i could ping outside 11.12.13.14(whole world) but i could not to ping inside 11.12.13.14

at the moment i want to have internet access later i will try to do something with IMCP

i will want to have www.server on 115, mail on 116 etc (or similar) i will have to permit for examople www to 115 and for example SMTP to 118

configuration should look like ?

interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password xxxxxxxxxxxxxxxxxxxxxxx encrypted passwd xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx encrypted hostname ABCABC domain-name ABCABC.com ip address outside 90.90.66.239 255.255.254.0 ip address inside 90.90.67.113 255.255.255.248 ip audit info action alarm ip audit attack action alarm nat (inside) 1 0.0.0.0 0.0.0.0 0 0 route outside 0.0.0.0 0.0.0.0 90.90.66.1 1 http server enable http 90.90.67.113 255.255.255.248 inside

on my test laptop if i will have IP settings like

90.90.67.115 255.255.255.248 90.90.67.113 (default gateway) should be OK ?

In article , Robert wrote: :ok my mistake :datacentre :WAN :IP 90.90.66.239 :mask 255.255.254.0 :gateway 90.90.66.1

:LAN :IP 90.90.67.112 :mask 255.255.255.248

As indicated before, those ranges overlap and so may not be used together.

:Problem is - i did try to set :ip address outside 90.90.66.239 - 255.255.254.0 :ip address inside 90.90.67.113, 255.255.255.248

:i could :ping outside 11.12.13.14(whole world) :but i could not to :ping inside 11.12.13.14

I'm not quite clear on what you were trying there? From the PIX CLI, ping inside can only be used to ping inside hosts.

:at the moment i want to have internet access :later i will try to do something with IMCP

:i will want to have www.server on 115, mail on 116 etc (or similar) :i will have to permit for examople www to 115 and for example SMTP to 118

static (inside,outside) 90.90.67.115 90.90.67.115 netmask 255.255.255.255 static (inside,outside) 90.90.67.118 90.90.67.118 netmask 255.255.255.255

access-list out2in permit tcp any host 90.90.67.115 eq www access-list out2in permit tcp any host 90.90.67.118 eq smtp

access-group out2in in interface outside

i will try tommorow and i will let You know

Thank You for You help

Regards Robert

i can not have internet access

i set up my firewall i connected my laptop (90.90.67.114, 255.255.255.248, default gateway

90.90.67.113 -my PIX) i can not have internet access :( i ca not even ping outside interface on pix

this is my configuration Building configuration... : Saved : PIX Version 6.3(4) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 ip address outside 90.90.66.239 255.255.254.0 ip address inside 90.90.67.113 255.255.255.248 ip audit info action alarm ip audit attack action alarm pdm location 90.90.67.114 255.255.255.255 inside pdm location 90.90.67.115 255.255.255.255 inside pdm location 90.90.67.116 255.255.255.255 inside pdm location 90.90.67.117 255.255.255.255 inside pdm location 90.90.67.118 255.255.255.255 inside pdm logging informational 100 pdm history enable arp timeout 14400 nat (inside) 0 0.0.0.0 0.0.0.0 0 0 static (inside,outside) 90.90.67.114 90.90.67.114 netmask 255.255.255.255 0

0 static (inside,outside) 90.90.67.115 90.90.67.114 netmask 255.255.255.255 0 0 static (inside,outside) 90.90.67.116 90.90.67.114 netmask 255.255.255.255 0 0 static (inside,outside) 90.90.67.117 90.90.67.114 netmask 255.255.255.255 0 0 static (inside,outside) 90.90.67.118 90.90.67.114 netmask 255.255.255.255 0 0 route outside 0.0.0.0 0.0.0.0 90.90.66.1 1 access-list out2in permit tcp any host 90.90.67.116 eq dns access-list out2in permit tcp any host 90.90.67.118 eq www access-list out2in permit tcp any host 90.90.67.118 eq smtp access-group out2in in interface outside http server enable http 90.90.66.0 255.255.254.0 outside : end [OK]

In article , Robert wrote: :i can not have internet access

:i set up my firewall :i connected my laptop (90.90.67.114, 255.255.255.248, default gateway :90.90.67.113 -my PIX) :i can not have internet access :( :i ca not even ping outside interface on pix

You can't ping the outside interface of your PIX from inside the PIX. The PIX only allows you to ping the "closest" interface [except under a narrow VPN case.]

:this is my configuration

;ip address outside 90.90.66.239 255.255.254.0 ;ip address inside 90.90.67.113 255.255.255.248

Your inside and outside IP addresses still overlap. Until that is fixed, we cannot really be of very much assistance.

You cannot static different IPs to the same IP. This second line should probably be something like,

static (inside,outside) 90.90.67.115 90.90.67.115 netmask 255.255.255.255 0 0

wrong wesion i was preparing and it was temporary config file

Building configuration... : Saved : PIX Version 6.3(4) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 ip address outside 90.90.66.239 255.255.254.0 ip address inside 90.90.67.113 255.255.255.248 ip audit info action alarm ip audit attack action alarm pdm location 90.90.67.114 255.255.255.255 inside pdm location 90.90.67.115 255.255.255.255 inside pdm location 90.90.67.116 255.255.255.255 inside pdm location 90.90.67.117 255.255.255.255 inside pdm location 90.90.67.118 255.255.255.255 inside pdm logging informational 100 pdm history enable arp timeout 14400 nat (inside) 0 0.0.0.0 0.0.0.0 0 0 static (inside,outside) 90.90.67.114 90.90.67.114 netmask 255.255.255.255 0

0 static (inside,outside) 90.90.67.115 90.90.67.115 netmask 255.255.255.255 0 0 static (inside,outside) 90.90.67.116 90.90.67.116 netmask 255.255.255.255 0 0 static (inside,outside) 90.90.67.117 90.90.67.117 netmask 255.255.255.255 0 0 static (inside,outside) 90.90.67.118 90.90.67.118 netmask 255.255.255.255 0 0 route outside 0.0.0.0 0.0.0.0 90.90.66.1 1 access-list out2in permit tcp any host 90.90.67.116 eq dns access-list out2in permit tcp any host 90.90.67.118 eq www access-list out2in permit tcp any host 90.90.67.118 eq smtp access-group out2in in interface outside http server enable http 90.90.66.0 255.255.254.0 outside : end [OK]

this is from my PIX

what i have to do to have internet ?

i spent a looooooooooot od hours and nothing

show route

outside 0.0.0.0 0.0.0.0 90.90.66.1 1 OTHER static

outside 90.90.66.0 255.255.254.0 90.90.66.239 1 CONNECT static

inside 90.90.67.112 255.255.255.248 90.90.67.113 1 CONNECT static

pixfirewall#

In article , Robert wrote: :wrong wesion :i was preparing and it was temporary config file

:ip address outside 90.90.66.239 255.255.254.0 :ip address inside 90.90.67.113 255.255.255.248

:this is from my PIX :what i have to do to have internet ? :i spent a looooooooooot od hours and nothing

The PIX does not define what happens if you have overlapping interface IP ranges -- or rather, the documentation defines it as being illegal. Whether it works in practice or not is a different question.

In the meantime, I suggest that you explore the "debug packet" and "capture" commands.

:The PIX does not define what happens if you have overlapping :interface IP ranges -- or rather, the documentation defines it :as being illegal.

Note Each interface IP address must be unique and not on the same network as any other interface on the firewall.

Thias is my configuration How can i have access to web PDM (if for example my ip is 12.13.14.15) (is this correct pdm location pdm location 12.13.14.15 255.255.255.255 outside http 12.13.14.15 255.255.255.255 outside)

: Saved : PIX Version 6.3(4) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 no fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names object-group service tcp_114 tcp description tcp portts for server on address 90.90.67.114 port-object eq 1433 port-object eq www port-object eq 3389 port-object eq 4899 port-object eq domain port-object eq https port-object eq smtp object-group service udp_114 udp description udp ports for server at 90.90.67.114 port-object eq domain object-group service tcp_115 tcp description TCP ports for server at 90.90.67.115 port-object eq 8080 port-object eq www port-object eq ftp-data port-object eq ssh port-object eq ftp port-object eq exec port-object eq telnet port-object eq cmd object-group service udp_115 udp description TCP ports for server at 90.90.67.115 port-object eq 8080 port-object eq www port-object eq ftp-data port-object eq ssh port-object eq ftp port-object eq exec port-object eq telnet port-object eq cmd object-group service udp_115 udp description UDP ports for server 90.90.67.115 port-object eq 117 port-object eq domain access-list outside_access_in permit icmp any any log access-list outside_access_in permit tcp any host 90.90.67.114 object-group tcp_114 access-list outside_access_in permit udp any host 90.90.67.114 object-group udp_114 access-list outside_access_in permit tcp any host 90.90.67.115 object-group tcp_115 access-list outside_access_in permit udp any host 90.90.67.115 object-group udp_115 pager lines 24 logging on logging console informational icmp permit any outside icmp permit any echo-reply outside icmp permit any router-solicitation outside icmp permit any inside mtu outside 1500 mtu inside 1500 ip address outside 90.90.66.239 255.255.254.0 ip address inside 90.90.67.113 255.255.255.248 ip audit info action alarm ip audit attack action alarm pdm location 90.90.67.114 255.255.255.255 inside pdm location 90.90.67.117 255.255.255.255 inside pdm location 90.90.67.115 255.255.255.255 inside pdm location 90.90.67.116 255.255.255.255 inside pdm location 90.90.67.118 255.255.255.255 inside pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 100 interface nat (inside) 0 0.0.0.0 0.0.0.0 0 0 static (inside,outside) 90.90.67.114 90.90.67.114 netmask 255.255.255.255 0

0 static (inside,outside) 90.90.67.115 90.90.67.115 netmask 255.255.255.255 0 0 static (inside,outside) 90.90.67.116 90.90.67.116 netmask 255.255.255.255 0 0 static (inside,outside) 90.90.67.117 90.90.67.117 netmask 255.255.255.255 0 0 static (inside,outside) 90.90.67.118 90.90.67.118 netmask 255.255.255.255 0 0 access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 90.90.66.1 1 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local aaa authentication ssh console LOCAL http server enable http 90.90.67.112 255.255.255.248 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable telnet timeout 5 ssh 90.90.66.239 255.255.255.255 outside ssh 0.0.0.0 0.0.0.0 outside ssh 90.90.67.112 255.255.255.248 inside ssh timeout 5 console timeout 0 terminal width 80 : end

:Thias is my configuration :How can i have access to web PDM (if for example my ip is 12.13.14.15) :(is this correct pdm location :pdm location 12.13.14.15 255.255.255.255 outside

No, the 'pdm location' command does not control which hosts can access.

:http 12.13.14.15 255.255.255.255 outside)

Yes.

:http server enable

Yes, that too.