PIX 7.04 cannot pass traffic

I have been testing the new PIX v7.04 software on a 515E and ran into something I cannot understand.

On v6.3.5 I can run through the PDM Startup Wizard and within a few clicks clients can surf the internet.

I tried entering the same values on 7.04 using the ASDM Startup Wizard and clients cannot surf.

I can ping the internet from the console session but not from any of the clients. From the internet I can also login to the PIX via ASDM. From the clients I can ping the pix, I can telnet to the pix, but I cannot surf or even ping an IP address on the internet.

I now realize it has something to do with PAT, because I can make v7.04 work when I choose to use the outside interface for PAT; however, when I choose an IP address for PAT (from one of the 8 public IPs assigned to me by the ISP) it fails. This problem doesn't come up with 6.3.5. I also know this isn't a problem when I upgrade from v6.3.5 to v7.04 (the commands are translated somehow to work with v7.04).

Below the v7.04 config you will find the v6.3.5 config, which works.

Thanks for looking!

asdm image flash:/asdm504-2.bin
no asdm history enable
: Saved
:
PIX Version 7.0(4)3
!
hostname 515E704
domain-name cisco.local
enable password
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 251.251.30.72 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.5.1.10 255.255.0.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list inside_access_in extended permit ip 10.5.0.0 255.255.0.0 any
access-list outside_access_in extended permit icmp any 10.5.0.0 255.255.0.0 echo-reply
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
asdm image flash:/asdm504-2.bin
no asdm history enable
arp timeout 14400
global (outside) 10 251.251.30.79
nat (inside) 10 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 251.251.30.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.5.1.50-10.5.1.60 inside
dhcpd dns 121.121.224.11
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain cisco.com
dhcpd enable inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:19bba0db828dbe484376dea273548a51
: end

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname p506e
domain-name cisco.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_access_in permit ip 10.5.0.0 255.255.0.0 any
access-list outside_access_in permit icmp any any echo-reply
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 251.251.30.72 255.255.255.0
ip address inside 10.5.1.10 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.5.1.33 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 251.251.30.79
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 251.251.30.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.5.1.33 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.5.1.50-10.5.1.75 inside
dhcpd dns 121.121.224.11
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:a663ccb0ca07bd6c34ccb97367a014e6
: end
[OK]
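The `global (outside) 10 251.251.30.79` / `nat (inside) 10` pair is identical in both configs, so the thing worth checking is what that PAT address asks of the firewall: the interface's own address needs nothing extra, an address inside the outside subnet (the poster's .79 on 251.251.30.0/24) must be proxy-ARPed by the PIX, and an address outside that subnet must be routed to the PIX by the ISP. The checker below is an added example, not code from the thread; `interface_addresses` and `classify_globals` are my names, and the two config excerpts are constructed from the lines posted above.

```python
import ipaddress
import re

# Constructed excerpts of the poster's 7.0(4) and 6.3(5) configs (addresses as posted).
PIX_70 = """interface Ethernet0
 nameif outside
 ip address 251.251.30.72 255.255.255.0
interface Ethernet1
 nameif inside
 ip address 10.5.1.10 255.255.0.0
global (outside) 10 251.251.30.79
nat (inside) 10 0.0.0.0 0.0.0.0"""

PIX_63 = """ip address outside 251.251.30.72 255.255.255.0
ip address inside 10.5.1.10 255.255.0.0
global (outside) 10 251.251.30.79
nat (inside) 10 0.0.0.0 0.0.0.0 0 0"""

def interface_addresses(config):
    """Map nameif -> ip_interface; understands 7.x interface blocks and 6.3 flat lines."""
    addrs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"nameif (\S+)", line):                          # 7.x block
            current = m[1]
        elif (m := re.fullmatch(r"ip address ([\d.]+) ([\d.]+)", line)) and current:
            addrs[current] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")          # 7.x
        elif m := re.fullmatch(r"ip address (\S+) ([\d.]+) ([\d.]+)", line):
            addrs[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")              # 6.3
    return addrs

def classify_globals(config):
    """Say what must hold for each global PAT address, and whether a nat shares its id."""
    addrs = interface_addresses(config)
    nat_ids = set(re.findall(r"^\s*nat \(\S+\) (\d+) ", config, re.M))
    findings = []
    for ifc, pool_id, target in re.findall(r"^\s*global \((\S+)\) (\d+) (\S+)", config, re.M):
        iface = addrs.get(ifc)
        # A pool may be a range 'a-b'; its first address decides which subnet it is in.
        first = None if target == "interface" else ipaddress.ip_address(target.split("-")[0])
        if iface is None:
            kind = "unknown-interface: no ip address found for nameif"
        elif first is None or first == iface.ip:
            kind = "interface-address: answered by the interface itself"
        elif first in iface.network:
            kind = f"same-subnet: firewall must proxy-ARP for it on {ifc}"
        else:
            kind = "off-subnet: upstream must route it to the firewall"
        findings.append((ifc, pool_id, kind, pool_id in nat_ids))
    return findings
```

Both excerpts come back as same-subnet with a matching nat id, which narrows the 7.04 problem to whether the box actually answers ARP for .79 on the outside wire (a `show arp` on the ISP router, or a capture there, settles it).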
you know who maybe

Version 7.04 is ED. Unless you know PIX OS inside and out you should refrain from using ED versions OR there is a critical feature you need and you're willing to talk with TAC through problems.

GD is your friend.

jdsal

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.