PIX NAT problem
Song
Guest
Posted: Sat Oct 20, 2007 2:54 am    Post subject: PIX NAT problem

Everything was working and all of a sudden, I can't browse the Internet. Noticed
that workstations couldn't ping the PIX and the PIX couldn't ping the
workstations, but PIX can ping the world. I've looked at the config and the
NAT seems to be there. I even added an access-list to permit any any with no
luck. Please help.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *************** encrypted
passwd ************* encrypted
hostname MyHostName
domain-name mydomain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 66.192.47.114 Ans
access-list 160 permit ip 192.168.60.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 161 permit ip 192.168.60.0 255.255.255.0 192.168.61.0 255.255.255.0
access-list 100 permit ip 192.168.60.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 100 permit ip 192.168.60.0 255.255.255.0 192.168.61.0 255.255.255.0
access-list 100 permit ip 192.168.60.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list outside_cryptomap_40 permit ip 192.168.60.0 255.255.255.0 192.168.70.0 255.255.255.0
pager lines 24
logging monitor informational
mtu outside 1500
mtu inside 1500
ip address outside 66.71.212.181 255.255.255.128
ip address inside 192.168.60.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.60.10 255.255.255.255 inside
pdm location 76.44.56.18 255.255.255.255 outside
pdm location 10.1.0.0 255.255.0.0 outside
pdm location 192.168.61.0 255.255.255.0 outside
pdm location 192.168.70.0 255.255.255.0 outside
pdm location Ans 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit ip any any
route outside 0.0.0.0 0.0.0.0 66.71.212.129 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 76.44.56.18 255.255.255.255 outside
http 192.168.60.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set franklin esp-3des esp-md5-hmac
crypto map myhostname 10 ipsec-isakmp
crypto map myhostname 10 match address 160
crypto map myhostname 10 set peer 70.150.159.18
crypto map myhostname 10 set transform-set franklin
crypto map myhostname 20 ipsec-isakmp
crypto map myhostname 20 match address 161
crypto map myhostname 20 set peer 65.41.70.144
crypto map myhostname 20 set transform-set franklin
crypto map myhostname 40 ipsec-isakmp
crypto map myhostname 40 match address outside_cryptomap_40
crypto map myhostname 40 set peer 72.16.95.115
crypto map myhostname 40 set transform-set franklin
crypto map myhostname interface outside
isakmp enable outside
isakmp key ******** address 76.44.56.18 netmask 255.255.255.240
isakmp key ******** address 78.122.41.115 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 66.72.44.144 netmask 255.255.255.128
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet Ans 255.255.255.255 outside
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:***********************
: end

Brian V
Guest
Posted: Sat Oct 20, 2007 4:21 am    Post subject: Re: PIX NAT problem

"Song" <song@isot.com> wrote in message
news:LqidnQ-maKYtuoTanZ2dnUVZ_qygnZ2d@isot.com...
Quote:
Everything was working and all of a sudden, I can't browse the Internet. Noticed
that workstations couldn't ping the PIX and the PIX couldn't ping the
workstations, but PIX can ping the world. I've looked at the config and
the NAT seems to be there. I even added an access-list to permit any any
with no luck. Please help.

Config looks just fine. Is it a 501? Could you be out of licenses? Post a
show xlate, show local host and show conn

Song
Guest
Posted: Tue Oct 23, 2007 11:39 pm    Post subject: Re: PIX NAT problem

Quote:
Config looks just fine. Is it a 501? Could you be out of licenses? Post a
show xlate, show local host and show conn

License is ok, rest is empty. Cleared crypto seems to fix it...
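
Added example, not part of the original thread: on a PIX that mixes PAT with site-to-site tunnels, every flow named in a crypto map ACL should also be covered by the `nat 0` exemption ACL, since NAT is applied before the crypto ACL is matched. The Python sketch below runs that check over the NAT and crypto lines excerpted from the config posted above; the function names are made up for this example.

```python
import ipaddress
import re

# Excerpt of the configuration posted above (NAT and crypto lines only).
CONFIG = """\
access-list 160 permit ip 192.168.60.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 161 permit ip 192.168.60.0 255.255.255.0 192.168.61.0 255.255.255.0
access-list 100 permit ip 192.168.60.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 100 permit ip 192.168.60.0 255.255.255.0 192.168.61.0 255.255.255.0
access-list 100 permit ip 192.168.60.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list outside_cryptomap_40 permit ip 192.168.60.0 255.255.255.0 192.168.70.0 255.255.255.0
nat (inside) 0 access-list 100
crypto map myhostname 10 match address 160
crypto map myhostname 20 match address 161
crypto map myhostname 40 match address outside_cryptomap_40
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")

def parse(config):
    """Return (acls, nat0_acl_names, crypto_entries) from PIX 6.x config text."""
    acls, nat0, crypto = {}, [], []
    for line in map(str.strip, config.splitlines()):
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            pair = (ipaddress.ip_network(f"{src}/{smask}"),
                    ipaddress.ip_network(f"{dst}/{dmask}"))
            acls.setdefault(name, []).append(pair)
        elif m := NAT0_RE.match(line):
            nat0.append(m.group(2))
        elif m := MATCH_RE.match(line):
            crypto.append((int(m.group(2)), m.group(3)))
    return acls, nat0, crypto

def unexempted_vpn_traffic(config):
    """List (seq, src, dst) crypto-ACL pairs that no nat 0 ACL entry covers."""
    acls, nat0, crypto = parse(config)
    exempt = [p for name in nat0 for p in acls.get(name, [])]
    gaps = []
    for seq, acl in crypto:
        for src, dst in acls.get(acl, []):
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                gaps.append((seq, str(src), str(dst)))
    return gaps

if __name__ == "__main__":
    print(unexempted_vpn_traffic(CONFIG) or "all crypto ACL traffic is NAT-exempt")
```

For the posted config the check reports no gaps, so the NAT exemption and the three crypto map ACLs agree with each other.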