IT Answers » PIX

PIX firewall internet problem

Uzairahmad — Sat, 23 Apr 2011 07:17:32 +0000

Hello
this is my pix firewall 515E configuration.

Password:
Type help or ‘?’ for a list of available commands.
pixfirewall> en
Password:
pixfirewall# show runn
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname pixfirewall
domain-name 192.168.0.230
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.144 xxx
name 192.168.0.8 xxx
name 192.168.0.11 xxx
name 192.168.0.37 xxx
name 192.168.0.41 xxx
name 192.168.0.32 xxx
object-group network net
access-list yyyyy permit ip any host 192.168.1.2
access-list yyyyy permit icmp any any
access-list yyyyy permit ip any host 192.168.0.236
access-list yyyyy permit ip any host 192.168.0.235
access-list yyyyy permit ip any host 192.168.0.230
access-list yyyyy permit ip any host 192.168.0.231
access-list yyyyy permit ip any host 192.168.0.118
access-list yyyyy permit ip any host 192.168.0.243
access-list yyyyy permit ip any host 192.168.0.121
access-list yyyyy permit ip any host 192.168.0.120
access-list yyyyy permit ip any host 192.168.0.141
access-list yyyyy permit ip any host 192.168.0.241
access-list yyyyy permit ip any host 192.168.0.242
access-list yyyyy permit ip any host 192.168.0.240
access-list yyyyy permit ip any host 192.168.0.200
access-list yyyyy permit ip any host 192.168.0.245
access-list yyyyy permit ip any host 192.168.0.4
access-list yyyyy permit ip any host 202.163.121.60
access-list yyyyy permit ip any host 202.163.121.61
access-list yyyyy permit ip any host 202.163.121.62
access-list internet deny tcp host 192.168.0.15 any eq www
access-list internet deny tcp host xxx any eq www
access-list internet deny tcp host 192.168.0.26 any eq www
access-list internet deny tcp host 192.168.0.27 any eq www
access-list internet deny tcp host xxx any eq www
access-list internet deny tcp host xxx any eq www
access-list internet deny tcp host 192.168.0.43 any eq www
access-list internet deny tcp host 192.168.0.44 any eq www
access-list internet deny tcp host 192.168.0.47 any eq www
access-list internet deny tcp host 192.168.0.48 any eq www
access-list internet deny tcp host 192.168.0.49 any eq www
access-list internet deny tcp host 192.168.0.50 any eq www
access-list internet deny tcp host 192.168.0.52 any eq www
access-list internet deny tcp host 192.168.0.53 any eq www
access-list internet deny tcp host 192.168.0.54 any eq www
access-list internet deny tcp host 192.168.0.55 any eq www
access-list internet deny tcp host 192.168.0.56 any eq www
access-list internet deny tcp host 192.168.0.57 any eq www
access-list internet deny tcp host 192.168.0.58 any eq www
access-list internet deny tcp host 192.168.0.72 any eq www
access-list internet deny tcp host 192.168.0.75 any eq www
access-list internet deny tcp host 192.168.0.76 any eq www
access-list internet deny tcp host 192.168.0.77 any eq www
access-list internet deny tcp host 192.168.0.78 any eq www
access-list internet deny tcp host 192.168.0.80 any eq www
access-list internet deny tcp host 192.168.0.81 any eq www
access-list internet deny tcp host 192.168.0.84 any eq www
access-list internet deny tcp host 192.168.0.85 any eq www
access-list internet deny tcp host 192.168.0.86 any eq www
access-list internet deny tcp host 192.168.0.87 any eq www
access-list internet deny tcp host 192.168.0.88 any eq www
access-list internet deny tcp host 192.168.0.46 any eq www
access-list internet deny tcp host 192.168.0.98 any eq www
access-list internet deny tcp host 192.168.0.74 any eq www
access-list internet deny tcp host 192.168.0.21 any eq www
access-list internet deny tcp host 192.168.0.23 any eq www
access-list internet deny tcp host 192.168.0.99 any eq www
access-list internet deny tcp host 192.168.0.100 any eq www
access-list internet deny tcp host 192.168.0.102 any eq www
access-list internet deny tcp host 192.168.0.104 any eq www
access-list internet deny tcp host 192.168.0.133 any eq www
access-list internet deny tcp host 192.168.0.134 any eq www
access-list internet deny tcp host 192.168.0.129 any eq www
access-list internet deny tcp host 192.168.0.132 any eq www
access-list internet deny tcp host 192.168.0.153 any eq www
access-list internet deny tcp host 192.168.0.154 any eq www
access-list internet deny tcp host 192.168.0.105 any eq www
access-list internet deny tcp host 192.168.0.59 any eq www
access-list internet deny tcp host 192.168.0.60 any eq www
access-list internet deny tcp host xxx any eq www
access-list internet deny tcp host xxx any eq www
access-list internet deny tcp host 192.168.0.12 any eq www
access-list internet deny tcp host 192.168.0.17 any eq www
access-list internet deny tcp host 192.168.0.24 any eq www
access-list internet deny tcp host 192.168.0.63 any eq www
access-list internet deny tcp host 192.168.0.65 any eq www
access-list internet deny tcp host 192.168.0.66 any eq www
access-list internet deny tcp host 192.168.0.67 any eq www
access-list internet deny tcp host 192.168.0.70 any eq www
access-list internet deny tcp host 192.168.0.90 any eq www
access-list internet deny tcp host 192.168.0.64 any eq www
access-list internet deny tcp host 192.168.0.94 any eq www
access-list internet deny tcp host 192.168.0.19 any eq www
access-list internet deny tcp host 192.168.0.170 any eq www
access-list internet deny tcp host 192.168.0.148 any eq www
access-list internet deny tcp host 192.168.0.183 any eq www
access-list internet deny tcp host 192.168.0.181 any eq www
access-list internet deny tcp host 192.168.0.182 any eq www
access-list internet deny tcp host 192.168.0.184 any eq www
access-list internet deny tcp host 192.168.0.185 any eq www
access-list internet deny tcp host 192.168.0.186 any eq www
access-list internet deny tcp host 192.168.0.187 any eq www
access-list internet deny tcp host 192.168.0.188 any eq www
access-list internet deny tcp host 192.168.0.189 any eq www
access-list internet deny tcp host 192.168.0.190 any eq www
access-list internet deny tcp host 192.168.0.191 any eq www
access-list internet deny tcp host 192.168.0.192 any eq www
access-list internet deny tcp host 192.168.0.193 any eq www
access-list internet deny tcp host 192.168.0.194 any eq www
access-list internet deny tcp host 192.168.0.195 any eq www
access-list internet deny tcp host 192.168.0.196 any eq www
access-list internet deny tcp host 192.168.0.197 any eq www
access-list internet deny tcp host 192.168.0.198 any eq www
access-list internet deny tcp host 192.168.0.199 any eq www
access-list internet deny tcp host 192.168.0.29 any eq www
access-list internet deny tcp host 192.168.0.30 any eq www
access-list internet deny tcp host 192.168.0.35 any eq www
access-list internet deny tcp host 192.168.0.36 any eq www
access-list internet permit ip any any
access-list 111 permit ip 192.168.0.0 255.255.255.0 host 172.16.0.11
access-list 111 permit ip 192.168.0.0 255.255.255.0 host 172.16.0.12
access-list 111 permit ip 192.168.0.0 255.255.255.0 host 172.16.0.13
access-list 111 permit ip 192.168.0.0 255.255.255.0 host 172.16.0.14
access-list 111 permit ip 192.168.0.0 255.255.255.0 host 172.16.0.15
access-list 111 permit ip 192.168.0.0 255.255.255.0 host 172.16.0.16
access-list 111 permit ip 192.168.0.0 255.255.255.0 host 172.16.0.17
access-list 111 permit ip 192.168.0.0 255.255.255.0 host 172.16.0.18
access-list 111 permit ip 192.168.0.0 255.255.255.0 host 172.16.0.19
access-list 111 permit ip 192.168.0.0 255.255.255.0 host 172.16.0.20
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside (Public IP) 255.255.255.248
ip address inside 192.168.0.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 111 192.168.0.248
global (outside) 1 (PublicIP)
nat (inside) 0 access-list 111
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.0.230 192.168.0.230 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.0.231 192.168.0.231 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.0.236 192.168.0.236 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.0.235 192.168.0.235 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.0.243 192.168.0.243 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.0.121 192.168.0.121 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.0.240 192.168.0.240 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.0.200 192.168.0.200 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.0.245 192.168.0.245 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.0.4 192.168.0.4 netmask 255.255.255.255 0 0
static (inside,outside) 202.163.121.60 192.168.0.4 netmask 255.255.255.255 0 0
static (inside,outside) 202.163.121.61 192.168.0.232 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.0.242 192.168.0.242 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.0.241 192.168.0.241 netmask 255.255.255.255 0 0
access-group yyyyy in interface outside
access-group internet in interface inside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 Router Interface Public IP 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside xxxx tftp-root
floodguard enable
telnet (Public IP) 255.255.255.248 outside
telnet 192.168.0.0 255.255.255.0 inside
telnet (Router Interface IP) 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
pixfirewall#
pixfirewall#
pixfirewall#
pixfirewall#
pixfirewall#

My question is…….
i want to allow internet on this IP 192.168.0.231
How can i do so????
i have done this
no access-list yyyyy permit ip any host 192.168.0.231
and
no static (inside,outside) 192.168.0.231 192.168.0.231 netmask 255.255.255.255 0 0
but in vain
Please help me

Deploying VOIP and QOS

Karl Gechlik — Tue, 19 Oct 2010 15:25:24 +0000

We
want to deploy VOIP to our network. We first need to implement QOS how can
we do that? We have all HP switches and Cisco routers. The firewall is
also a Cisco (PIX).

Which tool is used to configure 50 pix firewall?

Cybersoni — Thu, 19 Aug 2010 05:02:32 +0000

i have 50 pix firewall and how will i configure these firewall.

Setting up PIX535 but no network connection at all

springman — Wed, 19 May 2010 19:18:52 +0000

I am setting up spare firewall on an old PIX 535. I reset the box to factory default, assign the inside interfact an IP address and use a cross-over cable to for a laptop to connet to PIX. The problem is I am not able to ping the firewall from the laptop vise versa. There is no any ACL on the PIX. What could go wrong?

The PIX is now on 6.3(3). I hate the old IOS. I am trying to update it to 8.0 but the first thing I need to have is a network access. The inferface is not shutdown and it has an IP address assigned. What could possibly cause the default setting without network access?

Combining Networks with Same IP Scheme, VLAN,

Ramii — Sun, 15 Nov 2009 16:12:07 +0000

Hi, We are combining an couple offices next week & i need some advice. The networks already have VLANs set up. we have a Cisco 3550 Layer 3 switch set up to route traffic. The servers are on this site also. The network IP’s are 10.1.1.x, 10.1.4.x & 10.1.5.x. Servers reside on all of those networks. The network they are moving to is on a 10.1.3.x network. We have a Cisco PIX 506e & 515 set up to do VPN between the 10.1.1.x & 10.1.3.x networks. I have ordered another smart switch to put on the 10.1.3.x network so i can create the same VLANs on that network. (10.1.4.x & 10.1.5.x.) Am i thinking right that i need to do this, or should i be going a different route to set up the networks & route traffice the way i need to? I really want to keep the IP Scheme that everyone is already on, but if this cannot be done, i can do something else. I did read one situation from http://itknowledgeexchange.techtarget.com/itanswers/site-to-site-problems/ but this setup is almost the same as mine without the VLANs. Any assistance is greatly appreciated.

Cisco ASA 5510 site-to-site with PIX v6.3

Madpawn — Fri, 31 Jul 2009 19:29:09 +0000

I’ve recently developed a need to connect 2 networks together. One network (PIX Network) is currently connected to another network (DOMAIN 1) already via IPSEC site-to-site VPN. The other (ASA) is connected to many other sites via IPSEC site-to-site VPN and is those sites main domain server (DNS, DHCP, File, ext…)

PIX site is not a member of a domain, but uses DOMAIN 1′s file server to do work.

I need to connect the PIX and ASA network together by IPSEC site-to-site VPN, normally this would be a no brainier and would go down without a hitch, but there is a small problem in all of this. ASA and DOMAIN 1 have the same ip schema and the main assets PIX needs to use reside at the same ip on both networks. this is where my problem comes in.

PIX needs to be able to access DOMAIN 1′s file server which resides at 192.168.0.1 and ASA’s file server which also resides at 192.168.0.1 on it’s network at the same time.

I was thinking I could some how setup a DMZ on ASA and only allow access to the DMZ to the PIX network. this would eliminate the ip conflicts of the file servers and PIX would be able to work on both at the same time.

The problem is I do not know how to go about this on the ASA network. it has an ASA5510, but no DMZ is currently setup on it and I can not find in ASDM where to set it up at, nor do I know how to do it in CLI. Also is there a way for the DMZ interface to work through my external Vlan 1?

Once the ASA side is setup I’m unsure how to configure the PIX side of this.

Cisco ASA5510

Kwt712 — Tue, 21 Jul 2009 12:56:39 +0000

I need to find out if there is a command to shutdown Cisco ASA5510 firewall rather then walking up to the firewall and pulling the power plug … thanks

CiscoASA5505 DNS not getting to domain reverse lookup zones.

Shadowspapa — Fri, 10 Apr 2009 15:30:08 +0000

We are a state agency with a main office here, then about 45 smaller offices throughout the state.
The small 1 person offices connect back here via a web provider (ISP) and VPN client.
The rest connect back here using either a Cisco PIX 501 (4 of our older small offices) or a Cisco ASA5505 – and in either case, use LAN-to-LAN connections back to an Altega concentrator. The PIX and ASA devices BOTH serve as their offices DHCP provider/server. Those offices get their IP address and DNS server and WINS server settings from the DHCP services of the PIX or concentrator.
The issue:
Those here locally that get their DHCP from our DCs are in the appropriate reverse lookup zones.
Those that use the VPN client to connect back here get their DHCP address, etc. from the DCs here in this building as well. They are also all in the reverse lookup zones.
Those that use the PIX devices to get back here show up in the reverse lookup zones!
Now the kicker – those that use the ASA to get back here and get their addresses from the ASA DHCP are NOT registered in reverse lookup zones here!
If the computer has a STATIC IP address and manually assigned DNS and WINS settings, it WILL register back here.
So, anything that has either a STATIC assigned IP and DNS info registers, anything that gets DHCP assigned info from a server here registers, anything using the PIX for DHCP registers, but anything using an ASA AND getting a DHCP assignment from said ASA is NOT in the reverse lookup zones back here!
We are ALL so confused! Our senoir staff, even the folks at ITE (IT Enterprise) who are levels way above me “don’t get it”.
Ideas????
Microsoft said it’s a Cisco issue, either the device or our configuration (or lack there-of) and the test they have run make me believe them. But then why does the PIX send that info back here and the ASA not? There are NO SPECIAL settings in the PX at all. In fact, the ASAs are setup almost exactly like the PIXs – we basically converted the PIX settings for the ASA.
AARRG – (can I say that here?)

How to locally authenticate users using PPTP on a local PIX firewall

NetworkingATE — Thu, 12 Mar 2009 22:27:21 +0000

Question Edited by Serena3

How to block P2P applications in PIX 525 firewall

Yasir Irfan — Mon, 22 Dec 2008 07:36:02 +0000

I need to know how to block p2p applications using a pix firewall 525