PIX 501 Connectivity between inside and outside

19 years 1 month ago #10423 by myrond1
Hi all,

I am new to PIX firewalls; I was using a Netmax SG10 firewall that crashed. I purchased the 501 and followed the directions to the letter, and I've scoured forum after forum for an answer. I currently have this set up in a small test config before I replace the current equipment (a band-aid fix of a cable/DSL router just to provide access).

here's my physical setup:

Fractional T from ISP ->
Cisco 2501 router ->
Cisco Catalyst 2900 XL switch (acting more as hub) ->
outside interface of PIX 501 (a full class C scope) ->
one laptop for config.

I can access the outside interface from the working network and do config through any means available (ssh, telnet, pdm).

I can also access the same protocols on the internal interface from the laptop (using an RFC address in the 172 range with a mask of 255.255.0.0).

From the laptop I can ping the internal interface, and from my PC on the external network I can ping the external interface.

I've set up routing and some translations in different variations and I CANNOT get traffic to pass from the internal interface to the external interface.


here is the current config:

Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Ll55APSabc8mXXFi encrypted
passwd Ll55APSabc8mXXFi encrypted
hostname HOST
domain-name DOMAIN.US
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name x.x.181.10 www3
access-list inside_access_in permit tcp 172.16.0.0 255.255.0.0 interface outside log
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside x.x.181.250 255.255.255.0
ip address inside 172.16.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 172.16.0.2 255.255.255.255 inside
pdm location www3 255.255.255.255 outside
pdm location 172.16.0.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.255.0 0 0
nat (inside) 1 172.16.0.0 255.255.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
rip outside default version 1
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 x.x.181.2 1
route inside 172.16.0.1 255.255.255.255 x.x.181.250 1
route inside 172.16.0.2 255.255.255.255 172.16.0.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http x.x.181.0 255.255.255.0 outside
http 172.16.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss 0
telnet x.x.181.0 255.255.255.0 outside
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 60
ssh x.x.181.0 255.255.255.0 outside
ssh 172.16.0.0 255.255.0.0 inside
ssh timeout 60
console timeout 0
dhcpd address 172.16.0.2-172.16.0.255 inside
dhcpd dns x.x.181.7 x.x.128.11
dhcpd wins x.x.181.3 x.x.181.3
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain DOMAIN.US
dhcpd auto_config outside
dhcpd enable inside
username *ME* password 5cY9xxjCzaOvdc2/ encrypted privilege 15
terminal width 80
Cryptochecksum:5756452cda0ab0e8dafdf26f15485a3d
: end
[OK]


I'm not sure where the problem is. I've been knocking my head over this for a couple of weeks.

Any assistance from the forum would be gratefully appreciated.

Thanks

**names and locations have been changed to protect the innocent**

Joel E Koss
19 years 1 month ago #10426 by TheeGreatCornholio
Hello myrond1...

Let's start with the basics... first, yank that ACL off of the inside interface. I'm not sure what you are trying to accomplish with that access-list, but it really is adding no value whatsoever at this point.

no access-group inside_access_in in interface inside

Now, unless you have a specific need for it you should disable RIP routing on the PIX (not really the issue though, just good housekeeping).

Next... these NAT statements are redundant... remove the ones with the 'no' in front of them... or just keep one of the three...

no nat (inside) 1 172.16.0.0 255.255.255.0 0 0
no nat (inside) 1 172.16.0.0 255.255.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Next, your static routes are a bit confusing, especially this one:
route inside 172.16.0.1 255.255.255.255 x.x.181.250 1

This has got to be hosing something - a host route defined statically towards the inside interface that happens to be the IP of the inside interface, with the next-hop IP address on the outside interface? What was the goal of this statement?
Remove it.

This statement adds no value:
route inside 172.16.0.2 255.255.255.255 172.16.0.1 1
Remove it.

I've never seen anyone have this in their config:
sysopt connection tcpmss 0
This is used to set the maximum TCP segment size, and is typically (but very rarely) used when passing traffic through a VPN tunnel, which you are not, based on your config. The default value of this command is supposed to be 1388, yet you have yours set at zero. I don't know what that setting would do on the PIX, so I highly recommend you remove the whole command.
no sysopt connection tcpmss 0

Try these things and see if you can get traffic to flow - I have a feeling you will. Once you get traffic moving, then we can talk about that access-list on the inside interface again, and what it is you are interested in filtering.

Good Luck!

tGc
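The checklist in the reply above (overlapping nat statements, nonsensical static routes, the tcpmss override, and the ACL bound to the inside interface) is mechanical enough to lint. The following is an added example of mine, not code from the thread or from Cisco: a small Python audit that reads a PIX 6.x-style config and reports exactly those four classes of problem. It assumes only the line shapes present in the posted config (the regexes do not cover other nat or route forms), and uses the documentation range 203.0.113.0/24 as a constructed stand-in for the masked x.x.181.0/24 addresses.

```python
import ipaddress
import re

# Constructed sample, modelled on the PIX 6.3 config posted in the thread.
# Documentation addresses (203.0.113.0/24) stand in for the masked x.x.181.0/24.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.250 255.255.255.0
ip address inside 172.16.0.1 255.255.0.0
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.255.0 0 0
nat (inside) 1 172.16.0.0 255.255.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 203.0.113.2 1
route inside 172.16.0.1 255.255.255.255 203.0.113.250 1
route inside 172.16.0.2 255.255.255.255 172.16.0.1 1
sysopt connection tcpmss 0
"""

# Assumption: only the PIX 6.x line shapes seen in the posted config are recognised.
IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")
TCPMSS_RE = re.compile(r"^sysopt connection tcpmss (\d+)$")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def parse_interfaces(config):
    """Map interface name -> IPv4Interface from 'ip address <if> <ip> <mask>' lines."""
    interfaces = {}
    for line in config.splitlines():
        m = IP_ADDR_RE.match(line.strip())
        if m:
            name, ip, mask = m.groups()
            interfaces[name] = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return interfaces


def check_nat(config):
    """Flag nat statements in the same NAT group on the same interface whose
    local networks overlap: the wider one already covers the narrower one."""
    nats = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        ifname, group, net, mask = m.groups()
        try:
            nats.append((ifname, group, ipaddress.IPv4Network(f"{net}/{mask}", strict=False)))
        except ValueError:
            continue  # other nat forms (e.g. access-list based) are not covered here
    findings = []
    for i, (if_a, grp_a, net_a) in enumerate(nats):
        for if_b, grp_b, net_b in nats[i + 1:]:
            if if_a == if_b and grp_a == grp_b and (net_a.subnet_of(net_b) or net_b.subnet_of(net_a)):
                findings.append(f"nat: overlapping networks in group {grp_a} on {if_a}: {net_a} and {net_b}")
    return findings


def check_routes(config, interfaces):
    """Flag static routes that cannot do anything useful: a destination that is the
    firewall's own interface address or is already directly connected, a next hop
    that is not on the named interface's subnet, or the interface itself as gateway."""
    findings = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        ifname, dest, mask, nexthop = m.groups()
        dest_net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        nexthop_ip = ipaddress.IPv4Address(nexthop)
        iface = interfaces.get(ifname)
        if iface is None:
            findings.append(f"route: interface {ifname} has no ip address line")
            continue
        if dest_net.prefixlen == 32 and dest_net.network_address == iface.ip:
            findings.append(f"route: destination {dest_net} is the {ifname} interface's own address")
        elif dest_net.subnet_of(iface.network):
            findings.append(f"route: destination {dest_net} is already directly connected on {ifname}")
        if nexthop_ip not in iface.network:
            findings.append(f"route: next hop {nexthop_ip} is not on the {ifname} subnet {iface.network}")
        elif nexthop_ip == iface.ip:
            findings.append(f"route: next hop {nexthop_ip} is the {ifname} interface itself")
    return findings


def check_misc(config):
    """Flag the tcpmss override and an ACL bound to the inside interface, both of
    which the reply in the thread suggests removing until basic traffic flows."""
    findings = []
    for line in config.splitlines():
        line = line.strip()
        m = TCPMSS_RE.match(line)
        if m and int(m.group(1)) == 0:
            findings.append("sysopt: 'connection tcpmss 0' overrides the default; remove unless needed")
        m = ACCESS_GROUP_RE.match(line)
        if m and m.group(2) == "inside":
            findings.append(f"access-group: ACL {m.group(1)} bound to inside; unbind until traffic flows")
    return findings


def audit(config):
    """Run all checks and return the combined list of findings."""
    return check_nat(config) + check_routes(config, parse_interfaces(config)) + check_misc(config)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports nine findings, one for each point raised in the reply (three overlapping nat pairs, four route problems, the tcpmss line and the inside ACL); a config reduced to one nat statement and the default route produces none.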
19 years 1 month ago #10443 by Chris
tGc,

There's some great information in your post. I've just begun reading one of Cisco Press's latest books on configuring Pix firewalls and I recall some of your suggestions from the book.

Very informative post!

Cheers,

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
19 years 1 month ago #10514 by myrond1
Thanks for the help---as a last-ditch effort this morning I came in and "hosed" all the changes I had made from default--excluding the IP info, of course. Then I had a thought---since the "band-aid" router isn't doing anything but giving access, I changed its IP address to something else and gave the PIX the correct one for where it's going to be---x.x.x.8, since the host name IS registered with DNS.

Lo and behold---I have access to the outside world.

Now the fun begins---NAT and the access rules.

I've been struggling with the NAT all day--but that's a whole other story.

Thanks again.

Joel E Koss
19 years 1 month ago #10549 by TheeGreatCornholio
myrond1 & Chris...

Anytime - glad to help out.

myrond1 - whenever you're ready to work out the NAT and ACL issues - post some questions and I'll try to help you out.

Good Luck!

tGc