
PIX problem: natted computers cannot get out

damiano

Platinum Member
As the title says,
I have configured my PIX, and all my workstations that have an internal IP can go out to the internet, but all the machines that have a NAT on the PIX cannot go out to the internet.
Any ideas?
thanks a bunch in advance
cheers
Damiano
 
Post your config and IP addresses. I'm confused when you say "natted machines can't get out"; aren't all your addresses natted in some way?
 
no,
all the machines are not natted...
some of them use an internal IP. (these go out with no problems)
Just some of them need to have a nat (only the ones that need a fixed external IP address)
 
here is the config file


show config
: Saved
: Written by enable_15 at 16:27:33.908 UTC Mon Apr 28 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 577ue2UsN1E8CMPR encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pugcopixbk
domain-name blah.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol skinny 2000
no fixup protocol h323 ras 1718-1719
no fixup protocol ils 389
no fixup protocol rtsp 554
no fixup protocol sip 5060
names
name 192.168.11.254 server02
name 192.168.11.109 ffms
name 192.168.11.148 sambdc
name 192.168.11.140 srvth01
name 192.168.11.252 mail
name 192.168.11.95 ns1
name 192.168.11.246 brass_ftp
name 192.168.11.110 fftc
name 192.168.11.80 kzpsrv1
name 192.168.11.102 pcmsvr2
pager lines 24
logging on
interface ethernet0 100full
interface ethernet1 100full
mtu outside 1500
mtu inside 1500
ip address outside 56.56.56.223 255.255.255.224
ip address inside 192.168.11.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location ns1 255.255.255.255 inside
pdm location 192.168.11.99 255.255.255.255 inside
pdm location 192.168.11.98 255.255.255.255 inside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
static (inside,outside) 56.56.56.41 ns1 netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.40 mail netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.34 server02 netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.38 srvth01 netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.36 sambdc netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.35 ffms netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.44 brass_ftp netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.226 fftc netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.227 kzpsrv1 netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.231 pcmsvr2 netmask 255.255.255.255 0 0
conduit permit tcp host ns1 eq www any
conduit permit tcp host ns1 eq smtp any
conduit permit tcp host ns1 eq pcanywhere-data any
conduit permit udp host ns1 eq pcanywhere-status any
conduit permit tcp host sambdc eq smtp any
conduit permit tcp host pcmsvr2 eq www any
conduit permit tcp host pcmsvr2 eq smtp any
conduit permit tcp host pcmsvr2 eq 1723 any
conduit permit gre host pcmsvr2 any
conduit permit tcp host kzpsrv1 eq smtp any
conduit permit gre host kzpsrv1 any
conduit permit tcp host kzpsrv1 eq 1723 any
conduit permit gre host ffms any
conduit permit tcp host ffms eq www any
conduit permit tcp host ffms eq smtp any
conduit permit tcp host ffms eq 1723 any
conduit permit tcp host mail eq 1723 any
conduit permit gre host mail any
conduit permit tcp host fftc eq pcanywhere-data any
conduit permit udp host fftc eq pcanywhere-status any
conduit permit tcp host server02 eq www any
conduit permit tcp host server02 eq smtp any
conduit permit tcp host server02 eq pop3 any
conduit permit tcp host srvth01 eq smtp any
conduit permit tcp host srvth01 eq 1723 any
conduit permit gre host srvth01 any
route outside 0.0.0.0 0.0.0.0 56.56.56.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
ntp server 192.5.41.209 source outside prefer
http server enable
http 192.168.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt nodnsalias inbound
sysopt nodnsalias outbound
no sysopt route dnat
telnet 192.168.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:0873ccb615f15e365522f73fe10d011c

pugcopixbk(config)# show config      running
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 577ue2UsN1E8CMPR encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pugcopixbk
domain-name pugco.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol skinny 2000
no fixup protocol h323 ras 1718-1719
no fixup protocol ils 389
no fixup protocol rtsp 554
no fixup protocol sip 5060
names
name 192.168.11.254 server02
name 192.168.11.109 ffms
name 192.168.11.148 sambdc
name 192.168.11.140 srvth01
name 192.168.11.252 mail
name 192.168.11.95 ns1
name 192.168.11.246 brass_ftp
name 192.168.11.110 fftc
name 192.168.11.80 kzpsrv1
name 192.168.11.102 pcmsvr2
pager lines 24
logging on
interface ethernet0 100full
interface ethernet1 100full
mtu outside 1500
mtu inside 1500
ip address outside 56.56.56.233 255.255.255.224
ip address inside 192.168.11.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location ns1 255.255.255.255 inside
pdm location 192.168.11.99 255.255.255.255 inside
pdm location 192.168.11.98 255.255.255.255 inside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
static (inside,outside) 56.56.56.41 ns1 netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.40 mail netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.34 server02 netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.38 srvth01 netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.36 sambdc netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.35 ffms netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.44 brass_ftp netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.226 fftc netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.227 kzpsrv1 netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.231 pcmsvr2 netmask 255.255.255.255 0 0
conduit permit tcp host ns1 eq www any
conduit permit tcp host ns1 eq smtp any
conduit permit tcp host ns1 eq pcanywhere-data any
conduit permit udp host ns1 eq pcanywhere-status any
conduit permit tcp host sambdc eq smtp any
conduit permit tcp host pcmsvr2 eq www any
conduit permit tcp host pcmsvr2 eq smtp any
conduit permit tcp host pcmsvr2 eq 1723 any
conduit permit gre host pcmsvr2 any
conduit permit tcp host kzpsrv1 eq smtp any
conduit permit gre host kzpsrv1 any
conduit permit tcp host kzpsrv1 eq 1723 any
conduit permit gre host ffms any
conduit permit tcp host ffms eq www any
conduit permit tcp host ffms eq smtp any
conduit permit tcp host ffms eq 1723 any
conduit permit tcp host mail eq 1723 any
conduit permit gre host mail any
conduit permit tcp host fftc eq pcanywhere-data any
conduit permit udp host fftc eq pcanywhere-status any
conduit permit tcp host server02 eq www any
conduit permit tcp host server02 eq smtp any
conduit permit tcp host server02 eq pop3 any
conduit permit tcp host srvth01 eq smtp any
conduit permit tcp host srvth01 eq 1723 any
conduit permit gre host srvth01 any
route outside 0.0.0.0 0.0.0.0 56.56.56.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
ntp server 192.5.41.209 source outside prefer
http server enable
http 192.168.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt nodnsalias inbound
sysopt nodnsalias outbound
no sysopt route dnat
telnet 192.168.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:0873ccb615f15e365522f73fe10d011c
: end

pugcopixbk(config)#
 
His global statement looks off and he probably needs to power down the PIX and power it back up.
Also check your router and make sure it is ok, might need to reboot it as well.
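
An added example, not part of the thread or written by any poster: a small Python check that could be run over a config like the one posted, comparing each `static` mapped address and the default gateway with the outside interface's subnet. The function name `audit_outside` and the report keys are hypothetical; the sample lines are a subset copied from the posted running config.

```python
import ipaddress

# Subset of lines copied from the running config posted in the thread.
SAMPLE = """\
name 192.168.11.95 ns1
name 192.168.11.110 fftc
ip address outside 56.56.56.233 255.255.255.224
global (outside) 1 interface
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
static (inside,outside) 56.56.56.41 ns1 netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.226 fftc netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 56.56.56.225 1
"""


def audit_outside(config):
    """Compare statics and the default route with the outside subnet (hypothetical helper)."""
    names, statics, outside, gateway = {}, [], None, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["name"] and len(tok) >= 3:
            names[tok[2]] = tok[1]                      # alias -> inside IP
        elif tok[:3] == ["ip", "address", "outside"] and len(tok) >= 5:
            outside = ipaddress.ip_interface(f"{tok[3]}/{tok[4]}")
        elif tok[:4] == ["route", "outside", "0.0.0.0", "0.0.0.0"] and len(tok) >= 5:
            gateway = ipaddress.ip_address(tok[4])
        elif tok[:2] == ["static", "(inside,outside)"] and len(tok) >= 4:
            statics.append((tok[2], tok[3]))            # (mapped, real IP or alias)
    if outside is None:
        raise ValueError("no 'ip address outside' line found")
    net = outside.network
    return {
        "outside_net": str(net),
        # The network and broadcast addresses of a subnet are not usable host addresses.
        "interface_usable": outside.ip not in (net.network_address, net.broadcast_address),
        # The default gateway has to be on the same segment as the outside interface.
        "gateway_on_link": gateway is not None and gateway in net,
        # Mapped addresses outside this subnet are reachable only if the upstream
        # router has a route for them pointing at the PIX.
        "off_subnet_statics": [
            (mapped, names.get(real, real))
            for mapped, real in statics
            if ipaddress.ip_address(mapped) not in net
        ],
    }
```

The saved config in the thread lists the outside address as 56.56.56.223 while the running config lists 56.56.56.233, so the check is worth running against both outputs.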
 