Pix Question

jstrain · 03-14-2003, 08:57 AM

I am trying to fix a problem on a functional Pix firewall. Only certain local IP addresses are able to access the internet. There are now more machines that need internet access than there are addresses that allow this.

I didn't setup the Pix originally, but need to find a way to give other addresses internet access. I tried calling Cisco, but they are charging like $500 for a contract before I can get support.

Anyone have any ideas about how to open up additional addresses, or somewhere that explains this?

Jeremy

Rob Withey · 03-14-2003, 09:18 AM

I'm assuming that the firewall does NAT for outgoing traffic.

Does it have 1-1 NAT mapping set up for those addresses, or is NAT enabled for all internal addresses?

Are there firewall policies set up to block outgoing http traffic for many of the internal addresses?

Is there a limitation to the number of NAT leases possible at any time - ie, are the particular internal IPs that have external access dependant on who gets there first or are they always the same (fixed) IPs?

Rob

phil.45 · 03-14-2003, 09:26 AM

What IP addresses are you using on the local machines?

The problem you have sounds more like you are using fixed internet addresses rather than NAT. Are you using a DHCP server to allocate addresses to your clients?

jstrain · 03-14-2003, 10:48 AM

All of the machines have static internal (192.168.1.X) addresses. I did not setup the PIX, so I'm not sure of the internal configuration. Picking certain static internal addresses will allow local network access, but not internet access.

There is a command (I think it was show localhost) that listed 8 internal addresses along with some statistical info. Using any of those 8 addresses allows both local network access, as well as internet access.

I could be barking up the wrong tree here, but from the output of the localhost command, coupled with problems accessing the internet from other internal addresses, that was my conclusion.

Does this shed any light on the situation? Thanks for the help so far.

Jeremy

phil.45 · 03-14-2003, 11:07 AM

The machines that can access the internet, are they a continuous address range, or are they random:

example

192.168.1.1 - 192.168.1.8 all can access, anything above cant, or;
192.168.1.1 can, 192.168.1.2 cant, 192.168.1.3 can etc etc.

jstrain · 03-14-2003, 11:26 AM

They are random. If memory serves, it is something like .17, .20-.25, .27, .101

MP3DUB · 03-14-2003, 11:16 PM

I've never played around on a pix, or really any cisco stuff ($$$$)

but it sounds like it simply has some access filtering rule in place thats bound via ip. Id image theres a way to open it up to your entire subnet.

jstrain · 03-15-2003, 06:33 AM

That is exactly what I want to do, but unfortunately I have no idea how to do that. There are a host of commands you have to use, and I don't know anything but the most basic ones. Cisco tells me that I can't get support unless I purchase a support contract for $500, so I am hoping I can get some answers. I did find another board (experts-excahnge.com) that has given me some helpful hints.

Jeremy

WebAssistUK · 03-15-2003, 12:41 PM

We use pix at work and for the ISP we own. Have done a bit of pix work mainly via the web browser setup. Have you tried accessing the web browser setup??

I'll help anyway I can.

phil.45 · 03-15-2003, 03:19 PM

On ours the web filtering running on the Pix is a third party module, which is configured using a Windows client PC sitting in the DMZ. Maybe you have something similar?

User Name		Remember Me?
Password