Posted by William L. Sun on March 15, 2005, 8:41 pm
Have you tried the following commands?
clear xlate
clear arp
If you still have issues, you can try
reload
to reboot the PIX.
> We use windows 2000 server IAS as RADIUS in PIX setup to authenticate
> outbound HTTP access. After changing to the new public addresses in
> the following PIX configuration, we no longer get "HTTP authentication"
> windows to access the Internet. Attached below is the configuration
> information. Please advise if I missed something.
>
> Assuming these are the new public IP addresses:
> ip: 1.2.3.4 ~ 8
> gateway: 1.2.3.1
> dns: 106.10.24.10, 206.13.29.12
>
> I changed the following three lines to reflect the new IP addresses:
> ip address outside ...
> global (outside) ...
> route outside ...
>
> PIX configuration -
>
> PIX Version 6.3(3)
> interface ethernet0 auto
> interface ethernet1 100full
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> hostname pixfirewall
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol smtp 25
> names
> access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
> access-list 110 deny tcp host 192.168.10.199 any eq smtp
> access-list 110 permit ip host 192.168.10.199 any
> access-list 110 deny udp host 192.168.10.11 any eq domain
> access-list 110 permit ip host 192.168.10.11 any
> access-list 110 deny udp host 192.168.10.12 any eq domain
> access-list 110 permit ip host 192.168.10.12 any
> access-list 110 permit ip host 192.168.10.13 any
> access-list 110 permit ip host 192.168.10.27 any
> access-list 110 permit ip host 192.168.10.16 any
> access-list 110 permit ip host 192.168.10.17 any
> access-list 110 permit ip host 192.168.10.200 any
> access-list 110 permit ip host 192.168.10.201 any
> access-list 110 deny udp any host 106.10.24.10 eq domain
> access-list 110 deny udp any host 206.13.29.12 eq domain
> access-list 111 permit tcp any any eq www
> access-list 111 permit tcp any any eq https
> access-list 111 permit udp any host 106.10.24.10 eq domain
> access-list 111 permit udp any host 206.13.29.12 eq domain
> access-list 112 permit tcp any any eq www
> access-list 112 permit tcp any any eq https
> access-list 112 permit udp any any eq 554
> access-list 112 permit tcp any any eq 7070
> access-list 112 permit tcp any any eq 8080
> access-list 112 permit udp any any eq 1755
> access-list 112 permit tcp any any eq 1755
> access-list 112 permit tcp any any eq ssh
> access-list 112 permit udp any any eq pcanywhere-status
> access-list 112 permit tcp any any eq pcanywhere-data
> access-list 112 permit udp any any eq 1720
> access-list 112 permit tcp any any eq 554
> access-list 112 permit udp any host 106.10.24.10 eq domain
> access-list 112 permit udp any host 206.13.29.12 eq domain
> access-list 113 permit ip any any
> pager lines 24
> logging on
> logging timestamp
> logging monitor informational
> logging buffered informational
> mtu outside 1500
> mtu inside 1500
> ip address outside 1.2.3.4 255.255.255.248
> ip address inside 192.168.10.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> ip local pool vpnpool 192.168.11.1-192.168.11.254
> no failover
> failover timeout 0:00:00
> failover poll 15
> no failover ip address outside
> no failover ip address inside
> arp timeout 14400
> global (outside) 1 1.2.3.5
> nat (inside) 0 access-list 101
> nat (inside) 1 192.168.10.11 255.255.255.255 0 0
> nat (inside) 1 192.168.10.12 255.255.255.255 0 0
> nat (inside) 1 192.168.10.13 255.255.255.255 0 0
> nat (inside) 1 192.168.10.14 255.255.255.255 0 0
> nat (inside) 1 192.168.10.17 255.255.255.255 0 0
> nat (inside) 1 192.168.10.27 255.255.255.255 0 0
> nat (inside) 1 192.168.10.199 255.255.255.255 0 0
> nat (inside) 1 192.168.10.200 255.255.255.255 0 0
> nat (inside) 1 192.168.10.201 255.255.255.255 0 0
> route outside 0.0.0.0 0.0.0.0 1.2.3.1 1
> timeout xlate 12:00:01
> timeout conn 12:00:00 half-closed 0:10:00 udp 0:05:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 12:00:00 absolute uauth 4:00:00 inactivity
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> aaa-server AuthOutbound protocol radius
> aaa-server AuthOutbound (inside) host 192.168.10.12 xyzAuth timeout 3
> aaa-server AuthOutbound (inside) host 192.168.10.11 xyzAuth timeout 3
> aaa authentication match 110 inside AuthOutbound
> http server enable
> http 192.168.10.200 255.255.255.255 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> virtual http 192.168.100.1
> floodguard enable
> sysopt connection permit-ipsec
> service resetinbound
> crypto ipsec transform-set myset esp-des esp-md5-hmac
> crypto dynamic-map dynmap 10 set transform-set myset
> crypto map mymap 10 ipsec-isakmp dynamic dynmap
> crypto map mymap interface outside
> console timeout 0
> terminal width 80
> : end
>
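The quoted `aaa authentication match 110 inside AuthOutbound` line only challenges flows that hit a permit entry in access-list 110; deny entries and the implicit deny at the end exempt traffic. The evaluator below is an added example, not code from the thread: it replays PIX first-match semantics over a subset of the quoted ACL 110 (the `PORTS` table and `requires_auth` helper are this example's own, not PIX commands).

```python
import ipaddress

PORTS = {"smtp": 25, "domain": 53, "www": 80, "https": 443}

# Lines copied verbatim from the quoted configuration (a subset of ACL 110).
ACL_110 = """
access-list 110 deny tcp host 192.168.10.199 any eq smtp
access-list 110 permit ip host 192.168.10.199 any
access-list 110 deny udp host 192.168.10.11 any eq domain
access-list 110 permit ip host 192.168.10.11 any
access-list 110 permit ip host 192.168.10.13 any
access-list 110 deny udp any host 106.10.24.10 eq domain
"""

def _addr(tokens):
    """Consume one PIX address spec: 'any', 'host A', or 'A MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}")

def parse_acl(text):
    """Parse 'access-list <id> <action> <proto> <src> <dst> [eq <port>]'."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto, rest = t[2], t[3], t[4:]
        src = _addr(rest)
        dst = _addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORTS.get(rest[1]) or int(rest[1])
        rules.append((action, proto, src, dst, port))
    return rules

def requires_auth(rules, proto, src, dst, dport):
    """PIX walks the list top-down and the first match wins. Under
    'aaa authentication match', a permit hit means the flow is challenged;
    a deny hit or no hit at all (implicit deny) exempts it."""
    for action, rproto, rsrc, rdst, rport in rules:
        if (rproto in ("ip", proto)
                and ipaddress.ip_address(src) in rsrc
                and ipaddress.ip_address(dst) in rdst
                and rport in (None, dport)):
            return action == "permit"
    return False

RULES = parse_acl(ACL_110)
```

Because `deny udp any host 106.10.24.10 eq domain` sits below `permit ip host 192.168.10.13 any`, DNS from 192.168.10.13 is still challenged, while 192.168.10.14 (which has a `nat` entry but no ACL 110 entry) is never challenged at all.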