# pix firewall problem if it has dhcp server running



## packets (Apr 8, 2008)

I was task to configure a pix firewall though I have no experience to it. Although I successfully installed the pix, I have minor problem that probably one of the members might help me. There are dhcp server running in the private network. If the dhcp server's gateway is the pix, most pc who got their ip via dhcp has no Internet connection. But if they static their ips, it has Internet connection.

They're saying that the problem is in the pix. Here is the config:

PIX Version 7.1(2)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password yUrbou1d1Dk5WwfZ encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 203.84.23.226 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.253 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outbound extended permit ip any any
access-list outbound extended permit tcp any host 192.168.1.67 eq www
access-list outbound extended permit tcp host 192.168.1.67 any eq www 
access-list 100 extended permit tcp any host 203.84.23.230 eq www 
access-list 100 extended permit tcp any host 203.84.23.231 eq www 
access-list 100 extended permit tcp any any eq www 
access-list 100 extended permit tcp host 203.84.23.231 any eq www 
access-list 100 extended permit tcp any host 203.84.23.227 eq lotusnotes 
access-list 100 extended permit tcp 203.84.20.0 255.255.255.0 host 202.84.23.226 
eq telnet 
access-list 100 extended permit tcp any host 203.84.23.231 eq ftp 
access-list 100 extended permit tcp any host 203.84.23.229 eq www
access-list 100 extended permit tcp any host 203.84.23.230 eq 3013
access-list 100 extended permit tcp any host 203.84.23.231 eq 3013
access-list 100 extended permit tcp any host 203.84.23.232 eq 3013
access-list 100 extended permit tcp any host 203.84.23.233 eq 3013
access-list 100 extended permit tcp any host 203.84.23.230 eq 5800
access-list 100 extended permit tcp any host 203.84.23.230 eq 5900
access-list 100 extended permit tcp any host 203.84.23.232 eq 5800
access-list 100 extended permit tcp any host 203.84.23.232 eq 5900
access-list 100 extended permit tcp any host 203.84.23.229 eq ftp
access-list 100 extended permit tcp any host 203.84.23.235 eq www
access-list 100 extended permit tcp any host 203.84.23.227 eq www
access-list 100 extended deny icmp any host 203.84.23.226
access-list inbound extended permit tcp any host 203.84.23.231 eq www
access-list inbound extended permit tcp any host 203.84.23.230 eq www
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 1 203.84.23.227-203.84.23.237 
nat (inside) 1 0.0.0.0 0.0.0.0 
static (inside,outside) 203.84.23.231 192.168.1.67 netmask 255.255.255.255 
static (inside,outside) 203.84.23.228 192.168.1.12 netmask 255.255.255.255 
static (inside,outside) 203.84.23.229 192.168.1.13 netmask 255.255.255.255 
static (inside,outside) 203.84.23.232 192.168.1.58 netmask 255.255.255.255 
static (inside,outside) 203.84.23.233 192.168.1.74 netmask 255.255.255.255 
static (inside,outside) 203.84.23.230 192.168.1.22 netmask 255.255.255.255 
static (inside,outside) 203.84.23.235 192.168.1.78 netmask 255.255.255.255
static (inside,outside) 203.84.23.227 192.168.1.1 netmask 255.255.255.255
access-group 100 in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 203.84.23.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username eastern password 4FsAsQ9qHIX/yaV/ encrypted
username worldvision password FZIm6HFr1iuxwOIv encrypted
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.10 255.255.255.255 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
class-map inspection_default 
match default-inspection-traffic 
! 
! 
policy-map global_policy 
class inspection_default 
inspect dns maximum-length 512 
inspect ftp 
inspect h323 h225 
inspect h323 ras 
inspect rsh 
inspect rtsp 
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:84b5f7ba0b9c691e57f1d62f5547fdaa
: end


----------



## packets (Apr 8, 2008)

any advise?

I have tried nat (inside) 1 192.168.1.0 255.255.255.0 but still has a problem? Could it be the DHCP server and not the pix firewall? I cannot connect remotely to the pix since it was located in other floor


----------

