https://community.cisco.com/t5/network-security/pix-config-problem/m-p/672212#M1029857 <HTML><HEAD></HEAD><BODY><P>sorry, am trying to allow icmp and www through the firewall to start with. currently i can ping both interfaces from there sides of the pix but cannot ping through the pix.</P><P></P><P>thanks </P><P>Alex</P></BODY></HTML> Wed, 03 Jan 2007 20:12:51 GMT handley88 2007-01-03T20:12:51Z https://community.cisco.com/t5/network-security/pix-config-problem/m-p/672209#M1029854 <P>hi, am having trouble configuring a 506e firwall which is currently setup in a lab, i think there is a problem with the acl's or the static routing but not sure so here is the config.</P><P></P><P>thanks</P><P>Alex</P><P></P><P> </P><P></P> Mon, 11 Mar 2019 09:15:00 GMT https://community.cisco.com/t5/network-security/pix-config-problem/m-p/672209#M1029854 handley88 2019-03-11T09:15:00Z https://community.cisco.com/t5/network-security/pix-config-problem/m-p/672210#M1029855 <HTML><HEAD></HEAD><BODY><P>Could you please elaborate as to what you are trying to achieve and where are you facing the problem?</P><P></P><P>Narayan</P></BODY></HTML> Wed, 03 Jan 2007 15:18:10 GMT https://community.cisco.com/t5/network-security/pix-config-problem/m-p/672210#M1029855 royalblues 2007-01-03T15:18:10Z https://community.cisco.com/t5/network-security/pix-config-problem/m-p/672211#M1029856 <HTML><HEAD></HEAD><BODY><P>Try the modified configuration (attached) - I have included only www and smtp access. By defult the PIX will allow all connection outbound (Higher Security Interface to Lower Security Interface) but if you need any services such as smtp/www allowed into your internal network then you'll need ACL and static for this process.</P><P></P><P>Make sure that your MX record is pointing to the correct public IP address which is bound to the outside interface for smtp also for www access.</P><P></P><P>Also, note - if you only have the one public IP address and this is being used by the outside interface then you can substitute the ACLs and statics as such:</P><P></P><P>access-list outside_in permit tcp any host 194.74.152.163 eq smtp </P><P>access-list outside_in permit tcp any host 194.74.152.163 eq www</P><P>access-group outside_in in interface outside</P><P></P><P>static (inside,outside) tcp interface smtp <INTERNAL_MAIL_SERVER_IP> smtp netmask 255.255.255.255 0 0</INTERNAL_MAIL_SERVER_IP></P><P>static (inside,outside) tcp interface www <INTERNAL_WWW_SERVER_IP> www netmask 255.255.255.255 0 0</INTERNAL_WWW_SERVER_IP></P><P></P><P>After the modifications issue: write mem and also issue clear xlate.</P><P></P><P>To test for connectivity via the PIX configure the following on the outside interface:</P><P></P><P>access-list outside_in permit tcp any host 194.74.152.163 eq smtp </P><P>access-list outside_in permit tcp any host 194.74.152.163 eq www</P><P>access-list outside_in permit icmp any any echo-reply </P><P>access-list outside_in permit icmp any any unreachable </P><P>access-list outside_in permit icmp any any time-exceeded</P><P>access-group outside_in in interface outside</P><P></P><P>You should take out the icmp commands out when have finished testing.</P><P></P><P>Again, save with: write mem and also issue: clear xlate</P><P></P><P>Hope this helps and if you need any further help then let us know.</P><P></P><P>Please rate posts if it helps!!!</P><P></P><P></P><P> </P><P></P></BODY></HTML> Wed, 03 Jan 2007 15:56:13 GMT https://community.cisco.com/t5/network-security/pix-config-problem/m-p/672211#M1029856 jmia 2007-01-03T15:56:13Z https://community.cisco.com/t5/network-security/pix-config-problem/m-p/672212#M1029857 <HTML><HEAD></HEAD><BODY><P>sorry, am trying to allow icmp and www through the firewall to start with. currently i can ping both interfaces from there sides of the pix but cannot ping through the pix.</P><P></P><P>thanks </P><P>Alex</P></BODY></HTML> Wed, 03 Jan 2007 20:12:51 GMT https://community.cisco.com/t5/network-security/pix-config-problem/m-p/672212#M1029857 handley88 2007-01-03T20:12:51Z