topic Re: PIX 501 interconnectivity in Network Security https://community.cisco.com/t5/network-security/pix-501-interconnectivity/m-p/782342#M495541 <HTML><HEAD></HEAD><BODY><P>"there is no response to a machine on the inside network from outside."</P><P></P><P>Well I dont see it on the config but if you have not changed it the outisde interface by default is has security of 0 and inside has 100 </P><P></P><P>That means thanks to the ASA (adaptive Security Algorithm) any interface with a high security level can communicate with a low security level but not the other way around. </P><P></P><P>Right now there will be no response because you are doing only nat. </P><P></P><P>To get a inside machine to respond requests from outside you need to create a static translation.</P><P></P><P>ex:</P><P>static (inside,outside) tcp 10.0.0.1 ftp-data 192.168.2.1 ftp-data netmask 255.255.255.255</P><P></P><P> </P><P>This static command will allow any ftp-data request made on outside interface 10.0.0.1 to be forward to interface inside ip 192.168.2.1 port 20</P><P></P><P>Also keep in mind to add an access-list for that to happen because the outside interface does not accept any thing from out side. </P><P></P><P>In the case you want to open the outside to receive request for the static above you do </P><P>ex:</P><P></P><P>access-list OUTSIDE_TO_INSIDE extended permit tcp any interface outside eq ftp-data</P><P></P></BODY></HTML> Sun, 10 Jun 2007 14:51:26 GMT Rodrigo Gurriti 2007-06-10T14:51:26Z PIX 501 interconnectivity https://community.cisco.com/t5/network-security/pix-501-interconnectivity/m-p/782341#M495538 <P>My problem is that the Inside and outside network defined are working fine but independently, Although from the PIX console there is response from either side but there is no response to a machine on the inside network from outside. Please someone help in this regard. an erly response is anticipated.</P><P></P><P>the existing config goes like this:-</P><P>: Saved </P><P>: </P><P>fixup protocol dns maximum-length 512 </P><P>fixup protocol ftp 21 </P><P>fixup protocol h323 h225 1720 </P><P>fixup protocol h323 ras </P><P>fixup protocol http 80 </P><P>fixup protocol rsh 514 </P><P>fixup protocol rtsp 554</P><P>fixup protocol sip 5060</P><P>fixup protocol sip udp 5060</P><P>fixup protocol skinny 2000</P><P>fixup protocol smtp 25</P><P>fixup protocol sqlnet 1521</P><P>fixup protocol tftp 69</P><P>names</P><P>object-group network inside</P><P> network-object 192.168.2.0 255.255.255.0</P><P>object-group network in</P><P> network-object 192.168.2.1 255.255.255.255</P><P>object-group network out</P><P> network-object 192.168.1.0 255.255.255.0</P><P>access-list inside_access_in permit tcp interface inside interface outside</P><P>access-list acl_outbound permit ip any any</P><P>access-list acl_outbound permit tcp any any</P><P>access-list outside permit icmp any any</P><P>access-list outside permit ip any any</P><P>access-list inside permit icmp any any</P><P>access-list inside permit ip any any</P><P>access-list outbound permit tcp any host 192.168.2.1</P><P>access-list outbound permit icmp any host 192.168.2.1</P><P>access-list inbound permit tcp any host 192.168.2.1 eq www </P><P>pager lines 40 </P><P>mtu outside 1500 </P><P>mtu inside 1500 </P><P>ip address outside 192.168.1.2 255.255.255.0 ip address inside 192.168.2.1 255.255.255.0 ip audit info action alarm </P><P>ip audit attack action alarm </P><P>pdm location 192.168.2.0 255.255.255.0 inside </P><P>pdm group inside inside </P><P>pdm group in inside </P><P>pdm group out outside </P><P>pdm history enable </P><P>arp timeout 14400 </P><P>global (outside) 10 interface </P><P>global (inside) 50 192.x.2.10-192.168.2.45 netmask 255.255.255.0</P><P>nat (inside) 50 192.x.2.0 255.255.255.0 0 0</P><P>nat (inside) 10 0.0.0.0 0.0.0.0 0 0</P><P>static (inside,outside) 192.168.2.1 192.168.2.1 netmask 255.255.255.255 0 0</P><P>access-group outside in interface outside</P><P>access-group inside_access_in in interface inside</P><P>route outside 0.0.0.0 0.0.0.0 192.168.1.1 1</P><P>route inside 192.168.2.1 255.255.255.255 192.168.2.1 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00</P><P>timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00</P><P>timeout sip-disconnect 0:02:00 sip-invite 0:03:00</P><P>timeout uauth 0:05:00 absolute</P><P>aaa-server TACACS+ protocol tacacs+</P><P>aaa-server TACACS+ max-failed-attempts 3</P><P>aaa-server TACACS+ deadtime 10</P><P>aaa-server RADIUS protocol radius</P><P>aaa-server RADIUS max-failed-attempts 3</P><P>aaa-server RADIUS deadtime 10</P><P>aaa-server LOCAL protocol local</P><P>http server enable</P><P>http 192.168.2.0 255.255.255.0 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server community public</P><P>no snmp-server enable traps</P><P>floodguard enable</P><P>sysopt noproxyarp outside</P><P>telnet 192.168.2.0 255.255.255.0 inside</P><P>telnet timeout 5</P><P>ssh timeout 5</P><P>console timeout 0</P><P>dhcpd address 192.168.2.10-192.168.2.40 inside</P><P>dhcpd lease 3600</P><P>dhcpd ping_timeout 750</P><P>dhcpd auto_config outside</P><P>dhcpd enable inside</P><P>terminal width 80</P><P>Cryptochecksum:xxxx</P><P>: end</P><P></P><P></P><P>2.x is the internal network and 1.x is hte outside network</P><P></P><P></P><P></P><P></P> Fri, 21 Feb 2020 09:33:51 GMT https://community.cisco.com/t5/network-security/pix-501-interconnectivity/m-p/782341#M495538 pravinthali 2020-02-21T09:33:51Z Re: PIX 501 interconnectivity https://community.cisco.com/t5/network-security/pix-501-interconnectivity/m-p/782342#M495541 <HTML><HEAD></HEAD><BODY><P>"there is no response to a machine on the inside network from outside."</P><P></P><P>Well I dont see it on the config but if you have not changed it the outisde interface by default is has security of 0 and inside has 100 </P><P></P><P>That means thanks to the ASA (adaptive Security Algorithm) any interface with a high security level can communicate with a low security level but not the other way around. </P><P></P><P>Right now there will be no response because you are doing only nat. </P><P></P><P>To get a inside machine to respond requests from outside you need to create a static translation.</P><P></P><P>ex:</P><P>static (inside,outside) tcp 10.0.0.1 ftp-data 192.168.2.1 ftp-data netmask 255.255.255.255</P><P></P><P> </P><P>This static command will allow any ftp-data request made on outside interface 10.0.0.1 to be forward to interface inside ip 192.168.2.1 port 20</P><P></P><P>Also keep in mind to add an access-list for that to happen because the outside interface does not accept any thing from out side. </P><P></P><P>In the case you want to open the outside to receive request for the static above you do </P><P>ex:</P><P></P><P>access-list OUTSIDE_TO_INSIDE extended permit tcp any interface outside eq ftp-data</P><P></P></BODY></HTML> Sun, 10 Jun 2007 14:51:26 GMT https://community.cisco.com/t5/network-security/pix-501-interconnectivity/m-p/782342#M495541 Rodrigo Gurriti 2007-06-10T14:51:26Z