topic Please help me with PIX 501 basic configuration... in Network Security

Please help me with PIX 501 basic configuration...

j.rock — Fri, 21 Feb 2020 07:40:48 GMT

Please, could you help me with basic config with access from inside network 192.168.1.0/24 to outside network 192.168.7.0/24. I have problem with icmp(ping) from inside to outside and other serveces as ftp and http on outside host 192.168.7.1. This is my config...(I'm beginer) 🐵

(192.168.1.2 is my comp)

Result of firewall command: "sh runn"

: Saved

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx

passwd xxxx

hostname firewall

domain-name firewall.cz

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list inside_access_in permit icmp any any

access-list outside_access_in permit icmp any any

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

icmp permit any outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside 192.168.7.2 255.255.255.0

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.1.2 255.255.255.255 inside

pdm history enable

arp timeout 14400

nat (inside) 0 192.168.1.0 255.255.255.0 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

rip outside default version 1

rip inside default version 1

route outside 0.0.0.0 0.0.0.0 192.168.7.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.1.2 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet 192.168.1.2 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:xxxxx

: end

Re: Please help me with PIX 501 basic configuration...

a.awan — Wed, 13 Oct 2004 11:11:16 GMT

Your current configuration should allow ping to be successful. Have you made sure that 192.168.7.1 has a route back to 192.168.1.0/24 via 192.168.7.2?

The access-list you are binding to the inside interface will only allow icmp to be permitted outwards from hosts residing on the inside. If you want these hosts to be able to telnet, ftp, ssh, etc. outwards then you need to modify the access-list accordingly. Again make sure that the device you are connecting to knows how to get back to the subnet you are connecting from.

Re: Please help me with PIX 501 basic configuration...

j.rock — Wed, 13 Oct 2004 11:43:17 GMT

The host 192.168.7.1 is my test server(with ftp, http, tftp server).(I set only IP address a mask without gateway and dns settings) It's very simple config. (my pc > fw > server)

I don't ping also to outside fw interface from my pc....why? Thanks.

Re: Please help me with PIX 501 basic configuration...

a.awan — Wed, 13 Oct 2004 13:20:35 GMT

The host 192.168.7.1 needs to know how to get back to the 192.68.1.0/24 subnet. You can either add a static route on this host or you can configure this host with a default gateway which will be the outside interface of the PIX.

You cannot ping from a host on one interface of the PIX to the IP of another PIX interface. That is why you are unable to ping the outside interface of the PIX from your PC on the inside interface. I am sure you can ping from your PC to the PIX inside interface and from the server to the PIX outside interface. This is normal so do not be concerned about it.

After adding the default gateway on both the server and your internal PC you should be able to ping between them. Your internal PC should have the PIX inside interface as the default gateway while your outside server should have the PIX outside interface as the default gateway.