topic Re: Pix 515E Outbound Configuration in Network Security

Pix 515E Outbound Configuration

raju — Fri, 21 Feb 2020 07:07:32 GMT

Hello,

I'm trying to setup a PIX 515E in the lab for learning .I've configured ether0 with IP address 212.100.211.1/24 and ether1 with 192.168.10.1 /24 . Ether0 Interface of Pix is connected with a PC having IP address of 212.100.211.2 /24 using cross over cable and Ether1 Interface is connected with another PC , having IP address 192.168.10.2 /24 using Cross cable. I'm trying to initiate a outbound connection from 192.168.10.2 to the PC of 212.100.211.2 ,but it does not work. I've created NAT & Global , no use. From this PC , I can't able to ping "outside "Interface address of PIX .From PIX , I can able to ping both the PC's connected to outside & Inside Interfaces.

Thanks.

Raju

Re: Pix 515E Outbound Configuration

l.mourits — Sat, 29 Nov 2003 21:19:20 GMT

Hi Raju,

If you use ping for test, you have to setup an accesslist on the outside interface which permits the returning ICMP-packets.

Remember there is no need to setup an access-list for responsepackets on outbound tcp and udp sessions. Reason for this difference is that PIX´s ASA (the statefull inspection mechanism) does not handle ICMP, but does handle other traffic.

So, when you setup your PIX like you described, ICMP won´t work, but other traffic will. Try to telnet or http to the outside and you will see that it works.

Hope this helps,

Leo

Re: Pix 515E Outbound Configuration

rgrcommo — Sat, 29 Nov 2003 23:04:35 GMT

cut-in-paste below in your pix then it will work.

-----------------

access-list permit_out_in permit icmp host 212.100.211.2 host 212.100.211.50

access-group permit_out_in in interface outside

static (i,o) 212.100.211.1 192.168.10.1

static (i,o) 212.100.211.50 192.168.10.2

route out 0 0 212.100.211.1

glo (out) 1 212.100.211.40-212.100.211.60

glo (out) 1 212.100.211.35 interface outside

nat (in) 1 0 0

logging on

logging con 7

---------------------------------

Make sure you hosts PC have their gateways set correctly. PC1 should have a gateway of the outside interface of the pix. PC2 should have a gateway of the inside PIX.

From the PIX do this:

pix(config)# clear xlate

pix# ping out 212.100.211.2

you should be getting a reply. Then:

pix# ping in 192.168.10.2

you should be getting a reply.

Ping the inside interface of the pix from PC2.

you should be getting a reply.

Now goto PC1 on the outside interface and in dos ping 212.100.211.50

you should get a reply.

This is one way of doing it. You may need to use another way for your final config depending on how many global addrs you have.

If for some reason you can not ping use debug icmp trace to see where the packet is going.

pix(config)# debug icmp trace

Jeff

Re: Pix 515E Outbound Configuration

raju — Mon, 01 Dec 2003 05:17:55 GMT

Thanks Jeff . It works .

Regards.