topic Re: 501 PIX trouble in Network Security

501 PIX trouble

dsingleterry — Fri, 21 Feb 2020 06:27:37 GMT

I have a 515e working fine at one location, but my 501 at a different location will not pass traffic through.

I have a DSL modem connected to the 501 on the outside interface, vpdn is authenticating to it over pppoe. I can ping the outside world from within the firewall over console or telnet, and I can ping the internal network 192.168.51.0 from within the firewall. From the network (51.0 ) I can ping the firewall's inside nic (192.168.51.1) but cannot ping or see any traffic through to the outside interface.

The following is my config:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password ******** encrypted

passwd ********* encrypted

hostname Const

domain-name ***********.com

fixup protocols.....

access-list acl_outbound permit ip 192.168.51.0 255.255.255.0 any

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

icmp permit any outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside pppoe setroute

ip address inside 192.168.51.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location............

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group acl_outbound in interface inside

timeouts.....

...aaa and http server entries, snmp, etc

...

vpdn group pppoex request dialout pppoe

vpdn group pppoex localname yearround2

vpdn group pppoex ppp authentication pap

vpdn username **** password *******

terminal ....

:end

What am I missing here? I have compared it to my 515e's settings and cant see where its not crossing.

Thank you very much for your time,

Dave

Re: 501 PIX trouble

bradd.hammond — Fri, 27 Dec 2002 17:54:57 GMT

create an inbound access list with the following commands:

access-list acl_inbound permit icmp any any echo-reply

access-list acl_inbound permit icmp any any unreachable

access-list acl_inbound permit icmp any any time-exceeded

access-group acl_inbound in interface outside

Re: 501 PIX trouble

dsingleterry — Fri, 27 Dec 2002 19:02:24 GMT

No, its not that. If you notice I do have two icmp permit lines in there. These from my understanding supercede the access-lists, and I have also tried ,just to make sure it wasnt the lack of an access-list inbound, to put a permit ip any any on the outside interface and that didnt help.

I fear its something to do with my nat or global, but for the life of me I dont see it. What I did for the 515e isnt working on this one.

Thanks for your help though and for any more anyone can offer.

Dave

Re: 501 PIX trouble

bradd.hammond — Fri, 27 Dec 2002 20:05:32 GMT

Your nat and global commands are correct. I have a PIX 501 at home w/ the same commands. The icmp command applies to traffic terminating on the PIX's interface, where the access-list and conduit command applies to traffic passing through the PIX.

http://www.cisco.com/warp/customer/110/31.html

http://www.cisco.com/warp/customer/110/pixtrace.html

Additionally, it might be necessary apply a permit icmp statement to your acl_outbound access list.

Re: 501 PIX trouble

dsingleterry — Fri, 27 Dec 2002 21:45:56 GMT

well, I can now ping out at least, I still dont have a DNS server at this location since we are supposed to be using the one on the other side of a VPN I am trying to erect between the two PIX's, but this part of my issues seems to be resolved. 🙂

thx