https://community.cisco.com/t5/network-security/pix-515e/m-p/1236920#M875436 <HTML><HEAD></HEAD><BODY><P>Thanks for the advice.</P><P></P><P>I found a routing issue as well. Things were getting out and not able to come back.</P><P></P><P>It's up and working now.</P><P></P><P>Thanks again, Dave</P></BODY></HTML> Tue, 03 Mar 2009 23:09:36 GMT dklewe 2009-03-03T23:09:36Z https://community.cisco.com/t5/network-security/pix-515e/m-p/1236918#M875432 <P>I'm having some troubles setting up a new firewall. (I'm new to firewalls)I've got the unit up with configured IP addresses on inside and outside. Downloaded and installed ASDM software. I can't seem to get it to pass traffic. </P><P>The unit is being used to secure one network from the rest of our company network. </P><P>Inside interface is 10.50.241.1/24 </P><P>The PIX will be the gateway on this network. </P><P>Outside interface is 10.48.16.2/20 </P><P>Gateway on the outside network is a Cisco 6500 MSFC 10.48.16.10 which connects to the rest of the company. </P><P></P><P>Thanks, Dave </P><P></P><P>I have included a show run: </P><P></P><P>PIX Version 7.2(2) </P><P>!</P><P>hostname pixfirewall</P><P>domain-name default.domain.invalid</P><P>enable password 8Ry2YjIyt7RRXU24 encrypted</P><P>names</P><P>name 10.48.0.0 GAC</P><P>name 10.48.16.0 Plant</P><P>dns-guard</P><P>!</P><P>interface Ethernet0</P><P>nameif outside</P><P>security-level 0</P><P>ip address 10.48.16.2 255.255.240.0 </P><P>!</P><P>interface Ethernet1</P><P>nameif inside</P><P>security-level 100</P><P>ip address 10.50.241.1 255.255.255.0 </P><P>!</P><P>interface Ethernet2</P><P>shutdown</P><P>nameif intf2</P><P>security-level 4</P><P>no ip address</P><P>!</P><P>passwd 0aywtm/YUv1U3jNB encrypted</P><P>ftp mode passive</P><P>dns server-group DefaultDNS</P><P>domain-name default.domain.invalid</P><P>same-security-traffic permit intra-interface</P><P>object-group protocol TCPUDP</P><P>protocol-object udp</P><P>protocol-object tcp</P><P>access-list ping_acl extended permit icmp Plant 255.255.240.0 any </P><P>access-list outside_access_in extended permit icmp Plant 255.255.240.0 10.50.241.0 255.255.255.0 </P><P>access-list outside_access_in extended permit icmp GAC 255.255.240.0 10.50.241.0 255.255.255.0 </P><P>pager lines 24</P><P>logging asdm informational</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P>mtu intf2 1500</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>icmp permit any outside</P><P>icmp permit any inside</P><P>asdm image flash:/asdm-524.bin</P><P>asdm history enable</P><P>arp timeout 14400</P><P>global (outside) 1 interface</P><P>nat (inside) 0 10.50.241.0 255.255.255.0</P><P>access-group ping_acl in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 10.48.16.10 1</P><P>!</P><P>router rip</P><P>network 10.0.0.0</P><P>version 2</P><P>!</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout uauth 0:05:00 absolute</P><P>aaa-server TACACS+ protocol tacacs+</P><P>aaa-server RADIUS protocol radius</P><P>http server enable</P><P>http 10.50.241.0 255.255.255.0 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server community public</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>no sysopt connection permit-vpn</P><P>telnet Plant 255.255.240.0 outside</P><P>telnet GAC 255.255.240.0 outside</P><P>telnet 10.50.241.0 255.255.255.0 inside</P><P>telnet timeout 5</P><P>ssh timeout 5</P><P>ssh version 1</P><P>console timeout 0</P><P>dhcpd dns 10.50.1.46 171.74.105.58</P><P>dhcpd wins 171.74.162.21 171.74.105.58</P><P>dhcpd ping_timeout 750</P><P>dhcpd auto_config outside</P><P>!</P><P>dhcpd address 10.50.241.101-10.50.241.199 inside</P><P>dhcpd enable inside</P><P>!</P><P>!</P><P>class-map inspection_default</P><P>match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns migrated_dns_map_1</P><P>parameters</P><P>message-length maximum 512</P><P>policy-map global_policy</P><P>class inspection_default</P><P>inspect dns migrated_dns_map_1 </P><P>inspect ftp </P><P>inspect h323 h225 </P><P>inspect h323 ras </P><P>inspect http </P><P>inspect netbios </P><P>inspect rsh </P><P>inspect rtsp </P><P>inspect skinny </P><P>inspect esmtp </P><P>inspect sqlnet </P><P>inspect sunrpc </P><P>inspect tftp </P><P>inspect sip </P><P>inspect xdmcp </P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context </P><P>Cryptochecksum:d8ad1ad3a52aec150a71ccd959a2681a</P><P>: end</P><P>asdm image flash:/asdm-524.bin</P><P>asdm location GAC 255.255.240.0 inside</P><P>asdm history enable </P> Mon, 11 Mar 2019 15:00:04 GMT https://community.cisco.com/t5/network-security/pix-515e/m-p/1236918#M875432 dklewe 2019-03-11T15:00:04Z https://community.cisco.com/t5/network-security/pix-515e/m-p/1236919#M875433 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Try changing your PAT:</P><P></P><P>Enter these commands:</P><P></P><P>no global (outside) 1 interface </P><P>no nat (inside) 0 10.50.241.0 255.255.255.0 </P><P></P><P>nat (inside) 1 10.50.241.0 255.255.255.0</P><P>global (outside) 1 interface</P><P>clear xlate</P><P></P><P>About acls: access-list outside_access_in extended permit icmp Plant 255.255.240.0 10.50.241.0 255.255.255.0 </P><P>access-list outside_access_in extended permit icmp GAC 255.255.240.0 10.50.241.0 255.255.255.0 </P><P></P><P>You are trying to ping your hosts in the inside from Plant and GAC (located in the outside), you will not be able to do this since you are USING PAT, hence hiding your inside network, so whenever you try to ping any host in 10.50.241.0 you will not reach it from the outside.</P><P></P><P>Try entering</P><P>access-list outside_access_in extended permit icmp any any</P><P></P><P>so you can test pinging from any host in the inside to anything in the outside, but you won't be able to ping from the outside to the inside</P><P></P><P>And one last observation:</P><P>telnet Plant 255.255.240.0 outside </P><P>telnet GAC 255.255.240.0 outside </P><P></P><P>You will not be able to telnet to the outside interface unless you use IPSec, this is because telnet will send everything in clear text, and doing this in the outside interface will be insane!!</P><P></P></BODY></HTML> Tue, 03 Mar 2009 17:39:26 GMT https://community.cisco.com/t5/network-security/pix-515e/m-p/1236919#M875433 isagonza 2009-03-03T17:39:26Z https://community.cisco.com/t5/network-security/pix-515e/m-p/1236920#M875436 <HTML><HEAD></HEAD><BODY><P>Thanks for the advice.</P><P></P><P>I found a routing issue as well. Things were getting out and not able to come back.</P><P></P><P>It's up and working now.</P><P></P><P>Thanks again, Dave</P></BODY></HTML> Tue, 03 Mar 2009 23:09:36 GMT https://community.cisco.com/t5/network-security/pix-515e/m-p/1236920#M875436 dklewe 2009-03-03T23:09:36Z