https://community.cisco.com/t5/network-security/pix-multiple-inside-config/m-p/852525#M954985 <HTML><HEAD></HEAD><BODY><P>Typo maybe, capital "G" in guest.</P><P></P><P>access-group Guest_out in interface Guest </P><P></P></BODY></HTML> Thu, 14 Feb 2008 19:04:58 GMT acomiskey 2008-02-14T19:04:58Z https://community.cisco.com/t5/network-security/pix-multiple-inside-config/m-p/852524#M954983 <P>This should be straight forward, but for some reason I'm missing something. I have a PIX with 6 interface</P><P></P><P>E0 Outside</P><P>E1 Inside</P><P>E2 DMZ</P><P>E3 Guest</P><P></P><P>The Guest interface is the guest VLAN for the company and I want to allow access to the Internet while blocking all of our internal stuff. Sample config is here:</P><P></P><P>int e0</P><P>nameif outside</P><P>ip add 1.1.1.1 255.255.255.0</P><P>security-level 0</P><P></P><P>int e1</P><P>nameif inside</P><P>ip add 10.10.10.1 255.255.255.0</P><P>security-level 100</P><P></P><P>int e2</P><P>nameif dmz</P><P>ip add 172.16.1.1 255.255.255.0</P><P>security level 50</P><P></P><P>int e3</P><P>nameif Guest</P><P>ip add 192.168.1.1 255.255.255.0</P><P>security level 90</P><P></P><P>nat (inside) 1 0 0</P><P>nat (Guest) 2 0 0</P><P>global (outside) 1 1.1.1.2</P><P>global (outside) 2 1.1.1.3</P><P></P><P>access-list Guest_out permit ip any any</P><P>access-gr Guest_out in interface guest</P><P></P><P>Based on the config above, that should be enough to have the Guest vlan traffic PAT to 1.1.1.3 and have no issue going out?</P><P></P><P>Am I missing something?</P> Mon, 11 Mar 2019 12:03:09 GMT https://community.cisco.com/t5/network-security/pix-multiple-inside-config/m-p/852524#M954983 r.lusignan 2019-03-11T12:03:09Z https://community.cisco.com/t5/network-security/pix-multiple-inside-config/m-p/852525#M954985 <HTML><HEAD></HEAD><BODY><P>Typo maybe, capital "G" in guest.</P><P></P><P>access-group Guest_out in interface Guest </P><P></P></BODY></HTML> Thu, 14 Feb 2008 19:04:58 GMT https://community.cisco.com/t5/network-security/pix-multiple-inside-config/m-p/852525#M954985 acomiskey 2008-02-14T19:04:58Z https://community.cisco.com/t5/network-security/pix-multiple-inside-config/m-p/852526#M954988 <HTML><HEAD></HEAD><BODY><P>Typo maybe, capital "G" in guest. Although that would not have prevented you from getting outside.</P><P></P><P>access-group Guest_out in interface Guest </P><P></P></BODY></HTML> Thu, 14 Feb 2008 19:08:55 GMT https://community.cisco.com/t5/network-security/pix-multiple-inside-config/m-p/852526#M954988 acomiskey 2008-02-14T19:08:55Z https://community.cisco.com/t5/network-security/pix-multiple-inside-config/m-p/852527#M954990 <HTML><HEAD></HEAD><BODY><P>There isn't any issue with Typo...the config is absolutely good and would allow all IP traffic from Guest to go outside patting to 1.1.1.3</P><P></P><P>are you facing any issue ?</P></BODY></HTML> Thu, 14 Feb 2008 19:14:42 GMT https://community.cisco.com/t5/network-security/pix-multiple-inside-config/m-p/852527#M954990 abinjola 2008-02-14T19:14:42Z https://community.cisco.com/t5/network-security/pix-multiple-inside-config/m-p/852528#M954994 <HTML><HEAD></HEAD><BODY><P>Actually there is a typo. And as I said, it would not have effected his ability to go outside.</P></BODY></HTML> Thu, 14 Feb 2008 19:20:41 GMT https://community.cisco.com/t5/network-security/pix-multiple-inside-config/m-p/852528#M954994 acomiskey 2008-02-14T19:20:41Z https://community.cisco.com/t5/network-security/pix-multiple-inside-config/m-p/852529#M954996 <HTML><HEAD></HEAD><BODY><P>Yes I am, return traffic is not being permitted back in. I can see the xlate going through ie:</P><P></P><P>Built ICMP connection for faddr x.x.x.x/0 gaddr 1.1.1.3 laddr 192.168.1.x</P><P></P><P>That outside IP i'm pinging is a router which is running debug ip icmp. I can see the source address of the ping as the global PAT'd address on the Firewall. So the config looks good, return traffic is not getting back through. The ACL on the outside interface shouldn't be blocking the traffic as it was sourced from inside..</P></BODY></HTML> Thu, 14 Feb 2008 19:21:33 GMT https://community.cisco.com/t5/network-security/pix-multiple-inside-config/m-p/852529#M954996 r.lusignan 2008-02-14T19:21:33Z https://community.cisco.com/t5/network-security/pix-multiple-inside-config/m-p/852530#M954998 <HTML><HEAD></HEAD><BODY><P>That is not the case with icmp. You must allow it in your outside acl on the firewall.</P><P></P><P>This also serves as proof there was a typo, as he would have had to allow icmp as well in his Guest acl.</P></BODY></HTML> Thu, 14 Feb 2008 19:28:24 GMT https://community.cisco.com/t5/network-security/pix-multiple-inside-config/m-p/852530#M954998 acomiskey 2008-02-14T19:28:24Z https://community.cisco.com/t5/network-security/pix-multiple-inside-config/m-p/852531#M954999 <HTML><HEAD></HEAD><BODY><P>add a line permit icmp any any echo-reply on the outside access-list, if not then create one access-g on outside permitting icmp echo-reply</P><P></P><P>you are correct firewall doesn't block traffic initiated from inside, however this is ICMP, firewall treats it stateless protocol and consider the return echo reply as different connection</P><P></P><P>They fixed this issue in code 7.0 and above with "Inspect Icmp" feature</P></BODY></HTML> Thu, 14 Feb 2008 19:29:52 GMT https://community.cisco.com/t5/network-security/pix-multiple-inside-config/m-p/852531#M954999 abinjola 2008-02-14T19:29:52Z