Help with PIX 501 Static IP

guydestefano
Level 1

I currently have a static IP address thru Sprint. I can verify it thru any number of (whatismyip) type web pages. It hasn't changed in over three months. I had received help thru this board in setting up my PIX config to accept this static IP. I can search the Internet via DSL really great, with no problems. I do not have a separate router. I have two computers connected thru two of the four ports behind the PIX 501. Both computers share everything, again no problems. No one seems to be able to ping my static IP address from outside my computers. I can't ping it, of course, from inside. I have purchased a domain name, then thru zoneedit.com, the swap from the domain name to my static IP address; it is triple checked. I am using webweaver server, again set up correctly. Cannot enter my server from outside. It seems like my static IP address is being stopped at the PIX, yet all Internet Explorer activity gets thru. Is there anything I can try to see if, when I enter www.guydestefano.com, the DNS servers are supposed to direct it to my static IP, and can I trap it etc. to see if it actually gets here? The server is running, and never gets anything. Any help will be greatly appreciated. I have been trying for weeks now, and not getting any closer. Thanks in advance.
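Added here as an illustration, not part of the original post or of any Cisco tooling: a small Python script for exactly the checks asked about above, meant to be run from a host on the Internet side of the firewall. It compares what DNS returns for the name with the static address, probes TCP/80 on that address, and can stand in for the web server as a "trap" that records which source addresses actually reach the inside host. The hostname and address are the ones quoted in the post; the HTTP request line, the 5-second timeout and the canned one-line reply are choices made for this example.

```python
"""Outside-in checks for a statically NATed web server (added example, not from the thread).

Run from a host on the Internet side of the firewall; nothing here talks to the PIX.
"""
import socket
import threading

# Taken from the post above; substitute your own.
DOMAIN = "www.guydestefano.com"
STATIC_IP = "64.45.231.21"


def dns_points_at(name, expected_ip, resolver=socket.gethostbyname):
    """Return (matches, answer). The resolver is injectable so this runs offline in tests."""
    try:
        answer = resolver(name)
    except OSError as exc:  # socket.gaierror is an OSError
        return False, "resolution failed: %s" % exc
    return answer == expected_ip, answer


def tcp_probe(host, port, timeout=5.0, request=b"HEAD / HTTP/1.0\r\n\r\n"):
    """Connect, send one HTTP request, return the first line of the reply.

    None means refused or timed out. A silent timeout (no SYN/ACK, no RST) is what a
    PIX with no matching static + access-list looks like from outside."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            data = s.recv(1024)
    except OSError:
        return None
    return data.split(b"\r\n", 1)[0].decode("latin-1", "replace")


def trap_connections(bind_addr, port, max_conns, on_ready=None):
    """Stand in for the web server: accept max_conns connections and record
    (peer_ip, first request line) for each. Returns the list of records."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(5)
        if on_ready is not None:
            on_ready(srv.getsockname()[1])  # report the bound port (useful when port=0)
        for _ in range(max_conns):
            conn, peer = srv.accept()
            with conn:
                conn.settimeout(2.0)
                try:
                    first = conn.recv(512).split(b"\r\n", 1)[0].decode("latin-1", "replace")
                except OSError:
                    first = ""
                seen.append((peer[0], first))
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
    return seen


def start_trap(bind_addr, port, max_conns):
    """Run trap_connections in a background thread; return (thread, bound_port, results)."""
    results, bound, ready = [], {}, threading.Event()

    def on_ready(p):
        bound["port"] = p
        ready.set()

    t = threading.Thread(
        target=lambda: results.extend(trap_connections(bind_addr, port, max_conns, on_ready)),
        daemon=True)
    t.start()
    ready.wait(5)
    return t, bound.get("port"), results


if __name__ == "__main__":
    ok, answer = dns_points_at(DOMAIN, STATIC_IP)
    print("DNS %s -> %s: %s" % (DOMAIN, answer, "matches static IP" if ok else "MISMATCH"))
    reply = tcp_probe(STATIC_IP, 80)
    print("TCP/80 on %s: %s" % (STATIC_IP, reply or "no connection (filtered or no forward)"))
```

A probe that returns None without a refusal is what a PIX with no matching static and access-list looks like from outside: the SYN is dropped silently, so a browser waits and then reports that the page cannot be displayed. Running the trap on the inside host in place of the real web server separates "nothing arrives at all" (firewall or NAT) from "connections arrive but the server misbehaves". On grc.com's "FAILED" verdict for ping later in the thread: that test measures stealth only; answering echo on the outside interface is a diagnostic convenience while the forward is being set up, and the icmp permit can be removed once the web server is reachable.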

8 Replies

mostiguy
Level 6

Out of the box the pix blocks all icmp (which includes icmp echo request and reply)

icmp permit 0.0.0.0 0.0.0.0 echo-reply outside

should allow the outside interface to reply to ping requests.

mostiguy, it wouldn't accept that command. I had one that stated [ icmp permit any unreachable outside ]; this was given to me by someone on a prior board. Any other suggestions I might try? Thanks again for the reply.

Hi,

Try - icmp permit any outside

Jay

Jay, Thank you very much for the reply. I entered your instruction, and it did allow outside pings. I use www.grc.com to check it out, and it said I failed the test, as icmp pings were allowed in. I then tried to enter my domain name, and it waited a few seconds and then said page could not be displayed. Webweaver server is in and running, I use GFI Network Security program, and it stated server as running. I checked all DNS links again, and all looks ok. I will keep trying. Here is my PIX config, it may be something else. Thanks again very much.

pixfirewall> en
Password:
pixfirewall# config t
pixfirewall(config)# wr t
Building configuration...
Cryptochecksum: ***********
[OK]
pixfirewall(config)# wr t
Building configuration...
:
Saved:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd *********** encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
ip address outside 64.45.231.21 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 64.45.231.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:***************
: end
[OK]
pixfirewall(config)#

Sounds like you want to do a couple of things:

1) ICMP Traffic permitted to Ping Outside Interface

2) Allow WWW traffic to webserver on inside

access-group OUTSIDE in interface outside
access-list OUTSIDE permit icmp any any
access-list OUTSIDE permit tcp any host IP-of-WWW eq www
static (inside,outside) tcp 64.45.231.21 80 IP-of-WWW 80 netmask 255.255.255.255

Try this, then perform a "clear xlate", then try to connect to your web server. Make sure to change the above config to the right IP of your WWW server.

You may need "icmp permit any outside" to allow anyone to ping the outside interface of your 501.

Let us know how this does ....

peter

pcomeaux, thank you very much for your reply. I have made all the changes you have suggested, and have enclosed the new PIX listing. I have one question: where you state to change the IP-of-WWW, with WinXP Pro, in TCP properties, the IP address is 192.168.1.2; the other machine is 192.168.1.3. The web server will only be on 192.168.1.2.

The output from www.grc.com is:

=======================================
Your computer at IP:
64.45.231.21
Is being profiled. Please stand by. . .
Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping
(ICMP Echo) requests, making it visible on the Internet.
Most personal firewalls can be configured to block,
drop, and ignore such ping requests in order to better
hide systems from hackers.
This is highly recommended since "Ping" is among the
oldest and most common methods used to locate systems
prior to further exploitation.
=======================================

wr mem
Building configuration...
Cryptochecksum: *****************
[OK]
pixfirewall(config)# wr t
Building configuration...
:
Saved:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ********************
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list OUTSIDE permit icmp any any
access-list OUTSIDE permit tcp any host 192.168.1.2 eq www
pager lines 24
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside 64.45.231.21 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 64.45.231.21 www 192.168.1.2 www netmask 255.255.255.255 0 0
access-group OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 64.45.231.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:****************
: end
[OK]
pixfirewall(config)#

Change the IP in the following ACL:

access-list OUTSIDE permit tcp any host 192.168.1.2 eq www

from 192.168.1.2 to 64.45.231.21 and your web page should load from remote sites.

Give this a try and let us know.

Also, looks like ICMP is working as I can ping the outside of your firewall.

thanks

peter

pcomeaux, again, thank you very much for your help, and for staying with me on this problem. Sorry for the late response, as I just got home. Below are the few lines from the updated instructions I just entered. I just remembered, I did not do a clear xlate after I did the changes; is that required? I think I will leave all the instructions that you gave me. As long as you can ping my computer, I think I am going to try another server. I feel that the PIX is great now, so my problem may be with webweaver server. Again, thank you very much for all of your help.

Guy

=============================================
names
access-list OUTSIDE permit icmp any any
access-list OUTSIDE permit tcp any host 64.45.231.21 eq www
pager lines 24
icmp permit any outside
==============================================
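An added example, not code from the thread or from Cisco: a small Python checker for the mistake this thread turned on. On PIX 6.x (and ASA before 8.3) an access-list applied inbound on the outside interface is evaluated against the packet before NAT, so the permit must name the static's global address (64.45.231.21 here), not the server's inside address (192.168.1.2). The entry in the earlier config therefore never matched, the SYN was dropped without a reset, and the browser waited and then gave up. A static by itself does not permit inbound traffic from a lower-security interface on PIX, so the checker also reports a static with no permit covering it. The two config fragments inside are constructed from the lines posted above; the checks on the `http` mask and on the SNMP community string are heuristics added for this example, not rules from the thread.

```python
"""Lint a PIX 6.x running-config for the port-forward mistake seen in this thread.

Added example, not Cisco code. It understands only the handful of line types it
needs (static, access-list, access-group, http, snmp-server community).
"""
import re

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)"
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) permit (?P<proto>\S+) (?P<src>any|host \S+) "
    r"(?P<dst>any|host \S+)(?: eq (?P<port>\S+))?"
)
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\w+)")
HTTP_RE = re.compile(r"^http (?P<ip>[\d.]+) (?P<mask>[\d.]+) (?P<iface>\w+)")
SNMP_RE = re.compile(r"^snmp-server community (?P<community>\S+)")

# PIX accepts service names or numbers; compare them on one footing.
PORT_NAMES = {"www": "80", "http": "80", "https": "443", "ftp": "21", "smtp": "25", "ssh": "22"}


def norm_port(p):
    return PORT_NAMES.get(p, p)


def lint(config_text):
    """Return a list of (code, message) findings for the given config text."""
    statics, acls, groups, findings = [], [], {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            statics.append(m.groupdict())
            continue
        m = ACL_RE.match(line)
        if m:
            acls.append(m.groupdict())
            continue
        m = GROUP_RE.match(line)
        if m:
            groups[m.group("name")] = m.group("iface")
            continue
        m = HTTP_RE.match(line)
        if m and m.group("mask") == "255.255.255.255" and m.group("ip").endswith(".0"):
            # Heuristic: a host mask on a .0 address almost always meant a /24.
            findings.append(("HTTP_MASK", "%s: host mask permits only %s itself; "
                             "255.255.255.0 was probably intended" % (line, m.group("ip"))))
            continue
        m = SNMP_RE.match(line)
        if m and m.group("community") in ("public", "private"):
            findings.append(("SNMP_DEFAULT", "%s: default community string" % line))

    for st in statics:
        # Only entries of the ACL bound inbound on the interface holding the mapped address.
        entries = [a for a in acls
                   if groups.get(a["name"]) == st["mapped_if"] and a["proto"] in (st["proto"], "ip")]
        covered = False
        for a in entries:
            dst = a["dst"].split()[-1]  # "any" or the host address
            port_ok = a["port"] is None or norm_port(a["port"]) == norm_port(st["mapped_port"])
            if not port_ok:
                continue
            if dst == st["real_ip"]:
                findings.append(("ACL_INSIDE_ADDR",
                                 "access-list %s permits to %s (inside address); the outside ACL "
                                 "is checked before translation, so name the global address %s"
                                 % (a["name"], st["real_ip"], st["mapped_ip"])))
            elif dst in ("any", st["mapped_ip"]):
                covered = True
        if not covered:
            findings.append(("STATIC_NO_ACL", "static %s:%s -> %s:%s has no permit on %s"
                             % (st["mapped_ip"], st["mapped_port"], st["real_ip"],
                                st["real_port"], st["mapped_if"])))
    return findings


# Constructed fragments mirroring the two configs posted in the thread.
BROKEN_CONFIG = """
access-list OUTSIDE permit icmp any any
access-list OUTSIDE permit tcp any host 192.168.1.2 eq www
static (inside,outside) tcp 64.45.231.21 www 192.168.1.2 www netmask 255.255.255.255 0 0
access-group OUTSIDE in interface outside
http 192.168.1.0 255.255.255.255 inside
snmp-server community public
"""
FIXED_CONFIG = BROKEN_CONFIG.replace("host 192.168.1.2", "host 64.45.231.21")

if __name__ == "__main__":
    for label, cfg in (("as first posted", BROKEN_CONFIG), ("after the fix", FIXED_CONFIG)):
        print(label)
        for code, msg in lint(cfg) or [("OK", "no findings")]:
            print("  [%s] %s" % (code, msg))
```

Two things the checker flags remain in both configs posted above and are worth fixing while the console is open: `http 192.168.1.0 255.255.255.255 inside` pairs a host mask with the network address, so PDM is reachable from no real host on the LAN (255.255.255.0 was presumably meant), and `snmp-server community public` is the default string. Paste a saved `wr t` into `lint()` to run it against a real config.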
