02-28-2006 11:42 AM - edited 02-21-2020 12:44 AM
I have a pix 501 10 user. I can ping from the console to any public IP Address, but not from an inside address. I am including my config in hopes that someone can tell me what I am doing wrong for my inside to outside connectivity. TIA
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside ecurity100
enable password xxxx
passwd xxxx
hostname BarberPix
domain-name barberatty.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
mtu outside 1500
mtu inside 1500
ip address outside 12.39.123.70 255.255.255.128
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 12.39.123.3 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.2-192.168.10.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
02-28-2006 12:16 PM
You need to configure an access-list to allow the icmp replys from the Internet. Note that ICMP is not a stateful protocol.
ICMP Traffic on PIX Firewall
Source:
The PIX and the traceroute Command
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml
Handling ICMP Pings with the PIX Firewall
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
Access-List example for traceroute :
#Microsoft:
access-list 101 permit icmp any interface outside unreachable
access-list 101 permit icmp any interface outside time-exceeded
access-list 101 permit icmp any interface outside echo-reply
#UNIX:
access-list 101 permit icmp any interface outside unreachable
access-list 101 permit icmp any interface outside time-exceeded
#Finaly activate the ACL on the interface:
access-group 101 in interface outside
sincerely
Patrick
02-28-2006 12:26 PM
Thanks that did the trick along with dns entries, I am good to go.
02-28-2006 12:17 PM
Do you have a dns server configured on the machines? I notice there isn't one in the config.
Steve
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide