Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1678
Views
0
Helpful
4
Replies

Pix 506 Simple Config?

agoodwin
Level 1
Level 1

‎10-12-2001 02:43 AM - edited ‎02-20-2020 09:52 PM

Hi, I have been having problems configuring a pix for a customers site and was wondering if anybody might be able to help. I have written down as much info below as possible but please tell me if you need any more. Any help is greatly appreciated.

cheers

Andy

inside network 192.9.200.x with 192.9.200.5 as a proxy server for all machines. This has a second nic on 10.0.0.2

Pix is configured as "inside" 10.0.0.5 and "outside" 192.19.200.1

Router is setup as 192.19.200.10 and can connect to isp ok.

Pix can "ping outside" to a dns server at isp end so I know it can get out. Pix can also ping internal ip addresses on its inside interface.

I have setup the pix like this:

interface ethernet0 10baseT

interface ethernet1 10baseT

ip address inside 10.0.0.5 255.255.255.0

ip address outside 192.19.200.1 255.255.255.0

global (outside) 192.19.200.20-192.19.200.200 netmask 255.255.255.0

nat (inside) 1 0 0 0 0

route outside 192.19.200.10

which I believe should give me access out through web?

I have tried adding "conduit permit icmp any any" to see if I can ping out but the client fails with a time out. If I use "debug icmp trace" it appears the ping goes out to the isp but nothing is coming back in ie: 10.0.0.2>192.19.200.20>158.152.1.58

but no echo reply.

The one thing I think im not sure on is the global command. Should it be set to a range on the same network as the router and pix outside interface?

The 10.0.0.2 server on the inside is really the only one that will need to access the internet as it will be a proxy server for the rest. It will be running exchange as well but I "think?" the fixup commands should already allow smtp and www out and in?

sorry for the long winded explanation.

thanks for any help.

cheers

Andy

0 Helpful
4 Replies 4

agoodwin
Level 1
Level 1

‎10-12-2001 02:51 AM

Sorry it should have read.

route outside 0 0 192.19.200.10 1

also I know about the static and conduit commands but am I right in thinking that i shouldn't need them as the pix will expect and allow back in replies?

thanks

0 Helpful

agoodwin
Level 1
Level 1
In response to agoodwin

‎10-12-2001 03:58 AM

and one last thing.

Using ping from the 10.0.0.2 machine I now eventually get "inbound icmp unreachable (code 3) 192.19.200.10 (router) > 192.19.200.20 (global ip) > 10.0.0.2 (machine that was pinging.

Don't know if that helps or not.

cheers

Andy

0 Helpful

sharka
Level 1
Level 1

‎10-13-2001 11:18 PM

Hi Andy,

0 Helpful

rrbleeker
Level 1
Level 1
In response to sharka

‎10-15-2001 02:27 PM

If you want all your proxy traffic to pass throught the PIX firewall, you need to change the way your network is configured. The proxy server should not have an interface in the external network, but be connected only on the inside network and use the PIX firewall as its default gateway. I also would be much more restrictive in who is allowed to use nat (if your internal users uses the Proxy server, they should not be allowed to pass the firewall directly).

Email me if you would like some assistance (rob.bleeker@steeves.net).

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card