12-27-2002 12:36 PM - edited 02-20-2020 10:27 PM
What's wrong with my config?
PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
hostname TheWall
domain-name XXXXXX.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.100.2 DC
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list frominisde permit tcp any any eq www
access-list frominisde permit tcp any any eq smtp
access-list inside permit ip any any
access-list inside permit tcp any any
access-list inside permit udp any any
access-list frominside permit tcp any any eq www
pager lines 24
logging on
logging host inside 192.168.100.14
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 68.XX.XX.XX 255.255.255.248
ip address inside 192.168.100.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location DC 255.255.255.255 inside
pdm location 192.168.100.14 255.255.255.255 inside
pdm location 192.168.100.252 255.255.255.255 inside
pdm location 192.168.200.0 255.255.255.255 inside
pdm location 192.168.100.0 255.255.255.255 inside
pdm location 68.XX.XX.XX 255.255.255.255 outside
pdm location 192.168.100.250 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 192.168.100.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 68.157.126.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.100.14 255.255.255.255 inside
http 192.168.100.0 255.255.255.0 inside
http 192.168.100.252 255.255.255.255 inside
http 192.168.200.0 255.255.255.255 inside
http 192.168.100.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
vpngroup remote idle-time 1800
telnet 192.168.100.252 255.255.255.255 inside
telnet 192.168.100.0 255.255.255.0 inside
telnet 192.168.200.0 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
TheWall(config)#
12-27-2002 03:31 PM
Remove this line and it should work:
nat (inside) 0 192.168.100.0 255.255.255.0 0 0
This line tells the PIX not to translate (nat 0) the source address of packets passing through the PIX originating from the 192.168.100.0 network. You should only use the nat 0 command in VPN configs.
Kind Regards,
Tom
01-08-2003 04:41 PM
Thanks....
I can now browse the web but cannot receive e-mail from outside.
01-08-2003 05:56 PM
To receive email, if your SMTP/POP3 server is inside, you need to create a static translation and let the SMTP traffic in (access-list) to your server.
If your POP3 server is outside, you need to let POP3 traffic out.
Ben
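The two answers above (the nat 0 overlap that breaks outbound browsing, and the static plus access-list needed for inbound SMTP) can both be checked mechanically. This is an added example, not part of the thread or a Cisco tool; the config excerpts are constructed from the posted config and 68.0.0.2 is a placeholder public address.

```python
import ipaddress
import re

# Constructed excerpt of the posted PIX 6.1 config: the nat 0 line the accepted
# answer says to remove is still present, and nothing permits SMTP inbound.
POSTED = """\
nat (inside) 0 192.168.100.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
access-list 100 permit icmp any any echo-reply
access-group 100 in interface outside
"""

# Constructed excerpt after applying both answers (68.0.0.2 is a placeholder).
FIXED = """\
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
static (inside,outside) 68.0.0.2 192.168.100.2 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host 68.0.0.2 eq smtp
access-group 100 in interface outside
"""

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any host (\S+) eq (\w+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")


def nat_rules(config):
    """Return (interface, nat_id, network) for every nat statement."""
    rules = []
    for m in filter(None, map(NAT_RE.match, config.splitlines())):
        net = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
        rules.append((m.group(1), int(m.group(2)), net))
    return rules


def identity_nat_conflicts(config):
    """nat 0 networks also covered by a translating nat id on the same interface.
    Per the accepted answer those hosts leave the PIX untranslated, so flag them."""
    rules = nat_rules(config)
    return [str(n0) for i0, id0, n0 in rules if id0 == 0
            for i1, id1, n1 in rules if id1 > 0 and i1 == i0 and n0.subnet_of(n1)]


def inbound_smtp_allowed(config):
    """True when a static (inside,outside) exposes a global address and the
    access-list bound inbound on outside permits smtp to that address."""
    lines = config.splitlines()
    exposed = {m.group(3) for m in map(STATIC_RE.match, lines)
               if m and (m.group(1), m.group(2)) == ("inside", "outside")}
    bound = {m.group(1) for m in map(GROUP_RE.match, lines) if m and m.group(2) == "outside"}
    return any(m and m.group(1) in bound and m.group(2) in exposed and m.group(3) == "smtp"
               for m in map(ACL_RE.match, lines))
```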
