Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
380
Views
0
Helpful
3
Replies

Pix 515E Outbound Configuration

raju
Level 1
Level 1

‎11-29-2003 06:33 AM - edited ‎02-20-2020 11:07 PM

Hello,

I'm trying to setup a PIX 515E in the lab for learning .I've configured ether0 with IP address 212.100.211.1/24 and ether1 with 192.168.10.1 /24 . Ether0 Interface of Pix is connected with a PC having IP address of 212.100.211.2 /24 using cross over cable and Ether1 Interface is connected with another PC , having IP address 192.168.10.2 /24 using Cross cable. I'm trying to initiate a outbound connection from 192.168.10.2 to the PC of 212.100.211.2 ,but it does not work. I've created NAT & Global , no use. From this PC , I can't able to ping "outside "Interface address of PIX .From PIX , I can able to ping both the PC's connected to outside & Inside Interfaces.

Thanks.

Raju

0 Helpful
3 Replies 3

l.mourits
Level 5
Level 5

‎11-29-2003 01:19 PM

Hi Raju,

If you use ping for test, you have to setup an accesslist on the outside interface which permits the returning ICMP-packets.

Remember there is no need to setup an access-list for responsepackets on outbound tcp and udp sessions. Reason for this difference is that PIX´s ASA (the statefull inspection mechanism) does not handle ICMP, but does handle other traffic.

So, when you setup your PIX like you described, ICMP won´t work, but other traffic will. Try to telnet or http to the outside and you will see that it works.

Hope this helps,

Leo

0 Helpful

rgrcommo
Level 1
Level 1

‎11-29-2003 03:04 PM

cut-in-paste below in your pix then it will work.

-----------------

!

access-list permit_out_in permit icmp host 212.100.211.2 host 212.100.211.50

access-group permit_out_in in interface outside

!

static (i,o) 212.100.211.1 192.168.10.1

static (i,o) 212.100.211.50 192.168.10.2

!

route out 0 0 212.100.211.1

!

glo (out) 1 212.100.211.40-212.100.211.60

glo (out) 1 212.100.211.35 interface outside

nat (in) 1 0 0

logging on

logging con 7

!

---------------------------------

Make sure you hosts PC have their gateways set correctly. PC1 should have a gateway of the outside interface of the pix. PC2 should have a gateway of the inside PIX.

From the PIX do this:

pix(config)# clear xlate

pix# ping out 212.100.211.2

you should be getting a reply. Then:

pix# ping in 192.168.10.2

you should be getting a reply.

Ping the inside interface of the pix from PC2.

you should be getting a reply.

Now goto PC1 on the outside interface and in dos ping 212.100.211.50

you should get a reply.

This is one way of doing it. You may need to use another way for your final config depending on how many global addrs you have.

If for some reason you can not ping use debug icmp trace to see where the packet is going.

pix(config)# debug icmp trace

Jeff

0 Helpful

raju
Level 1
Level 1
In response to rgrcommo

‎11-30-2003 09:17 PM

Thanks Jeff . It works .

Regards.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card