Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
662
Views
0
Helpful
7
Replies

PIX Multiple Inside Config

r.lusignan
Level 1
Level 1

‎02-14-2008 10:53 AM - edited ‎03-11-2019 05:03 AM

This should be straight forward, but for some reason I'm missing something. I have a PIX with 6 interface

E0 Outside

E1 Inside

E2 DMZ

E3 Guest

The Guest interface is the guest VLAN for the company and I want to allow access to the Internet while blocking all of our internal stuff. Sample config is here:

int e0

nameif outside

ip add 1.1.1.1 255.255.255.0

security-level 0

int e1

nameif inside

ip add 10.10.10.1 255.255.255.0

security-level 100

int e2

nameif dmz

ip add 172.16.1.1 255.255.255.0

security level 50

int e3

nameif Guest

ip add 192.168.1.1 255.255.255.0

security level 90

nat (inside) 1 0 0

nat (Guest) 2 0 0

global (outside) 1 1.1.1.2

global (outside) 2 1.1.1.3

access-list Guest_out permit ip any any

access-gr Guest_out in interface guest

Based on the config above, that should be enough to have the Guest vlan traffic PAT to 1.1.1.3 and have no issue going out?

Am I missing something?

Labels:
0 Helpful
7 Replies 7

acomiskey
Level 10
Level 10

‎02-14-2008 11:04 AM

Typo maybe, capital "G" in guest.

access-group Guest_out in interface Guest

0 Helpful

acomiskey
Level 10
Level 10

‎02-14-2008 11:08 AM

Typo maybe, capital "G" in guest. Although that would not have prevented you from getting outside.

access-group Guest_out in interface Guest

0 Helpful

abinjola
Cisco Employee
Cisco Employee
In response to acomiskey

‎02-14-2008 11:14 AM

There isn't any issue with Typo...the config is absolutely good and would allow all IP traffic from Guest to go outside patting to 1.1.1.3

are you facing any issue ?

0 Helpful

acomiskey
Level 10
Level 10
In response to abinjola

‎02-14-2008 11:20 AM

Actually there is a typo. And as I said, it would not have effected his ability to go outside.

0 Helpful

r.lusignan
Level 1
Level 1
In response to abinjola

‎02-14-2008 11:21 AM

Yes I am, return traffic is not being permitted back in. I can see the xlate going through ie:

Built ICMP connection for faddr x.x.x.x/0 gaddr 1.1.1.3 laddr 192.168.1.x

That outside IP i'm pinging is a router which is running debug ip icmp. I can see the source address of the ping as the global PAT'd address on the Firewall. So the config looks good, return traffic is not getting back through. The ACL on the outside interface shouldn't be blocking the traffic as it was sourced from inside..

0 Helpful

acomiskey
Level 10
Level 10
In response to r.lusignan

‎02-14-2008 11:28 AM

That is not the case with icmp. You must allow it in your outside acl on the firewall.

This also serves as proof there was a typo, as he would have had to allow icmp as well in his Guest acl.

0 Helpful

abinjola
Cisco Employee
Cisco Employee
In response to r.lusignan

‎02-14-2008 11:29 AM

add a line permit icmp any any echo-reply on the outside access-list, if not then create one access-g on outside permitting icmp echo-reply

you are correct firewall doesn't block traffic initiated from inside, however this is ICMP, firewall treats it stateless protocol and consider the return echo reply as different connection

They fixed this issue in code 7.0 and above with "Inspect Icmp" feature

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card