12-16-2006 12:04 PM - edited 03-11-2019 02:10 AM
Hello. I am trying to get the outside interface (E0) on a 515 pix to communicate to a router. I got the following ip addresses:
Router: 216.x.x.129
Pix: 216.x.x.131
Netmask of 25 bits.
I got a laptop connected to this network (via a switch), I put its default gateway to be the router interface and set up its DNS. The laptop is able to connect to the internet. Now, I disconnected the laptop and put the same IP I used on the pix interface, in the same IP network and everything, but I can't ping the router's IP address.
What am I doing wrong or what am I missing?
12-17-2006 07:59 AM
Is the link speed and duplex configured correctly between the pix and router?
Does a sh int eth0 show the link as being down on the pix?
Until you assign link speed, duplex, and an IP Address (even if it's just auto/auto) to the interfaces on the pix they will remain in an administratively down state.
I've also run into a situation where a freshly configured pix 501 (OS 6.3(4)) was working perfectly before deployment but failed to work at deployment time even though no configuration changes were made in the interim. I couldn't ping the DG from the pix.
I ended up erasing the configuration, clearing the ssh keys, and reconfiguring it before it would work in the new location.
12-17-2006 09:54 AM
Hi man, thanks for the reply. I found the problem!!! This pix was in a failover group, and for some strange reason, when disconnecting the failover link, it didn't become master. So I just went ahead and disabled failover and the pix started pinging fine.
Thanks for the help man. In fact, that's gonna help me out later when setting up the other interfaces on the pix.
01-17-2007 02:11 AM
alvarez_rafa,
I'm new to pix firewall, I have a new pix515E. Please help me with how to configure the pix so that I can ping from inside to outside interface and vice versa. Also, I can configure telnet from my PC to the pix via the inside interface, but not via the outside interface. Please help me.
Your help would be greatly appreciated.
Peter,
12-18-2006 11:47 AM
Probably your laptop has an ARP entry cached; clear the ARP on the laptop.
HTH
SK
01-17-2007 08:02 AM
Hi
If you are pinging from the Pix it should work. Try typing the IP address again, shut and no shut the interface, clear the ARP cache on the router and pix; this might do some magic, otherwise it is difficult to understand why it is not working.
If you are pinging from a laptop behind the pix, then there could be several issues.
Even though High to Low works with access-list, ICMP is an exception, so make sure you are allowing ICMP to come back. Also check your Global and Nat or Static.
HTH
SK
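The checks named in the reply above (ICMP allowed back in, plus Global and Nat), written out as a PIX 6.x configuration sketch. This is an added example and not part of any post in this thread; NAT ID 1, the ACL name acl_out, and PAT to the outside interface address are assumptions.

```cisco
: Added example, PIX 6.x syntax. Lines starting with ":" are comments.
: NAT ID 1 and the ACL name acl_out are assumed for illustration.
:
: 1) Translation for inside hosts going out: PAT to the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
:
: 2) ICMP replies are not let back in automatically, so permit them inbound.
:    Broad form, admits every ICMP type from any source:
:      access-list acl_out permit icmp any any
:    Narrower form, only the reply types that ping and traceroute need:
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any unreachable
access-group acl_out in interface outside
:
: 3) Checks after a test ping from an inside host:
:      show xlate                (a translation exists for the host)
:      show access-list acl_out  (hit count rises on the echo-reply line)
```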
01-22-2007 05:26 PM
Thank you for your help,
Yes, I can ping the inside interface (if I connect a cross cable directly to this interface), or I can also ping the outside interface (if I connect a cross cable from my PC directly to this interface), but I cannot ping the inside interface (if my PC is connecting from the outside interface, and vice versa).
This is the basic configuration:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 100basetx
interface ethernet1 100basetx
ip address outside 209.165.201.3 255.255.255.224
ip address inside 209.165.202.129 255.255.255.0
hostname pixfirewall
arp timeout 14400
no failover
names
pager lines 24
logging buffered debugging
access-list acl_out permit icmp any any
access-group acl_out in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community public
mtu outside 1500
mtu inside 1500
Please give me your ideas.
Thanks so much
Peter