10-20-2003 02:45 PM - edited 02-20-2020 11:03 PM
We currently have a Cisco PIX that connects to our local network and then out to a T1 connection. We added a load-balancing device that sits between the T1 link and the PIX. I changed the PIX's outside IP address and outside interface default route to fit the configuration change. From the PIX I can ping out to the Internet. From behind the PIX I cannot ping out to the Internet. I cannot even ping the external PIX interface from a workstation that is behind the PIX (behind the PIX = a workstation on the PIX's LAN). Is there a configuration issue? Is there something that the PIX does by default that I am not aware of?
Bill E.
10-20-2003 03:17 PM
The PIX by default will not allow ICMP to come back through the outside interface.
If it's absolutely important for you to ping to a host on the outside interface of the PIX, you'd have to write an ACL, or a conduit.
HTH
~Jason
10-20-2003 03:36 PM
Bill,
For the first part of your message, we really do not have enough info to help in pinpointing the issue. Perhaps we can start with your config (please remove all passwords and IPs). As for part 2, it is expected that you would not be able to ping the PIX outside interface from a host on the inside network. Packets must come in an interface and leave an interface in order to be passed by the PIX. The PIX will not route back onto itself. Hope this helps.
Scott
10-20-2003 04:48 PM
Scott,
Thanks for your post. Below is my config:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit tcp any host X.X.X.67 eq smtp
access-list 101 permit tcp any host X.X.X.67 eq pop3
access-list 101 permit tcp any host X.X.X.67 eq www
access-list 101 permit tcp any host X.X.X.67 eq 3389
access-list 101 permit tcp any host X.X.X.67 eq ftp
access-list 101 permit tcp any host X.X.X.70 eq 1494
access-list 101 permit tcp any host X.X.X.71 eq 1494
access-list 101 permit tcp any host X.X.X.70 eq 1433
access-list 101 permit tcp any host X.X.X.71 eq 1433
access-list 101 permit tcp any host X.X.X.70 eq 3389
access-list 101 permit tcp any host X.X.X.71 eq 3389
access-list 101 permit tcp any host X.X.X.69 eq www
access-list 101 permit tcp any host X.X.X.67 eq 5661
access-list 101 permit tcp any host X.X.X.67 eq 5662
access-list 101 permit udp any host X.X.X.67 eq 5661
access-list 101 permit udp any host X.X.X.67 eq 5662
access-list 101 permit tcp any host X.X.X.67 eq 5671
access-list 101 permit tcp any host X.X.X.67 eq 5672
access-list 101 permit udp any host X.X.X.67 eq 5671
access-list 101 permit udp any host X.X.X.67 eq 5672
access-list 101 permit tcp any host X.X.X.72 eq www
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 192.168.2.2 255.255.255.0
ip address inside 10.10.5.1 255.255.0.0
ip address DMZ 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address DMZ 0.0.0.0
pdm history enable
arp timeout 14400
alias (inside) 10.10.1.26 X.X.X.70 255.255.255.255
alias (inside) 10.10.1.27 X.X.X.71 255.255.255.255
alias (inside) 10.10.1.19 X.X.X.69 255.255.255.255
alias (inside) 10.10.1.30 X.X.X.72 255.255.255.255
alias (DMZ) 192.168.1.67 X.X.X.67 255.255.255.255
static (DMZ,outside) X.X.X.67 192.168.1.67 netmask 255.255.255.255 0 0
static (inside,outside) X.X.X.70 10.10.1.26 netmask 255.255.255.255 0 0
static (inside,outside) X.X.X.71 10.10.1.27 netmask 255.255.255.255 0 0
static (inside,outside) X.X.X.69 10.10.1.19 netmask 255.255.255.255 0 0
static (inside,outside) X.X.X.72 10.10.1.30 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
It is probably worth mentioning that I have proxy ARP disabled. Also, our load-balancing device does NAT and so does the PIX. It is very odd because it seems that traffic does not pass from the PIX's internal network to the external. Also, DMZ traffic will not pass to the outbound interface.
Bill E.
10-20-2003 05:31 PM
Hi,
A couple of things worth mentioning here.
1- the access-list 101 should have an entry for the echo replies
access-list 101 permit icmp any any echo-reply
2- You have a few statics defined on the PIX, which are probably translating to public addresses, hence only these IPs will be allowed to go to the Internet, provided you have routes configured for these IPs on your load balancer.
3- All other devices besides the ones in the statics will not be able to go to the Internet unless you configure NAT for them.
Thanks
Nadeem Khawaja
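To make the two fixes above concrete, here is an added example of the PIX 6.1-style commands that would be appended to the posted config. This is not configuration from the thread or from Cisco; it assumes the interface names (outside, inside, DMZ) and access-list number 101 from the config above, and that the load balancer in front of the PIX will translate and route anything leaving 192.168.2.2 (the private outside address) to the Internet.

```cisco
! Added example (not from the original thread). Assumes PIX 6.1 syntax and the
! interface names and ACL 101 used in the config posted above.

! 1- Let ICMP replies back in through the outside interface. On this PIX release
!    ICMP is not tracked statefully, so these lines admit replies from any source;
!    unreachable and time-exceeded are included so PMTU discovery and traceroute work.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded

! 2- Give every inside and DMZ host without a static translation a way out:
!    NAT group 1 on both lower-security interfaces, PAT'd to the outside interface
!    address (192.168.2.2). Hosts that already have a static keep their static.
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! 3- Flush old translation slots so the new nat/global pair takes effect, then
!    verify: a ping from an inside host should create an xlate and a conn entry.
clear xlate
show xlate
show conn
```

Two checks worth doing after applying this: confirm with show xlate that an inside host's ping creates a PAT entry to 192.168.2.2, and confirm on the load balancer that it both routes the public X.X.X.67-72 addresses back toward 192.168.2.2 and translates the PAT'd 192.168.2.2 traffic outbound, since the PIX's outside address is private. Pinging the PIX's own outside interface from an inside host is still expected to fail, as Scott noted, because the PIX does not route traffic back onto itself.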
10-20-2003 06:35 PM
Nadeem,
That is true regarding the access list, I forgot about that. Also the information regarding the static entries is of note. I have been looking at this too long and in the wrong places I think. I will try these and post when I see what results. Thanks!