Please help with PIX 501 basic configuration...

j.rock
Level 1

Please, could you help me with a basic config with access from the inside network 192.168.1.0/24 to the outside network 192.168.7.0/24? I have a problem with ICMP (ping) from inside to outside and with other services such as FTP and HTTP on the outside host 192.168.7.1. This is my config... (I'm a beginner) :o)

(192.168.1.2 is my comp)

Result of firewall command: "sh runn"

: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname firewall
domain-name firewall.cz
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside_access_in permit icmp any any
access-list outside_access_in permit icmp any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.7.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.2 255.255.255.255 inside
pdm history enable
arp timeout 14400
nat (inside) 0 192.168.1.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
rip outside default version 1
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 192.168.7.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.1.2 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:xxxx
: end

4 Replies

pcomeaux
Cisco Employee

So here are the things that I check:

1 - How are interfaces setup:

nameif ethernet0 outside security0

nameif ethernet1 inside security100

This is setup ok.

2 - What are the IP addresses on the interface:

ip address outside 192.168.7.2 255.255.255.0

ip address inside 192.168.1.1 255.255.255.0

This is setup ok.

3 - What does the routing look like:

route outside 0.0.0.0 0.0.0.0 192.168.7.1 1

This is setup ok.

4 - What does the NAT look like:

nat (inside) 0 192.168.1.0 255.255.255.0 0 0

This is setup not to translate the 192.168.1.0 hosts as they pass through the pix.

5 - What Access-Groups are applied to the interfaces:

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

This is setup ok.

6 - Since Access-Groups are applied to the interfaces, what do the Access-lists look like:

access-list inside_access_in permit icmp any any

access-list outside_access_in permit icmp any any

This is when I notice something peculiar.

In your attempt to get ICMP working, you modified the Pix's default behavior that allows all connections from the inside to go out. In the access-list inside_access_in, you've limited traffic that arrives on the inside interface to just ICMP. You need to use PDM to permit ip any any or whatever you would like to flow through the Pix from the inside to the outside.

Give this a try and let us know what happens.

thanks

peter

Peter, please, could you send me some basic config example where it allows ICMP traffic? My config still isn't working. I have 6.3(4) IOS in PIX501.

Thank you...

m.sir
Level 7

Did you try the ICMP command?

For example, in global configuration mode:

icmp permit any unreachable outside

icmp permit any echo-reply outside

bhatok
Level 1

I'm not sure about the 2 Access list commands you currently have so I'd get rid of them and the 2 access group commands. You can do this by entering the same commands except put a "no" in front of it.

no access-list inside_access_in permit icmp any any

Use this instead:

access-list 1 permit icmp any any echo-reply

access-group 1 in interface outside

This allows any replies from ping requests to come through the outside interface.
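The two points made in this thread (pcomeaux's: an access-group applied to the inside interface replaces the PIX's default allow-all-outbound behaviour and the ACL ends in an implicit deny, so an inside ACL that only permits ICMP blocks HTTP and FTP; bhatok's: the outside interface only needs to admit the echo-reply for pings to return) can be checked with a small model of access-group evaluation. The script below is an added example written for this page, not Cisco code and not anything a poster supplied. It embeds the access-list and access-group lines from the posted config as a constructed excerpt, beside an assumed corrected set (inside network permitted for any IP protocol; outside accepting only echo-reply, unreachable and time-exceeded), and evaluates the poster's flows against each. It models only the access-list stage; NAT, the return route on 192.168.7.1 and connection state are outside it.

```python
"""Model of PIX 6.x access-group evaluation, applied to the thread's config.

Added example for this page; not Cisco code and not from any poster.
"""
import ipaddress

# Constructed excerpt: only the access-list / access-group lines of the posted
# "sh run" matter for this check.
ORIGINAL_CONFIG = """
access-list inside_access_in permit icmp any any
access-list outside_access_in permit icmp any any
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
"""

# Assumed correction: inside hosts may open anything outbound; the outside
# accepts only the ICMP that answers inside-originated traffic.
CORRECTED_CONFIG = """
access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 any
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
"""


def _parse_addr(tokens, i):
    """Consume one ACE address spec (any | host A.B.C.D | A.B.C.D MASK)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return ({acl name: [rules]}, {interface: acl name}) from config lines."""
    acls, groups = {}, {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            # access-list NAME permit|deny PROTO SRC DST [icmp-type | eq PORT]
            name, action, proto = t[1], t[2], t[3]
            src, i = _parse_addr(t, 4)
            dst, i = _parse_addr(t, i)
            qual = None
            if i < len(t):
                qual = int(t[i + 1]) if t[i] == "eq" else t[i]
            acls.setdefault(name, []).append(
                {"action": action, "proto": proto, "src": src, "dst": dst, "qual": qual})
        elif t[0] == "access-group":
            # access-group NAME in interface IFACE
            groups[t[4]] = t[1]
    return acls, groups


def permitted(acls, groups, iface, proto, src, dst, qual=None):
    """Decide whether a packet arriving on iface passes the access-list stage.

    PIX 6.x semantics modelled here: with no access-group on the interface,
    traffic from the higher-security (inside) interface may go out and traffic
    arriving on the outside is refused; once an access-group is applied, that
    default is gone, the ACL is read top-down and it ends in an implicit deny.
    """
    name = groups.get(iface)
    if name is None:
        return iface == "inside"
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in acls.get(name, []):
        if r["proto"] not in ("ip", proto):
            continue
        if src_ip not in r["src"] or dst_ip not in r["dst"]:
            continue
        # An icmp-type or port on the ACE narrows the match; "ip" rules carry none.
        if r["proto"] != "ip" and r["qual"] is not None and r["qual"] != qual:
            continue
        return r["action"] == "permit"
    return False


def check_flows(config_text):
    """Evaluate the flows the original post asks about against one config."""
    acls, groups = parse_config(config_text)
    flows = {
        "ping out":   ("inside",  "icmp", "192.168.1.2", "192.168.7.1", "echo"),
        "ping reply": ("outside", "icmp", "192.168.7.1", "192.168.1.2", "echo-reply"),
        "http out":   ("inside",  "tcp",  "192.168.1.2", "192.168.7.1", 80),
        "ftp out":    ("inside",  "tcp",  "192.168.1.2", "192.168.7.1", 21),
        "ping in":    ("outside", "icmp", "192.168.7.1", "192.168.1.2", "echo"),
    }
    return {k: permitted(acls, groups, *v) for k, v in flows.items()}


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(label, check_flows(cfg))
```

Run against the original excerpt, "http out" and "ftp out" come back denied while both ping directions pass, which matches pcomeaux's reading of the inside ACL; it also shows that `permit icmp any any` on the outside admits unsolicited echo requests from outside, which the echo-reply-only rule closes. PIX 6.x does not track ICMP as a connection, so the echo-reply really has to be admitted by the outside ACL, as bhatok describes.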
