routing through PIX / ASA on GNS3

malithperera1
Level 1

Hi All,

I have the following simple config setup.

ROUTER1---OUTSIDE-----(172.16.1.1/24) PIX (192.168.1.1/24)----INSIDE---------ROUTER2

I can ping both router-connected interfaces from the PIX as well as the outside interfaces of the routers. But I cannot ping the outside router interface from the inside router. I've pasted the configs from the devices. I'm trying to figure out if this is a config issue or a problem with GNS3.

Thank you very much in advance.


PIX config
----------------

pixfirewall(config)# sh run
: Saved
:
PIX Version 7.2(4)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
nameif OUTSIDE
security-level 0
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet1
nameif INSIDE
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list 101 extended permit ip any host 172.16.1.3
access-list 101 extended permit icmp any host 172.16.1.3
pager lines 24
mtu OUTSIDE 1500
mtu INSIDE 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OUTSIDE
icmp permit any INSIDE
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 1 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE) 172.16.1.3 10.1.1.1 netmask 255.255.255.255
access-group 101 in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 172.16.1.2 1
route INSIDE 10.1.1.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
pixfirewall(config)#


ROUTER 1 CONFIG
--------------------

Router1#sh run
Building configuration...

Current configuration : 740 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
multilink bundle-name authenticated
!
!
archive
log config
hidekeys
!
!
!
interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.2.2.1 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
ip route 10.1.1.0 255.255.255.0 172.16.1.1
!
!
ip http server
no ip http secure-server
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

ROUTER 2 CONFIG
-------------------
Router#sh run
Building configuration...

Current configuration : 758 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
multilink bundle-name authenticated
!
!
archive
log config
hidekeys
!
!
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 1 4
password cisco
login
line vty 5 15
password cisco
login
!
!
end

3 Replies

Your icmp traffic is not allowed to return.

Please add the following:

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect icmp
service-policy global_policy global
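To make the reply's point checkable against a running-config rather than by trial and error, here is an added example (not from the thread, not Cisco code): a small Python audit script that parses a PIX/ASA 7.x style configuration for a globally applied policy-map that inspects icmp, checks whether the ACL bound inbound on OUTSIDE explicitly permits ICMP to a given mapped address, and reports what the firewall does with an echo-reply. The embedded config is an excerpt of the one posted above; PIX_CONFIG, ICMP_INSPECTION_POLICY and the function names are the example's own.

```python
import re
from typing import Dict, Set

# Constructed excerpt of the PIX 7.2(4) running-config posted in the question;
# only the lines relevant to the check are reproduced. The posted
# 'icmp permit any OUTSIDE' lines are omitted because they govern ICMP *to*
# the firewall's own interfaces, not ICMP passing through it.
PIX_CONFIG = """\
access-list 101 extended permit ip any host 172.16.1.3
access-list 101 extended permit icmp any host 172.16.1.3
global (OUTSIDE) 1 interface
nat (INSIDE) 1 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE) 172.16.1.3 10.1.1.1 netmask 255.255.255.255
access-group 101 in interface OUTSIDE
"""

# The policy-map lines the reply asks the poster to add (abridged to the
# engines that matter for the ping test).
ICMP_INSPECTION_POLICY = """\
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect icmp
service-policy global_policy global
"""


def parse_policy_maps(config: str) -> Dict[str, Dict[str, Set[str]]]:
    """Map policy-map name -> class name -> set of inspected protocols.

    Indentation is ignored on purpose (forum posts and some captures strip it).
    'policy-map type inspect ...' blocks are Layer 7 parameter maps, not
    service policies, and are skipped.
    """
    policies: Dict[str, Dict[str, Set[str]]] = {}
    pm = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("policy-map type "):
            pm = cls = None
        elif line.startswith("policy-map "):
            pm, cls = line.split()[1], None
            policies.setdefault(pm, {})
        elif pm and line.startswith("class "):
            cls = line.split()[1]
            policies[pm].setdefault(cls, set())
        elif pm and cls and line.startswith("inspect "):
            policies[pm][cls].add(line.split()[1])
        elif not line.startswith(("match ", "parameters", "message-length ")):
            pm = cls = None  # any other top-level command ends the block
    return policies


def global_policy_maps(config: str) -> Set[str]:
    """Names of policy-maps applied with 'service-policy <name> global'."""
    return set(re.findall(r"^\s*service-policy (\S+) global\s*$", config, re.M))


def icmp_inspection_enabled(config: str) -> bool:
    """True when a globally applied policy-map inspects icmp in some class."""
    policies = parse_policy_maps(config)
    return any("icmp" in protos
               for pm in global_policy_maps(config)
               for protos in policies.get(pm, {}).values())


def inbound_acl_permits_icmp(config: str, interface: str, dest: str) -> bool:
    """Does the ACL bound inbound on `interface` permit icmp (or ip) to `dest`?

    Only the 'permit ip|icmp any any|host X' form used in the posted config is
    modelled. On pre-8.3 code an inbound ACL on OUTSIDE matches the mapped
    (global/PAT) address, so `dest` is the translated address.
    """
    m = re.search(rf"^\s*access-group (\S+) in interface {re.escape(interface)}\s*$",
                  config, re.M)
    if not m:
        return False  # no ACL bound: low-to-high security traffic is denied by default
    acl = re.escape(m.group(1))
    targets = re.findall(
        rf"^\s*access-list {acl} extended permit (?:ip|icmp) any (any|host \S+)\s*$",
        config, re.M)
    return any(t in ("any", f"host {dest}") for t in targets)


def diagnose_echo_reply(config: str, reply_dest: str) -> str:
    """What the PIX does with an ICMP echo-reply arriving on OUTSIDE for reply_dest."""
    if icmp_inspection_enabled(config):
        return "allowed: icmp inspection matches the reply to the outbound echo's connection"
    if inbound_acl_permits_icmp(config, "OUTSIDE", reply_dest):
        return "allowed: no icmp inspection, but the OUTSIDE ACL explicitly permits it"
    return f"dropped: no icmp inspection and the OUTSIDE ACL does not permit icmp to {reply_dest}"


if __name__ == "__main__":
    # Router2 pinging from 192.168.1.2 is PAT'd to the OUTSIDE interface address 172.16.1.1.
    for label, cfg in (("as posted", PIX_CONFIG),
                       ("with inspect icmp", PIX_CONFIG + ICMP_INSPECTION_POLICY)):
        print(f"{label:18s} reply to 172.16.1.1 -> {diagnose_echo_reply(cfg, '172.16.1.1')}")
        print(f"{label:18s} reply to 172.16.1.3 -> {diagnose_echo_reply(cfg, '172.16.1.3')}")
```

Run against the posted config, the script shows why the symptom is exactly what the question describes: a ping from Router2 leaves the PIX with the OUTSIDE interface address 172.16.1.1 as its source, and ACL 101 only permits ICMP to the static 172.16.1.3, so the echo-reply to 172.16.1.1 is dropped. Once `inspect icmp` is in a globally applied policy-map, the reply is matched to the connection entry the outbound echo created and the interface ACL is not consulted for it.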

Thank you very much for the answer.

You are welcome. If possible, please mark the question as answered.
