Re: Routing with PIX 506

gwion.evans · ‎03-11-2002

I have a pix with and address of 192.168.2.250 and have just installed a Cisco 760 to route to a WAN address 192.168.0.0. I can ping everything on the other side of the WAN link from the 760 and the pix but not from any pcs. I have the following on the pix:

route inside 192.168.0.0 255.255.255.0 192.168.2.251 1

Any ideas

tmellen · ‎03-12-2002

Do you have the NAT statements on the Pix? Have you created an ACL, or Conduit to permit icmp traffic? Are you trying to ping outside, or to a dmz interface, or from the outside to the inside?

gwion.evans · ‎03-19-2002

yes as follows:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-list acl_out permit icmp any any

I'm trying to ping from the inside to a WAN link on the inside. I can ping both Pix and Router but cannot see anything on the other side of the router

0r-lau · ‎03-20-2002

I think the "route inside" should be "route outside" instead.

If you want to allow icmp (ping)replies through the 506, you should use

access-list acl_in permit icmp any any echo-reply

access-list acl_in permit icmp any any time-exceeded

and apply this to the outside interface, like this,

access-group acl-in in interface outside

Also remember to set the gateway of your PCs to the ip of the inside interface of the 506.

Hope this helps.

Regards,

Ron

jldediego · ‎03-20-2002

Are you using nat or napt at the router?

Maybe you are not using public and legal ip address to access the internet, so when icmp packets responses try to come back, don't recognize the source ip address.

Regards.