Simple Pix Newbie Question

kevjtaylor
Level 1

I've set up a small lab: a PIX515E (inside interface) and a PC connected to the same switch on my desk.

The PIX (outside interface) is connected to another switch which has access to a router. Of course, IP addresses have been changed to protect the innocent ;)

My dilemma: I am able to ping outside addresses on different subnets from the PIX. However, from the PC I am able to ping only the PIX inside interface and hosts on the CONNECTED 171.30 route, as evidenced in my config (see below; FYI, my default gateway on the PC is the PIX inside interface). I would like the PC to be able to ping/telnet other devices on the other networks. HELP.

Config:

: Saved
: Written by enable_15 at 06:30:18.946 UTC Thu Feb 10 2005
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password xxxx
passwd xxx
hostname BubbaPix
domain-name xxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any any eq telnet
access-list 100 permit udp any any
pager lines 24
icmp permit any echo-reply outside
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 171.x.x.x.x.255.0
ip address inside 192.168.1.2 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 171.x.x.102
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 171.30.82.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxx
: end

7 Replies

jmia
Level 7

Jon,

Have a read of the following document:

http://www.cisco.com/warp/public/110/31.html

Let me know if this helps out.

Jay

Thanks, I'm reading the doc as I type. I'm 64-bit ;)

Hmmm, still no luck. From the diagram I'm assuming the PIX and PC are on the same switch; my environment is similar and I am still unable to ping. Unfortunately there isn't anything in the doc about the default gateway setting for the PC in the diagram :(

ewong0088
Level 1

Set your GW to your inside router, not the PIX. The PIX is not a router and, by design, denies traffic going out the same interface the packets came in on.

If you set your GW to the PIX, when you try to get to your other subnets you are essentially going from your PC to the PIX (inside interface); the PIX realizes that where you would like to go is only reachable via the inside interface. But the problem is, you can't: in and out from/to the same interface.

Hope this helps. Eric

I don't have an inside router as I'm connected directly to a switch, the same switch as the PIX inside interface.

Shouldn't the PIX trust traffic routed to it by a device on the inside interface and, when it receives the packet for an outbound host, use its static route for the next hop? Yes, I agree and have read that it's not a router.

Any other suggestions? Should I put the 171.30 router as my next hop? Would PIX forward the packet?

Thanks for your assistance.

mjgower
Level 1

It sounds like the PC and PIX are configured correctly. Does the outside router have a route to the 192.168.1.0 network?

Also, you can try logging on the PIX and/or router to see if the traffic is being dropped somewhere.

HTH,

Matt

The outside router doesn't have a route back to 192.168.1.0. But if I NAT the outgoing address with 171.30.82.102 as the config file states, will the reply packet find its way back at least to the 171.30.82 subnet? Should I do a static NAT for my PC behind the PIX?
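Two points in this thread are easiest to see by walking packets through a model of the posted config: ewong0088's "in and out from/to the same interface" rule, and the question of how a reply to the translated address 171.30.82.102 gets back to the PC. The following is an added toy model written for this thread, not Cisco code and not a PIX emulator. It assumes the outside subnet is 171.30.82.0/24 (the post redacts the outside interface address; the route and global statements suggest that subnet), a constructed lab PC at 192.168.1.10, constructed outside hosts 171.30.82.50 and 10.1.1.1, and one hypothetical `route inside 10.20.0.0/16` that is not in the posted config and exists only to show the same-interface drop. It models 6.x behaviour as a route lookup, a refusal to send a packet back out its ingress interface, dynamic NAT to the single global address with an xlate entry, and the outside access-list checked against the translated address before the xlate lookup (which is why the posted ACL has to permit echo-reply explicitly).

```python
"""Toy walk-through of PIX 6.3 forwarding for the posted config (constructed example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "echo", "echo-reply", "time-exceeded", "unreachable", "tcp-telnet", "udp"


@dataclass
class Pix:
    routes: list                                # [(IPv4Network, egress interface name)]
    nat_inside: ipaddress.IPv4Network           # nat (inside) 1 192.168.1.0 255.255.255.0
    global_addr: str                            # global (outside) 1 <single address>
    outside_acl: set                            # what access-list 100 permits inbound on outside
    xlate: dict = field(default_factory=dict)   # global address -> inside address ("show xlate")

    def egress_for(self, dst):
        """Longest-prefix match over the route table."""
        d = ipaddress.ip_address(dst)
        matches = [(net, iface) for net, iface in self.routes if d in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def handle(self, pkt, ingress):
        """Return ('forward', egress, translated packet) or ('drop', reason)."""
        if ingress == "inside":
            egress = self.egress_for(pkt.dst)
            if egress is None:
                return ("drop", "no route")
            if egress == ingress:
                # ewong0088's point: PIX 6.x will not hairpin traffic back out its ingress interface
                return ("drop", "egress equals ingress: no hairpin on PIX 6.x")
            if ipaddress.ip_address(pkt.src) not in self.nat_inside:
                return ("drop", "source not covered by nat (inside) 1")
            # dynamic NAT: record the translation so the reply can be mapped back
            self.xlate[self.global_addr] = pkt.src
            return ("forward", egress, Packet(self.global_addr, pkt.dst, pkt.proto))
        if ingress == "outside":
            # access-group 100 in interface outside: checked against the global (translated) address
            if pkt.proto not in self.outside_acl:
                return ("drop", "denied by access-list 100")
            inside_host = self.xlate.get(pkt.dst)
            if inside_host is None:
                return ("drop", f"no xlate for {pkt.dst}")
            return ("forward", "inside", Packet(pkt.src, inside_host, pkt.proto))
        return ("drop", "unknown interface")


def build_pix():
    net = ipaddress.ip_network
    return Pix(
        routes=[
            (net("192.168.1.0/24"), "inside"),    # connected: ip address inside 192.168.1.2
            (net("171.30.82.0/24"), "outside"),   # connected outside subnet (assumed; redacted in the post)
            (net("10.20.0.0/16"), "inside"),      # hypothetical route inside, only to show the hairpin drop
            (net("0.0.0.0/0"), "outside"),        # route outside 0.0.0.0 0.0.0.0 171.30.82.1 1
        ],
        nat_inside=net("192.168.1.0/24"),
        global_addr="171.30.82.102",
        outside_acl={"echo-reply", "time-exceeded", "unreachable", "tcp-telnet", "udp"},
    )


def walk_scenarios():
    """Run the thread's cases through the model; returns a dict of outcomes."""
    pix = build_pix()
    pc = "192.168.1.10"  # constructed lab PC, default gateway 192.168.1.2
    out = {}
    # PC pings a host on the connected outside subnet: translated to 171.30.82.102, sent out outside
    out["ping_connected"] = pix.handle(Packet(pc, "171.30.82.50", "echo"), "inside")
    # the reply is addressed to the global address, permitted by the ACL, mapped back via the xlate
    out["reply_connected"] = pix.handle(Packet("171.30.82.50", "171.30.82.102", "echo-reply"), "outside")
    # beyond the router: leaves via the default route; whether a reply comes back is up to the router side
    out["ping_beyond_router"] = pix.handle(Packet(pc, "10.1.1.1", "echo"), "inside")
    # destination routed back via inside: dropped, the PIX will not send it out the ingress interface
    out["hairpin"] = pix.handle(Packet(pc, "10.20.5.5", "echo"), "inside")
    # unsolicited echo from outside: not in access-list 100
    out["unsolicited_echo"] = pix.handle(Packet("171.30.82.50", "171.30.82.102", "echo"), "outside")
    # a reply with no matching xlate (nothing went out first) has nowhere to go
    out["reply_without_xlate"] = build_pix().handle(
        Packet("171.30.82.50", "171.30.82.102", "echo-reply"), "outside")
    return out


if __name__ == "__main__":
    for name, result in walk_scenarios().items():
        print(f"{name:20s} -> {result}")
```

The model shows why the outside router needing a route to 192.168.1.0 is not the issue once `nat (inside) 1` and the `global (outside) 1` address are in place: replies are addressed to 171.30.82.102 on the outside subnet and the xlate entry maps them back. It says nothing about what happens past 171.30.82.1, which the model cannot see; on the real box `show xlate` and `show conn` confirm the translation was built, and `debug icmp trace` shows whether a reply ever arrives on the outside interface.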
