Solved: Re: VERY basic Pix 515E question - Page 2

_-TonyS-_ · ‎01-17-2005

I just pulled the thing out of the box and powered it up.

I put it on our internal network connected a laptop to the inside interface and went through the setup wizard.

I gave the outside interface a static address, added pat for the internal systems (just the above listed laptop) and all seemed well.

There appears to already be an access rule that allows all outbound traffic but I can see anything beyond the inside interface (192.168.1.1) on the laptop.

I can ping the whole world from the pix but the poor internal system sees nothing.

I am very new to Cisco and am sure I'm missing something basic.

Anyone want to help our a newbie?

Thanks!

zroth · ‎01-19-2005

Hi Tony,

I am glad to hear about the final success.

Just two remarks :

1.The above mentioned command route outside 0 0 192.168.0.111 has been already configured in your

PIX (at least what I see in your configuration) and

because 192.168.0.111 is in a connected network (PIX outside interface network),you actually do not need

this route for reaching 192.168.0.111.So I do not suppose this is the reason.

2.PIX is not handing out routing information in this

case (no RIP,no OSPF) and all is done statically.

But anyway,good luck

Sincerely

Zdenek

_-TonyS-_ · ‎01-19-2005

Really?

That is odd then.

I typed the command in the (config#) console and it didn't tell me it was already there.

And suddenly afterward it was all working.

Perhaps a glitch?

zroth · ‎01-20-2005

In the configuration you have sent on the Jan 18 through command sh conf is the default route written.You can check it.Of course this configuration

is the backup one,so it is quite possible that running configuration has been different.

You can check PIX valid routes by command show routes,this is taken from running config.

But anyway,I still do believe you would be able

to reach 192.168.0.111 from your laptop without defining PIX default route under three conditions :

1.The laptop is in the network 192.168.1.0/24

2.The laptop has either default route over 192.168.1.1 or route to 192.168.0.0 over 192.168.1.1

3.The live firewall 192.168.0.111 has to know the route to the network 192.168.1.0 (over 192.168.0.107)

You can try it by config command no route 0 0 192.168.0.111

check show route

Just for fun

Sincerely

Zdenek

zroth · ‎01-18-2005

Hi,

to apply an access-list to an interface you have to

use command access-group (ACL name) in interface (interface name)

An example : You have access-list 101

To apply it on the outside interface

you must type :

access-group 101 in int outside

What you have configured in the ACL 101 is up to you.Essentialy,for IP connection without ICMP you need not any ACL with PIX configured properly.You could try telnet connection from your laptop to the

live firewall,when it allows telnet and knows the route to the inside network 192.168.1.0/24.

If you want to ping the live firewall,then use ACL

allowing echo reply packets from live firewall.In that case I would use access-list allowing all return traffic (ICMP included)

Example :access-list 101 perm ip any any

Then try A.To ping inside PIX interface from your laptop

B.If successfull,try to ping the live firewall

Do not forget to tune ACL after the testing.

HTH

Zdenek

to the

ptaylor · ‎01-27-2005

I have the same issue as Tony and haven't quite figured out it out yet. Tony says that he has his live Firewall's address in the route (is that his gateway?). In my situation what is the IP I should be using in that route ?

The Outside interface of the PIX ?

Or the gateway or inside interface on my router ?

Thanks for your help

Pat

zroth · ‎01-28-2005

Hi,

live firewall address (192.168.0.111) in this case

is default gateway for PIX,defined by the command

route outside 0 0 192.168.0.111.It means,PIX sends

packets aimed to networks with unknown route to this

address.But to reach an address from the network 192.168.0.0/24(GW address 192.168.0.111 included) you need not default route,because this network is connected and therefore known to PIX.

GW is for PIX next hop on the route to any.

HTH

Zdenek