Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
576
Views
0
Helpful
4
Replies

501 PIX trouble

dsingleterry
Level 1
Level 1

‎12-27-2002 08:25 AM - edited ‎02-20-2020 10:27 PM

I have a 515e working fine at one location, but my 501 at a different location will not pass traffic through.

I have a DSL modem connected to the 501 on the outside interface, vpdn is authenticating to it over pppoe. I can ping the outside world from within the firewall over console or telnet, and I can ping the internal network 192.168.51.0 from within the firewall. From the network (51.0 ) I can ping the firewall's inside nic (192.168.51.1) but cannot ping or see any traffic through to the outside interface.

The following is my config:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password ******** encrypted

passwd ********* encrypted

hostname Const

domain-name ***********.com

fixup protocols.....

access-list acl_outbound permit ip 192.168.51.0 255.255.255.0 any

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

icmp permit any outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside pppoe setroute

ip address inside 192.168.51.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location............

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group acl_outbound in interface inside

timeouts.....

...aaa and http server entries, snmp, etc

...

vpdn group pppoex request dialout pppoe

vpdn group pppoex localname yearround2

vpdn group pppoex ppp authentication pap

vpdn username **** password *******

terminal ....

:end

What am I missing here? I have compared it to my 515e's settings and cant see where its not crossing.

Thank you very much for your time,

Dave

0 Helpful
4 Replies 4

bradd.hammond
Level 1
Level 1

‎12-27-2002 09:54 AM

create an inbound access list with the following commands:

access-list acl_inbound permit icmp any any echo-reply

access-list acl_inbound permit icmp any any unreachable

access-list acl_inbound permit icmp any any time-exceeded

access-group acl_inbound in interface outside

0 Helpful

dsingleterry
Level 1
Level 1
In response to bradd.hammond

‎12-27-2002 11:02 AM

No, its not that. If you notice I do have two icmp permit lines in there. These from my understanding supercede the access-lists, and I have also tried ,just to make sure it wasnt the lack of an access-list inbound, to put a permit ip any any on the outside interface and that didnt help.

I fear its something to do with my nat or global, but for the life of me I dont see it. What I did for the 515e isnt working on this one.

Thanks for your help though and for any more anyone can offer.

Dave

0 Helpful

bradd.hammond
Level 1
Level 1
In response to dsingleterry

‎12-27-2002 12:05 PM

Your nat and global commands are correct. I have a PIX 501 at home w/ the same commands. The icmp command applies to traffic terminating on the PIX's interface, where the access-list and conduit command applies to traffic passing through the PIX.

http://www.cisco.com/warp/customer/110/31.html

http://www.cisco.com/warp/customer/110/pixtrace.html

Additionally, it might be necessary apply a permit icmp statement to your acl_outbound access list.

0 Helpful

dsingleterry
Level 1
Level 1
In response to bradd.hammond

‎12-27-2002 01:45 PM

well, I can now ping out at least, I still dont have a DNS server at this location since we are supposed to be using the one on the other side of a VPN I am trying to erect between the two PIX's, but this part of my issues seems to be resolved. :)

thx

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card