12-27-2002 08:25 AM - edited 02-20-2020 10:27 PM
I have a 515e working fine at one location, but my 501 at a different location will not pass traffic through.
I have a DSL modem connected to the 501 on the outside interface; vpdn is authenticating to it over PPPoE. I can ping the outside world from within the firewall over console or telnet, and I can ping the internal network 192.168.51.0 from within the firewall. From the network (51.0) I can ping the firewall's inside NIC (192.168.51.1) but cannot ping or see any traffic through to the outside interface.
The following is my config:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******** encrypted
passwd ********* encrypted
hostname Const
domain-name ***********.com
fixup protocols.....
access-list acl_outbound permit ip 192.168.51.0 255.255.255.0 any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.51.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location............
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outbound in interface inside
timeouts.....
...aaa and http server entries, snmp, etc
...
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname yearround2
vpdn group pppoex ppp authentication pap
vpdn username **** password *******
terminal ....
:end
What am I missing here? I have compared it to my 515e's settings and can't see where it's not crossing.
Thank you very much for your time,
Dave
12-27-2002 09:54 AM
Create an inbound access list with the following commands:
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any unreachable
access-list acl_inbound permit icmp any any time-exceeded
access-group acl_inbound in interface outside
12-27-2002 11:02 AM
No, it's not that. If you notice, I do have two icmp permit lines in there. These, from my understanding, supersede the access-lists, and I have also tried, just to make sure it wasn't the lack of an inbound access-list, to put a permit ip any any on the outside interface, and that didn't help.
I fear it's something to do with my nat or global, but for the life of me I don't see it. What I did for the 515e isn't working on this one.
Thanks for your help though and for any more anyone can offer.
Dave
12-27-2002 12:05 PM
Your nat and global commands are correct. I have a PIX 501 at home w/ the same commands. The icmp command applies to traffic terminating on the PIX's interface, where the access-list and conduit command applies to traffic passing through the PIX.
http://www.cisco.com/warp/customer/110/31.html
http://www.cisco.com/warp/customer/110/pixtrace.html
Additionally, it might be necessary to apply a permit icmp statement to your acl_outbound access list.
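The distinction in the reply above, as an added example that is not from this thread or from Cisco's documentation: the icmp command only governs ICMP addressed to the PIX's own interfaces, while access-lists govern ICMP that passes through it. It assumes the interface names and the 192.168.51.0/24 inside subnet from the original post.

```text
: --- to-the-box: ICMP aimed at the PIX's own interface addresses ---
: the original config has "icmp permit any outside", which answers every
: ICMP type from the Internet; narrowing it to echo-reply still lets the
: PIX receive replies to its own pings while not answering probes
icmp deny any outside
icmp permit any echo-reply outside
icmp permit any inside

: --- through-the-box: ICMP from the inside hosts to the Internet ---
: "permit ip" already covers ICMP; an explicit line makes the intent visible
access-list acl_outbound permit icmp 192.168.51.0 255.255.255.0 any echo
access-list acl_outbound permit ip 192.168.51.0 255.255.255.0 any
access-group acl_outbound in interface inside

: --- through-the-box: return ICMP from the Internet to inside hosts ---
: PIX 6.x does not track ICMP state, so the replies must be permitted inbound
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any unreachable
access-list acl_inbound permit icmp any any time-exceeded
access-group acl_inbound in interface outside
```

Lines beginning with a colon are treated as comments by the PIX configuration parser and can be pasted along with the commands.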
12-27-2002 01:45 PM
Well, I can now ping out at least. I still don't have a DNS server at this location, since we are supposed to be using the one on the other side of a VPN I am trying to erect between the two PIXes, but this part of my issues seems to be resolved. :)
thx