PIX help Can not ping DMZ from inside or outside.

jblancke
Level 1

I have been tasked with the project of configuring this PIX. I am new but know just a little about the PIX.

I cannot ping any machines in the DMZ from the inside or the outside.

Please help

This is my config

Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 InetDMZ security50
nameif ethernet3 RASDMZ security45
nameif ethernet4 ISADMZ security40
nameif ethernet5 spare security1
enable password xxxxxxxxxx encrypted
passwd xxxxxx encrypted
hostname xxxxxxPix
domain-name xxxxxxx.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 10.59.64.70 Exchange
name 10.59.64.80 SMTP
name 192.168.12.10 RAS
object-group service Exchange tcp
  port-object range 5000 5001
  port-object eq www
  port-object eq smtp
  port-object eq 135
object-group service Deny_out tcp
  port-object range aol aol
  port-object eq 5050
  port-object eq 7320
  port-object eq 3574
  port-object eq 1503
  port-object eq 4443
  port-object eq 6891
  port-object eq 24613
  port-object eq 1863
  port-object eq 1214
  port-object range 6346 6347
  port-object eq netbios-ssn
  port-object eq aol
  port-object eq irc
object-group service Deny_outudp udp
  port-object range 13324 13325
  port-object eq netbios-ns
object-group icmp-type icmp
access-list outside_access_in permit tcp any host xxx.xxx.198.129 eq smtp log
access-list outside_access_in permit tcp any host xxx.xxx.198.128 object-group Exchange log
access-list outside_access_in permit gre any host xxx.xxx.198.70 log
access-list outside_access_in permit tcp any host xxx.xxx.198.70 eq pptp log
access-list outside_access_in permit icmp any host xxx.xxx.198.70 log
access-list outside_access_in permit tcp any host xxx.xxx.198.130 eq www log
access-list outside_access_in permit tcp any host xxx.xxx.198.130 eq https log
access-list outside_access_in permit tcp any host xxx.xxx.198.131 eq www log
access-list outside_access_in permit tcp any host xxx.xxx.198.131 eq https log
access-list outside_access_in permit tcp any host xxx.xxx.198.132 eq www log
access-list outside_access_in permit tcp any host xxx.xxx.198.132 eq https log
access-list outside_access_in permit icmp any host xxx.xxx.198.128 log
access-list outside_access_in permit icmp any host xxx.xxx.198.129 log
access-list outside_access_in permit icmp any host xxx.xxx.198.130 log
access-list outside_access_in permit icmp any host xxx.xxx.198.131 log
access-list outside_access_in permit icmp any host xxx.xxx.198.132 log
access-list acl_inside permit ip any any log
access-list acl_inside permit icmp any any log
access-list acl_inside permit udp any any log
access-list RASDMZ_access_in permit icmp any any
access-list No_NAT permit ip 10.0.0.0 255.0.0.0 10.57.9.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu InetDMZ 1500
mtu RASDMZ 1500
mtu ISADMZ 1500
mtu spare 1500
ip address outside xxx.xxx.198.252 255.255.255.0
ip address inside 10.57.3.2 255.255.255.0
ip address InetDMZ 192.168.10.1 255.255.255.0
ip address RASDMZ 192.168.12.1 255.255.255.0
ip address ISADMZ 192.168.11.1 255.255.255.0
no ip address spare
ip audit info action alarm
ip audit attack action alarm
ip audit signature 1000 disable
ip audit signature 1102 disable
ip audit signature 2154 disable
ip audit signature 4050 disable
ip audit signature 4051 disable
ip audit signature 6190 disable
ip local pool pptp 10.57.9.1-10.57.9.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address InetDMZ
no failover ip address RASDMZ
no failover ip address ISADMZ
no failover ip address spare
pdm location 10.0.1.0 255.255.255.0 inside
pdm location 10.59.64.3 255.255.255.255 inside
pdm location 10.58.65.9 255.255.255.255 inside
pdm location 10.59.64.0 255.255.224.0 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 10.0.0.0 255.0.0.0 RASDMZ
pdm location RAS 255.255.255.255 RASDMZ
pdm location Exchange 255.255.255.255 inside
pdm location SMTP 255.255.255.255 inside
pdm location 192.168.11.10 255.255.255.255 inside
pdm location 10.57.9.0 255.255.255.0 RASDMZ
pdm location 192.168.11.11 255.255.255.255 ISADMZ
pdm location 192.168.11.12 255.255.255.255 ISADMZ
pdm location 192.168.11.13 255.255.255.255 ISADMZ
pdm logging errors 100
pdm history enable
arp timeout 14400
global (outside) 10 xxx.xxx.198.241
global (InetDMZ) 10 192.168.10.128-192.168.10.254 netmask 255.255.255.0
global (RASDMZ) 10 192.168.12.128-192.168.12.254 netmask 255.255.255.0
global (ISADMZ) 10 192.168.11.128-192.168.11.254 netmask 255.255.255.0
nat (inside) 0 access-list No_NAT
nat (InetDMZ) 10 0.0.0.0 0.0.0.0 0 0
nat (RASDMZ) 10 0.0.0.0 0.0.0.0 0 0
nat (ISADMZ) 10 0.0.0.0 0.0.0.0 0 0
static (RASDMZ,outside) xxx.xxx.198.70 RAS netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.198.129 SMTP netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.198.128 Exchange netmask 255.255.255.255 0 0
static (ISADMZ,outside) xxx.xxx.198.30 192.168.11.11 netmask 255.255.255.255 0 0
static (ISADMZ,outside) xxx.xxx.198.31 192.168.11.12 netmask 255.255.255.255 0 0
static (ISADMZ,outside) xxx.xxx.198.32 192.168.11.13 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group acl_inside in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.198.251 1
route inside 10.0.0.0 255.0.0.0 10.57.3.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.58.65.9 255.255.255.255 inside
http 10.59.64.0 255.255.224.0 inside
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
snmp-server contact James Blancke
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet 10.58.65.9 255.255.255.255 inside
telnet 10.59.64.0 255.255.224.0 inside
telnet 10.0.1.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local pptp
vpdn group PPTP-VPDN-GROUP client configuration dns 10.59.64.50 10.56.64.51
vpdn group PPTP-VPDN-GROUP client configuration wins 10.59.64.50 10.56.64.51
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username hanscomb password *********
vpdn enable outside
username Hanscomb password xxxxxx encrypted privilege 15
terminal width 90
: end
[OK]

3 Replies

gfullage
Cisco Employee

The PIX does not handle ICMP packets between interfaces the way it handles UDP/TCP packets; you always have to specifically allow them in.

access-group RASDMZ_access_in in interface RASDMZ

should get you going (for the RASDMZ interface at least)

Thanks, your solution helped me as well.

Regards

Nitin Mohan

koaps
Level 1

You put the any any on the inside interface; it should be on the DMZ interface.

Try that.

-k
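The two replies above point at the missing inbound ACL on the DMZ interfaces. The following added example (written for this thread, not code from the original post or from Cisco) turns that check, plus the other two conditions a PIX 6.x applies to the same ping (a translation must exist for traffic leaving a higher-security interface, and ICMP is only inspected statefully when `fixup protocol icmp` is on), into a small linter over the posted config. It runs on a constructed, abridged copy of that config; the function names, the `<interface>_access_in` naming of suggested ACLs, and the choice of `permit icmp any any echo-reply` as the suggested DMZ rule are this example's own conventions, not anything the thread specifies.

```python
"""Lint a PIX 6.x config for the conditions behind "cannot ping the DMZ".
Added example for this thread, not Cisco code; assumptions are noted inline."""
import re

# Constructed sample: an abridged copy of the config posted in the thread, with
# the public addresses masked the same way the poster masked them.
SAMPLE_CONFIG = """\
PIX Version 6.3(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 InetDMZ security50
nameif ethernet3 RASDMZ security45
nameif ethernet4 ISADMZ security40
fixup protocol ftp 21
access-list acl_inside permit ip any any log
access-list RASDMZ_access_in permit icmp any any
access-list No_NAT permit ip 10.0.0.0 255.0.0.0 10.57.9.0 255.255.255.0
global (outside) 10 xxx.xxx.198.241
global (InetDMZ) 10 192.168.10.128-192.168.10.254 netmask 255.255.255.0
nat (inside) 0 access-list No_NAT
nat (InetDMZ) 10 0.0.0.0 0.0.0.0 0 0
nat (RASDMZ) 10 0.0.0.0 0.0.0.0 0 0
nat (ISADMZ) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group acl_inside in interface inside
snmp-server community public
vpdn group PPTP-VPDN-GROUP ppp authentication pap
"""


def parse_pix(text):
    """Collect the parts of a PIX 6.x config that the checks below need."""
    cfg = {"levels": {}, "acl_on": {}, "acls": set(), "nat_ids": {},
           "global_ids": {}, "fixups": set(), "snmp": [], "pap_groups": []}
    for line in text.splitlines():
        if m := re.match(r"nameif \S+ (\S+) security(\d+)$", line):
            cfg["levels"][m[1]] = int(m[2])          # interface -> security level
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            cfg["acl_on"][m[2]] = m[1]               # interface -> inbound ACL
        elif m := re.match(r"access-list (\S+) ", line):
            cfg["acls"].add(m[1])
        elif m := re.match(r"nat \((\S+)\) (\d+) ", line):
            cfg["nat_ids"].setdefault(m[1], set()).add(int(m[2]))
        elif m := re.match(r"global \((\S+)\) (\d+) ", line):
            cfg["global_ids"].setdefault(m[1], set()).add(int(m[2]))
        elif m := re.match(r"fixup protocol (\S+)", line):
            cfg["fixups"].add(m[1])
        elif m := re.match(r"snmp-server community (\S+)$", line):
            cfg["snmp"].append(m[1])
        elif m := re.match(r"vpdn group (\S+) ppp authentication pap$", line):
            cfg["pap_groups"].append(m[1])
    return cfg


def check_pix(cfg):
    """Return (scope, problem, suggested command) triples."""
    levels, out = cfg["levels"], []
    top = max(levels.values())
    for iface, level in sorted(levels.items(), key=lambda kv: -kv[1]):
        # 1. Traffic entering a lower-security interface bound for a higher one (ICMP
        #    echo replies included while ICMP is not inspected) needs an inbound ACL.
        if level < top and iface not in cfg["acl_on"]:
            acl = f"{iface}_access_in"  # ACL naming convention assumed by this example
            fix = f"access-group {acl} in interface {iface}"
            if acl not in cfg["acls"]:
                fix = f"access-list {acl} permit icmp any any echo-reply; " + fix
            out.append((iface, "no inbound ACL: packets toward higher-security "
                        "interfaces, ICMP echo replies included, hit the implicit deny", fix))
        # 2. PIX 6.x needs a translation for every connection toward a lower-security
        #    interface; with no nat/static it drops it ("No translation group found").
        if level > 0 and not cfg["nat_ids"].get(iface, set()) - {0}:
            lower_globals = set().union(*(cfg["global_ids"].get(l, set())
                                          for l, lv in levels.items() if lv < level))
            nat_id = min(lower_globals) if lower_globals else 1
            out.append((iface, "no nat rule: only hosts matched by nat 0 or a static can "
                        "start connections to lower-security interfaces",
                        f"nat ({iface}) {nat_id} 0.0.0.0 0.0.0.0 0 0"))
    if "icmp" not in cfg["fixups"]:
        out.append(("global", "ICMP is not inspected statefully, so replies need an "
                    "explicit permit on the interface where they arrive", "fixup protocol icmp"))
    for community in cfg["snmp"]:
        if community in ("public", "private"):
            out.append(("snmp", f"well-known community string '{community}'",
                        f"no snmp-server community {community}"))
    for group in cfg["pap_groups"]:
        out.append(("vpdn", "PAP sends the PPTP password in clear text",
                    f"no vpdn group {group} ppp authentication pap"))
    return out


if __name__ == "__main__":
    for scope, problem, fix in check_pix(parse_pix(SAMPLE_CONFIG)):
        print(f"[{scope}] {problem}\n    fix: {fix}")
```

Run against the sample, the three findings that matter for the question are: InetDMZ, RASDMZ and ISADMZ have no `access-group`, so nothing entering those interfaces is ever permitted toward inside; `inside` has only `nat 0` for the PPTP pool and two host statics, so an ordinary inside host has no translation at all and is dropped before any ACL is consulted; and `fixup protocol icmp` is off, so echo replies are not matched to the outgoing echo. Either enabling that fixup or permitting `echo-reply` on each DMZ interface fixes the ping; the `echo-reply`-only rule is narrower than the thread's `permit icmp any any`. One caveat when applying an `access-group` to a DMZ interface: from then on that ACL governs everything entering the interface, including traffic to lower-security interfaces, so DMZ hosts that must reach the outside need their own permits (the `permit ip any any` on `acl_inside` is what keeps inside-to-anywhere working). The SNMP and PAP findings are not part of the ping problem; they are the weak settings a reviewer would change while in the config (replace `public` with a non-default string rather than just removing it if SNMP polling is wanted).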
