PIX506E Basic Configuration

tonny_ecmyy, Level 1

Hello There...

I would like to ask the experts whether my configuration is correct or not. Please help a beginner.

I have a PIX 506E.

Fixed IP line 214.xxx.xxx.161 connected to router 192.168.1.2 and then connected to PIX506E Firewall outside Interface 192.168.1.1.

The inside interface of the firewall has IP 10.1.1.1 and is connected to a switch; the switch connects to the server/client PCs with the IP addresses 10.1.1.10/50.

My problem is that the inside and outside users can't connect (and also can't ping) although I've made some rules for it. I also can't even surf the internet; the firewall blocks everything. I'm not sure whether my configuration is correct...

I've attached my configuration. Please look through it.

Thanks

Tonny

WT Excellence Distribution


5 Replies

jmia, Level 7

Tonny,

You need to assign a public IP to the outside interface of your PIX, as at the moment you have assigned the interface a private IP.

Hope this helps.

Jay

Hi

I cannot ping or access the router 192.168.1.2 from the inside 10.1.1.1. I still couldn't browse the internet, I think. If I can access the router, maybe the problem is solved. I already set the default route to the router. The inside PC addresses I fill in like this:

IP Address: 10.1.1.2/50

Subnet Mask: 255.0.0.0

Default Gateway: 10.1.1.1 (Pix Inside Address)

Preferred DNS Server: 10.1.1.2

My operating system is Windows 2003 Server.

Not sure whether my configuration is correct or not.

Thanks for helping

Tonny

Are you testing now with only the PC 10.1.1.2? You have enabled NATting only for this PC now, so make sure you test it only with this IP address.

Are you sure you have reverse routes for 202.196.169.170-202.196.169.190 on the internet router pointing back to the PIX outside 192.168.1.1? Make sure your ISP routes this IP address range.

To allow ping, configure an access-list and apply it on the outside, as ICMP is disabled by default.

access-list outside permit icmp any any

access-group outside in interface outside

All the best!

Thanks for replying

Now I can ping my router and browse the internet. Now I'm going to configure the VPN. Is there any link to a step-by-step guide to configure VPN on the PIX 506E? I want to use the VPN client and Easy VPN Remote on the firewall.

Thanks for helping

Tonny

Hello Tonny,

Here are the step-by-step configurations for your PIX 506.

No NAT:

nat (inside) 0 access-list 100

access-list 100 permit ip host 192.168.180.1 (server IP which needs access from VPN) 10.1.1.0 255.255.255.0 (IP pool)

ip local pool vpnpool 10.1.1.1-10.1.1.254

Crypto map configuration:

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap client configuration address initiate

crypto map mymap client configuration address respond

crypto map mymap client authentication LOCAL

crypto map mymap interface outside

isakmp enable outside

isakmp identity address

Policy configuration:

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

VPN group configuration:

vpngroup abcvpn address-pool vpnpool

vpngroup abcvpn split-tunnel 100

vpngroup abcvpn idle-time 1800

vpngroup abcvpn password ********

username tonny password cisco

Do let us know if you need any more information. All the best!
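One check worth running before pasting a template like the one above into a PIX: the client address pool (`ip local pool vpnpool 10.1.1.1-10.1.1.254`) must not overlap the inside LAN or include the inside interface address, or remote clients will be handed addresses that collide with hosts behind the firewall and the `nat 0` exemption will match local traffic. The following is an added example, not code from the thread or from Cisco; it reads the pool line as written in the reply and compares it against the inside network from the original post, assuming a /24 inside LAN (the thread only gives the inside interface address 10.1.1.1 and a 255.0.0.0 mask on the PC, so the /24 is an assumption).

```python
import ipaddress
import re

# Configuration lines copied from the reply above (constructed input for this check).
PIX_CONFIG = """
nat (inside) 0 access-list 100
access-list 100 permit ip host 192.168.180.1 10.1.1.0 255.255.255.0
ip local pool vpnpool 10.1.1.1-10.1.1.254
"""

# From the original post: PIX inside interface address. The /24 mask is an assumption.
INSIDE_INTERFACE = "10.1.1.1"
INSIDE_LAN = "10.1.1.0/24"


def parse_local_pools(config_text):
    """Return {pool_name: (first_ip, last_ip)} for every 'ip local pool' line."""
    pools = {}
    pattern = re.compile(r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)")
    for line in config_text.splitlines():
        m = pattern.match(line.strip())
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return pools


def pool_blocks(first, last):
    """CIDR blocks that exactly cover the pool range (what the pool really spans)."""
    return list(ipaddress.summarize_address_range(first, last))


def check_pool(first, last, inside_lan, inside_if):
    """Return a list of findings; empty means the pool is safe to use with this LAN."""
    lan = ipaddress.ip_network(inside_lan)
    iface = ipaddress.ip_address(inside_if)
    findings = []
    if any(block.overlaps(lan) for block in pool_blocks(first, last)):
        findings.append(f"pool {first}-{last} overlaps inside LAN {lan}")
    if first <= iface <= last:
        findings.append(f"pool {first}-{last} includes the PIX inside address {iface}")
    return findings


def audit(config_text, inside_lan=INSIDE_LAN, inside_if=INSIDE_INTERFACE):
    """Audit every pool in the config; returns {pool_name: [findings]}."""
    return {name: check_pool(first, last, inside_lan, inside_if)
            for name, (first, last) in parse_local_pools(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit(PIX_CONFIG).items():
        status = "OK" if not findings else "CONFLICT"
        print(f"{name}: {status}")
        for f in findings:
            print("  -", f)
```

Run as-is it reports two conflicts for `vpnpool`; changing the pool to a range outside the inside LAN (for example a separate, unused private block, and updating the `access-list 100` destination to match) clears both.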