Re: Pix FW 515E - Cannot ping outside interfaces

milimodi_sai · ‎03-07-2007

I am configuring FW 515E. Attached is the config file.

Cat 4510R ---->FW 515E ----> ISP Router

Cat 4510 has five vlans on it

1) From host on the network I can only ping the inside interface. I cannot ping outside

2)From firewall console I am able to ping both INSIDE and OUTSIDE without any problem

3) I cannot go to internet from insdie. No browsing

Can anyone please help??? I have to get this firewall up and running by end of Tomorrow.

jain.nitin · ‎03-08-2007

Hi, You hav to change the natting commands as below. & if you want to ping outside interface of PIX then u shud use ICMP permit any any outside command.

global (outside) 2 A.B.C.D-A.B.C.Z netmask 255.255.C.D

global (outside) 1 A.B.C.C netmask 255.255.C.D

nat (inside) 2 192.168.4.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

Please do rate if it helps.

Ninja

milimodi_sai · ‎03-08-2007

Hi Ninja,

Thank you very much for the reply. Attached is my network diagram. I have total of 5 vlans (including mgmt vlan). Do I need to add nat & global for each vlan? How will I do it? I want to use one global pool for all of them? Can you please let me know?

Thank you,

Mili

jain.nitin · ‎03-08-2007

Hi Mili, Configure natting like this way

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

it will do nat from all vlans IP & natted to outside interface IP. If you want to define the pool of address then replace interface with pool of public IPs.

If it helps pease do rate this post.

Ninja

jain.nitin · ‎03-08-2007

remember if u r doing NAT on firewall then dont do NAT on Router.

Ninja

milimodisai · ‎03-08-2007

Router belongs to ISP. I don't think they are doing NAT.

I changed my nat

nat(inside)1 192.168.4.0 255.55.255.0 A.B.C.D

nat(inside)1 192.168.5.0 255.55.255.0 A.B.C.D

nat(inside)1 192.168.98.0 255.55.255.0 A.B.C.D

nat(inside)1 192.168.99.0 255.55.255.0 A.B.C.D

Now, problem is all the networks except .98 can access internet. I am not sure what is going on.

On switch cat4510 R there are no policies or access lists.

Nothing on the firewall also. Why would .98 not work and all other work?

jain.nitin · ‎03-09-2007

mili, I suggest you to do dynamic nat instead of static NAT (Pool) just give a try with

global (outside) 1 interface

nat(inside)1 192.168.4.0 255.55.255.0 A.B.C.D

nat(inside)1 192.168.5.0 255.55.255.0 A.B.C.D

nat(inside)1 192.168.98.0 255.55.255.0 A.B.C.D

nat(inside)1 192.168.99.0 255.55.255.0 A.B.C.D

nat(inside) 1 192.168.1.0 255.255.255.0 A.B.C.D

try it out..

jain.nitin · ‎03-09-2007

another way of doing it is just define global statement with ur pool of IPs & in nat statements u can define as below

nat(inside) 1 192.168.0.0 255.255.0.0

so this nat will include all the networks which u hv inside the pix.

Thanks

which ever works configure that.

Ninja

milimodisai · ‎03-12-2007

Hi Ninja,

All the suggestions that you suggested are workable.

Excellent input. Thank you so much for your help !!!

-Mili