03-30-2012 05:59 AM - edited 03-04-2019 03:51 PM
Hello,
I have the following setup.
host PC (192.168.9.3) -----> gateway (192.168.9.2) ----- Pix E1 (192.168.9.1)/Pix E0 (81.x.x.250) ------ Internet
The 192.168.9.2 gateway is a 3560 switch connected to the PIX. I can ping out to the Internet via IP from the PIX, but not via the host PC (192.168.9.3) on the LAN. PIX and gateway configs below. Am I missing something that's preventing me pinging out to the Internet from the internal LAN? Any advice is appreciated.
Many thanks,
Rob
PIX config
test-cal-pix01# sh run
: Saved
:
PIX Version 8.0(3)
!
hostname test-cal-pix01
enable password btf1YD.Vq7mE6vEA encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 81.x.x.250 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.9.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup outside
dns server-group BT_DNS
name-server 194.72.6.57
name-server 194.73.82.242
object-group network LOCAL_LAN
network-object 192.168.9.0 255.255.255.0
object-group service Internet_Services tcp
port-object eq www
port-object eq domain
port-object eq https
port-object eq ftp
port-object eq 8080
access-list ACLOUT extended permit tcp object-group LOCAL_LAN any object-group Internet_Services
access-list ACLOUT extended permit icmp object-group LOCAL_LAN any
access-list ACLOUT extended permit udp object-group LOCAL_LAN any eq domain
access-list ACLIN extended permit icmp any any echo-reply
access-list ACLIN extended permit icmp any any unreachable
access-list ACLIN extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging buffered errors
logging trap notifications
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group ACLIN in interface outside
access-group ACLOUT in interface inside
route outside 0.0.0.0 0.0.0.0 195.x.x.45 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c570240e1159a0f83d8ad2c67780deb0
: end
Gateway config
Switch#sh run
Building configuration...
Current configuration : 1583 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable password ###########
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
description uplink to Cisco_PIX
switchport access vlan 9
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
switchport access vlan 9
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
no ip address
!
interface Vlan9
ip address 192.168.9.2 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.9.1
ip route 192.168.9.0 255.255.255.0 192.168.9.1
ip http server
!
!
control-plane
!
!
line con 0
line vty 5 15
!
end
Switch#
03-30-2012 06:20 AM
Hi,
as Cisco guys often say, "It's not a bug, it's a feature." :-)
Read
http://www.cisco.com/image/gif/paws/15246/31.pdf
http://www.cisco.com/image/gif/paws/25708/pixtrace.pdf
for details.
HTH,
Milan
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: