Pix FW 515E - Cannot ping outside interfaces

Mar 7th, 2007

I am configuring FW 515E. Attached is the config file.


Cat 4510R ---->FW 515E ----> ISP Router


Cat 4510 has five VLANs on it.


1) From a host on the network I can only ping the inside interface. I cannot ping the outside interface.

2) From the firewall console I am able to ping both INSIDE and OUTSIDE without any problem.

3) I cannot go to the internet from inside. No browsing.


Can anyone please help??? I have to get this firewall up and running by end of Tomorrow.



jain.nitin Thu, 03/08/2007 - 02:19

Hi, you have to change the NAT commands as below, and if you want to ping the outside interface of the PIX then you should use the `icmp permit any any outside` command.


global (outside) 2 A.B.C.D-A.B.C.Z netmask 255.255.C.D

global (outside) 1 A.B.C.C netmask 255.255.C.D

nat (inside) 2 192.168.4.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0


Please do rate if it helps.

Ninja

milimodi_sai Thu, 03/08/2007 - 07:43

Hi Ninja,


Thank you very much for the reply. Attached is my network diagram. I have a total of 5 VLANs (including the mgmt VLAN). Do I need to add nat & global for each VLAN? How will I do it? I want to use one global pool for all of them. Can you please let me know?



Thank you,

Mili



jain.nitin Thu, 03/08/2007 - 11:14
Hi Mili, configure NAT like this:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0


It will NAT all the VLAN IPs to the outside interface IP. If you want to define a pool of addresses, then replace `interface` with the pool of public IPs.


If it helps, please do rate this post.


Ninja

jain.nitin Thu, 03/08/2007 - 11:15
Remember, if you are doing NAT on the firewall then don't do NAT on the router.


Ninja

milimodisai Thu, 03/08/2007 - 21:29

Router belongs to ISP. I don't think they are doing NAT.


I changed my NAT:


nat (inside) 1 192.168.4.0 255.255.255.0 A.B.C.D

nat (inside) 1 192.168.5.0 255.255.255.0 A.B.C.D

nat (inside) 1 192.168.98.0 255.255.255.0 A.B.C.D

nat (inside) 1 192.168.99.0 255.255.255.0 A.B.C.D



Now the problem is that all the networks except .98 can access the internet. I am not sure what is going on.


On the switch (Cat 4510R) there are no policies or access lists.


Nothing on the firewall either. Why would .98 not work when all the others work?

jain.nitin Fri, 03/09/2007 - 04:33
Mili, I suggest you do dynamic NAT instead of static NAT (pool). Just give this a try:


global (outside) 1 interface

nat (inside) 1 192.168.4.0 255.255.255.0 A.B.C.D

nat (inside) 1 192.168.5.0 255.255.255.0 A.B.C.D

nat (inside) 1 192.168.98.0 255.255.255.0 A.B.C.D

nat (inside) 1 192.168.99.0 255.255.255.0 A.B.C.D

nat (inside) 1 192.168.1.0 255.255.255.0 A.B.C.D


Try it out.

jain.nitin Fri, 03/09/2007 - 05:05
Another way of doing it is to just define the global statement with your pool of IPs, and in the nat statement you can define it as below:


nat (inside) 1 192.168.0.0 255.255.0.0


So this nat will include all the networks which you have inside the PIX.


Thanks. Whichever works, configure that.


Ninja
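The posts above hinge on two rules of PIX 6.x dynamic NAT: every `nat (inside) <id>` must pair with a `global (outside) <id>`, and an inside host is only translated if some nat statement covers its address with a valid mask. The following audit script is an added example, not code from the thread or from Cisco; its config is a constructed sample in the thread's syntax (A.B.C.D placeholders replaced with RFC 1918 and interface keywords, one mask deliberately mistyped).

```python
import ipaddress
import re

# Constructed sample config (not the poster's real one): nat id 2 has no
# global, and the 192.168.5.0 line carries a mistyped netmask.
SAMPLE_CONFIG = """
global (outside) 1 interface
nat (inside) 1 192.168.4.0 255.255.255.0
nat (inside) 1 192.168.5.0 255.55.255.0
nat (inside) 1 192.168.99.0 255.255.255.0
nat (inside) 2 192.168.98.0 255.255.255.0
"""

# Tolerates both "nat (inside) 1 ..." and the "nat(inside)1 ..." spacing seen in the thread.
NAT_RE = re.compile(r"^nat\s*\((\w+)\)\s*(\d+)\s+(\S+)\s+(\S+)")
GLOBAL_RE = re.compile(r"^global\s*\((\w+)\)\s*(\d+)\s+(\S+)")


def parse(config):
    """Return (nat_rules, globals) where globals maps nat id -> list of outside interfaces."""
    nats, globals_ = [], {}
    for line in config.splitlines():
        line = line.strip()
        m = NAT_RE.match(line)
        if m:
            nats.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            globals_.setdefault(int(m.group(2)), []).append(m.group(1))
    return nats, globals_


def audit(config, host):
    """List why an inside host would (or would not) be translated by this config."""
    nats, globals_ = parse(config)
    addr = ipaddress.ip_address(host)
    findings, covered = [], False
    for iface, nat_id, net, mask in nats:
        try:
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        except ValueError:  # non-contiguous or malformed mask, PIX would reject it too
            findings.append(f"invalid mask in nat ({iface}) {nat_id} {net} {mask}")
            continue
        if addr in network:
            covered = True
            if nat_id not in globals_:
                findings.append(f"nat id {nat_id} matches {host} but has no global statement")
    if not covered:
        findings.append(f"{host} is not covered by any nat statement")
    return findings
```

Run `audit(SAMPLE_CONFIG, "192.168.98.10")` to see the unpaired nat id reported; the single `nat (inside) 1 192.168.0.0 255.255.0.0` suggested above audits clean for every 192.168.x.x host.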

milimodisai Mon, 03/12/2007 - 16:51

Hi Ninja,


All the suggestions you made are workable.



Excellent input. Thank you so much for your help !!!



-Mili
