05-08-2007 05:28 AM - edited 03-05-2019 03:56 PM
I've got the following scenario: internal LAN at 192.168.0.x, connected to inside port of 506e. Outside port connected to cable router (SMC 8014). Cable router supplies address to 506e (10.1.10.x).
I've specified address pools as PAT using the assigned port addresses, but I can't ping through the 506e (i.e., I can't ping to 10.1.10.1).
I'm probably just missing something obvious, but I'll be grateful for any advice. Config attached.
Thanks,
dpm
05-08-2007 05:39 AM
Hi
Is 10.1.10.1 the ISP address?
Ping uses ICMP, which is not stateful, so you need to explicitly allow it back through your firewall.
Add this to your config:
1) access-list outside_in permit icmp host 10.1.10.1 any (note you can change the any to a host from your internal network)
2) access-group outside_in in interface outside.
HTH
Jon
05-08-2007 06:41 AM
Jon,
No, the 8014 is a cable modem/router. It NATs from the internet address to 10.1.10.x (it gave the PIX 10.1.10.103).
I'm only using ping as an example. I don't think anything is routed through to the cable router. If I connect a PC directly to the cable router everything works fine. But I can't seem to get anything across the PIX.
Thanks,
Dean
05-08-2007 11:13 AM
What rules do you have on your inside interface?
05-09-2007 04:08 AM
05-09-2007 11:28 AM
You have some statements in the pix that are not needed. But below is the config to allow icmp back into the network.
1. Check to see if you have a route to the outside world.
Show route
You should see something like:
outside 0.0.0.0 0.0.0.0 10.1.10.254
Next paste the following config changes in.
config t
no global (inside) 1 interface
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any time-exceeded
access-list outside permit icmp any any unreachable
access-group outside in interface outside
exit
wr me
Next from the pix try to ping outside.
ping outside 216.109.112.135
From your PC ping 216.109.112.135
What works and doesn't work?
05-09-2007 11:44 AM
You won't get too far with this either. Remove these:
access-list inside_access_in permit icmp 192.168.0.0 255.255.255.0 host 10.1.10.1 echo
access-group inside_access_in in interface inside
And what is the purpose of this? You should not need it.
static (inside,outside) 192.168.0.0 192.168.0.0 dns netmask 255.255.255.0 0 0
05-09-2007 11:51 AM
Thanks everyone - this solved the problem.
I appreciate your help.
Is there a document that describes, in detail, the CLI commands, their syntax and what the various parameters mean? I'm just monkey-see-monkey-do at this point, and I really need to get a better understanding of what these commands do.
Thanks,
dpm
05-09-2007 11:59 AM
What fixed it?
Here's everything you ever wanted to know about PIX.
http://cisco.com/en/US/products/sw/secursw/ps2120/tsd_products_support_series_home.html
Command references have all cli commands. Also check out the configuration guides.
Please rate these if they help.
05-09-2007 12:11 PM
Here's what my final config looks like:
access-list inside_access_in permit icmp 192.168.0.0 255.255.255.0 host 10.1.10.1 echo
access-list outside_access_in permit icmp interface outside 192.168.0.0 255.255.255.0 echo-reply
access-list icmp1 permit icmp any any
global (outside) 2 interface
global (inside) 1 interface
nat (inside) 2 0.0.0.0 0.0.0.0 dns 0 0
access-group icmp1 in interface outside
Thanks,
dpm
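An added example, not part of any post in this thread: a small Python check that reads PIX `access-list` and `access-group` lines and reports ICMP permits, on the ACL bound inbound to the outside interface, that go beyond the reply types listed in the 05-09-2007 11:28 AM post. The function names are hypothetical, the two configs are copied from the thread, and it assumes ICMP types are written by name.

```python
import re

# ICMP reply types the 05-09-2007 11:28 AM post permits inbound on outside.
RETURN_TYPES = {"echo-reply", "time-exceeded", "unreachable"}
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+icmp\s+(.+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")

# Copied from the thread: the suggested entries and the poster's final config.
SUGGESTED = """\
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any time-exceeded
access-list outside permit icmp any any unreachable
access-group outside in interface outside
"""
FINAL = """\
access-list inside_access_in permit icmp 192.168.0.0 255.255.255.0 host 10.1.10.1 echo
access-list outside_access_in permit icmp interface outside 192.168.0.0 255.255.255.0 echo-reply
access-list icmp1 permit icmp any any
access-group icmp1 in interface outside
"""

def skip_address(tokens):
    """Drop one address spec: 'any' is one token; 'host A', 'interface N', 'NET MASK' are two."""
    return tokens[1:] if tokens[:1] == ["any"] else tokens[2:]

def audit_icmp(config, interface="outside"):
    """Return (line, reason) for ICMP permits in the ACL bound inbound to `interface`."""
    acls, bound = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).split(), line))
        elif (m := GROUP_RE.match(line)) and m.group(2) == interface:
            bound = m.group(1)  # one inbound ACL per interface: keep the last one seen
    findings = []
    for action, tokens, line in acls.get(bound, []):
        if action != "permit":
            continue
        icmp_type = skip_address(skip_address(tokens))  # what remains after source and destination
        if not icmp_type:
            findings.append((line, "no ICMP type given: every type is permitted"))
        elif icmp_type[0] not in RETURN_TYPES:
            findings.append((line, f"type {icmp_type[0]} is not a reply type"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("suggested", SUGGESTED), ("final", FINAL)):
        print(name, audit_icmp(cfg) or "only reply types permitted")
```

Only the ACL named in an `access-group` line for the chosen interface is checked, so `inside_access_in` and `outside_access_in` in the final config are ignored because nothing binds them.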