OK, here's some more of the problem - since I can't ping my external interface, can I ping another address on the same network as that interface? My understanding is that there's no communication from a lower-security interface to a higher-security interface, but isn't internet communication almost always two-way? That's what ACL's are for, isn't it? So could I set up an ACL to allow an ICMP packet through the 506e, or is it ICMP specifically that's not allowed through?

Thanks,

JP

Now I have the second PIX set up identical to the first one, but that's not quite right. I want to have a web server inside pix2, able to be accessed by a client on the inside interface of pix1. The outside interfaces of pix1 and pix2 are on the same network, connected through a hub. As I have said before in this post, I can now ping from inside pix1 to the outside of pix2. I have tried to follow directions to set up a static, an access-list, and an access-group to allow access to a web server inside pix2 but I can't access it either from a host on the 200.1.1.0 network (the outside interface network) or from a host on the inside network of pix1. I've pasted my current configs (which are different than the configs from before) and I wonder if anyone has suggestions.

Thanks.

JP

--------------------------

pixfirewall2(config)# sho run

: Saved

:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx encrypted

passwd xxx encrypted

hostname pixfirewall2

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list inbound permit tcp any host 192.168.2.1 eq www

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 200.1.1.2 255.255.255.0

ip address inside 192.168.2.254 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface www 192.168.2.1 www netmask 255.255.255.255 0 0

access-group inbound in interface outside

access-group inbound in interface inside

route outside 0.0.0.0 0.0.0.0 200.1.1.1 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

aaa authentication telnet console LOCAL

aaa authentication http console LOCAL

http server enable

http 192.168.2.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 192.168.2.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

username administrator password xxx encrypted privilege 15

terminal width 80

Cryptochecksum:xxx

: end

-------------------

While I'm at it, if anyone sees anything in my configs that should be removed, I'm accepting comments. Thanks.