PIX 501 interconnectivity

Unanswered Question
Jun 10th, 2007

My problem is that the inside and outside networks defined are working fine, but independently. Although from the PIX console there is a response from either side, there is no response to a machine on the inside network from outside. Please, someone help in this regard; an early response is anticipated.

The existing config goes like this:

: Saved
:
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network inside
network-object 192.168.2.0 255.255.255.0
object-group network in
network-object 192.168.2.1 255.255.255.255
object-group network out
network-object 192.168.1.0 255.255.255.0
access-list inside_access_in permit tcp interface inside interface outside
access-list acl_outbound permit ip any any
access-list acl_outbound permit tcp any any
access-list outside permit icmp any any
access-list outside permit ip any any
access-list inside permit icmp any any
access-list inside permit ip any any
access-list outbound permit tcp any host 192.168.2.1
access-list outbound permit icmp any host 192.168.2.1
access-list inbound permit tcp any host 192.168.2.1 eq www
pager lines 40
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.2 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.2.0 255.255.255.0 inside
pdm group inside inside
pdm group in inside
pdm group out outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
global (inside) 50 192.x.2.10-192.168.2.45 netmask 255.255.255.0
nat (inside) 50 192.x.2.0 255.255.255.0 0 0
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.2.1 192.168.2.1 netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 192.168.2.1 255.255.255.255 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt noproxyarp outside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.10-192.168.2.40 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxx
: end

2.x is the internal network and 1.x is the outside network.

Rodrigo Gurriti Sun, 06/10/2007 - 07:51

"there is no response to a machine on the inside network from outside."

Well, I don't see it in the config, but if you have not changed it, the outside interface by default has a security level of 0 and inside has 100.

That means, thanks to the ASA (Adaptive Security Algorithm), any interface with a high security level can communicate with a low security level, but not the other way around.

Right now there will be no response because you are doing only NAT.

To get an inside machine to respond to requests from outside you need to create a static translation.

ex:

static (inside,outside) tcp 10.0.0.1 ftp-data 192.168.2.1 ftp-data netmask 255.255.255.255

This static command will allow any ftp-data request made on the outside interface to 10.0.0.1 to be forwarded to the inside IP 192.168.2.1, port 20.

Also keep in mind to add an access-list for that to happen, because the outside interface does not accept anything from outside.

In case you want to open the outside to receive requests for the static above, you do:

ex:

access-list OUTSIDE_TO_INSIDE extended permit tcp any interface outside eq ftp-data
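The reply boils inbound access on a PIX down to two things: a static translation for the inside host, and an access-list applied inbound on the outside interface that permits traffic to the translated address. The following Python script is an added, reader-side check of exactly that, not anything from the poster or from Cisco: it parses the `static`, `access-list`, `access-group` and `ip address` lines of a PIX 6.x style config and reports statics that no applied ACL permits, ACLs that are defined but never applied, and statics whose "real" address is one of the firewall's own interface addresses (which publishes no inside host). The embedded sample config is constructed for the example: it reuses the interface addresses and identity static from the question and the `inbound` ACL that the question defines but never applies, and it points the reply's ftp-data static at an assumed inside host 192.168.2.20 instead of the inside interface address.

```python
"""Added example: lint a PIX 6.x style config for the static + inbound ACL pairing
that the reply describes. Not Cisco tooling; a reader-side consistency check."""
import ipaddress

# Constructed sample (not the poster's full config). 192.168.2.20 is an assumed
# inside host; the interface addresses and identity static come from the question.
SAMPLE_CONFIG = """\
ip address outside 192.168.1.2 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
access-list outside permit icmp any any
access-list inbound permit tcp any host 192.168.2.1 eq www
access-list OUTSIDE_TO_INSIDE extended permit tcp any interface outside eq ftp-data
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.2.1 192.168.2.1 netmask 255.255.255.255 0 0
static (inside,outside) tcp 10.0.0.1 ftp-data 192.168.2.20 ftp-data netmask 255.255.255.255
access-group outside in interface outside
"""


def parse_addr(tokens):
    """Consume one ACL address spec: any | host A | interface IF | NET MASK."""
    if tokens[0] == "any":
        return ("any",), tokens[1:]
    if tokens[0] in ("host", "interface"):
        return (tokens[0], tokens[1]), tokens[2:]
    return ("net", tokens[0], tokens[1]), tokens[2:]


def parse_config(text):
    """Pull out interface IPs, statics, ACL entries and access-group bindings."""
    cfg = {"if_addrs": {}, "statics": [], "acls": {}, "groups": {}}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "ip" and t[1:2] == ["address"]:      # ip address IF ADDR MASK
            cfg["if_addrs"][t[2]] = t[3]
        elif t[0] == "static":
            real_if, mapped_if = t[1].strip("()").split(",")
            r = t[2:]
            if r[0] in ("tcp", "udp"):   # port static: PROTO MAPPED MPORT REAL RPORT
                s = dict(proto=r[0], mapped=r[1], mport=r[2], real=r[3], rport=r[4])
            else:                         # one-to-one static: MAPPED REAL
                s = dict(proto="ip", mapped=r[0], mport=None, real=r[1], rport=None)
            s.update(real_if=real_if, mapped_if=mapped_if)
            cfg["statics"].append(s)
        elif t[0] == "access-list":       # only destination "eq PORT" is modelled
            name, body = t[1], t[2:]
            if body[0] == "extended":
                body = body[1:]
            action, proto = body[0], body[1]
            src, body = parse_addr(body[2:])
            dst, body = parse_addr(body)
            port = body[1] if body[:1] == ["eq"] else None
            cfg["acls"].setdefault(name, []).append(
                dict(action=action, proto=proto, src=src, dst=dst, port=port))
        elif t[0] == "access-group":      # access-group NAME in interface IF
            cfg["groups"][t[4]] = t[1]
    return cfg


def entry_permits(entry, static, cfg):
    """True if one ACL entry permits traffic to the static's mapped address/port."""
    if entry["action"] != "permit":
        return False
    if "ip" not in (entry["proto"], static["proto"]) and entry["proto"] != static["proto"]:
        return False
    if entry["port"] and static["mport"] and entry["port"] != static["mport"]:
        return False
    mapped = static["mapped"]
    if mapped == "interface":             # "static ... interface" uses the mapped_if address
        mapped = cfg["if_addrs"].get(static["mapped_if"])
    dst = entry["dst"]
    if dst[0] == "any":
        return True
    if dst[0] == "host":
        return dst[1] == mapped
    if dst[0] == "interface":
        return cfg["if_addrs"].get(dst[1]) == mapped
    net = ipaddress.ip_network(f"{dst[1]}/{dst[2]}", strict=False)
    return ipaddress.ip_address(mapped) in net


def check_inbound(cfg):
    """Return findings as strings; an empty list means every static is reachable."""
    findings = []
    for s in cfg["statics"]:
        label = f"static ({s['real_if']},{s['mapped_if']}) {s['proto']} {s['mapped']} -> {s['real']}"
        if s["real"] in cfg["if_addrs"].values():
            findings.append(f"{label}: real address is the firewall's own interface "
                            f"address, so no inside host is published")
        acl = cfg["groups"].get(s["mapped_if"])
        if acl is None:
            findings.append(f"{label}: no access-group applied on {s['mapped_if']}")
        elif not any(entry_permits(e, s, cfg) for e in cfg["acls"].get(acl, [])):
            findings.append(f"{label}: access-list {acl} on {s['mapped_if']} has no permit entry for it")
    for name in cfg["acls"]:
        if name not in cfg["groups"].values():
            findings.append(f"access-list {name} is defined but never applied with access-group")
    return findings


if __name__ == "__main__":
    for finding in check_inbound(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample it reports four findings: the question's identity static translates the inside interface address itself, the reply's ftp-data static is not permitted by the `outside` ACL that is actually applied (that ACL only permits ICMP), and both `inbound` and `OUTSIDE_TO_INSIDE` are defined but never bound with `access-group`. Note that `entry_permits` compares the ACL destination with the static's mapped address, so a static written against `10.0.0.1` and an ACL written against `interface outside` are only treated as a pair when 10.0.0.1 is the outside interface address; writing the static with the `interface` keyword keeps the two in step.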
