06-10-2007 04:28 AM - edited 02-21-2020 01:33 AM
My problem is that the inside and outside networks defined are working fine, but independently. Although from the PIX console there is a response from either side, there is no response to a machine on the inside network from outside. Please, someone help in this regard. An early response is anticipated.
The existing config goes like this:
: Saved
:
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network inside
network-object 192.168.2.0 255.255.255.0
object-group network in
network-object 192.168.2.1 255.255.255.255
object-group network out
network-object 192.168.1.0 255.255.255.0
access-list inside_access_in permit tcp interface inside interface outside
access-list acl_outbound permit ip any any
access-list acl_outbound permit tcp any any
access-list outside permit icmp any any
access-list outside permit ip any any
access-list inside permit icmp any any
access-list inside permit ip any any
access-list outbound permit tcp any host 192.168.2.1
access-list outbound permit icmp any host 192.168.2.1
access-list inbound permit tcp any host 192.168.2.1 eq www
pager lines 40
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.2 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.2.0 255.255.255.0 inside
pdm group inside inside
pdm group in inside
pdm group out outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
global (inside) 50 192.x.2.10-192.168.2.45 netmask 255.255.255.0
nat (inside) 50 192.x.2.0 255.255.255.0 0 0
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.2.1 192.168.2.1 netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 192.168.2.1 255.255.255.255 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt noproxyarp outside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.10-192.168.2.40 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxx
: end
2.x is the internal network and 1.x is the outside network.
06-10-2007 07:51 AM
"there is no response to a machine on the inside network from outside."
Well, I don't see it in the config, but if you have not changed it, the outside interface by default has a security level of 0 and the inside has 100.
That means that, thanks to the ASA (Adaptive Security Algorithm), any interface with a high security level can communicate with a low security level, but not the other way around.
Right now there will be no response because you are only doing NAT.
To get an inside machine to respond to requests from outside, you need to create a static translation.
ex:
static (inside,outside) tcp 10.0.0.1 ftp-data 192.168.2.1 ftp-data netmask 255.255.255.255
This static command will allow any ftp-data request made on the outside interface for 10.0.0.1 to be forwarded to inside IP 192.168.2.1, port 20.
Also keep in mind to add an access-list for that to happen, because the outside interface does not accept anything from outside.
In case you want to open the outside to receive requests for the static above, you do:
ex:
access-list OUTSIDE_TO_INSIDE extended permit tcp any interface outside eq ftp-data
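The reply's point is that an outside-initiated connection needs two things at once on a PIX 6.x: a `static (inside,outside)` translation for the destination and an access-list applied inbound on the outside interface that permits the flow (the ACL is matched against the mapped address on this platform). The script below is an added audit helper written for this thread, not code from either poster or from Cisco: it parses those three statement types plus `ip address` (to resolve the `interface` keyword) from a constructed sample config and reports, for a given flow, which of the two conditions is missing. The service-name table, the sample addresses and the `/32`-only treatment of statics are assumptions made for the example.

```python
"""Audit helper: can an outside-initiated flow reach an inside host through a PIX 6.x?

Added example, not part of the original thread. It models the two checks the reply
describes: an access-list applied inbound on the outside interface must permit the flow
(matched against the mapped address), and a static (inside,outside) must translate the
destination. Only host (/32) statics are modelled; the sample config below is constructed.
"""
import ipaddress

# Assumption: only the service names used in the sample config need resolving.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "www": 80, "http": 80, "https": 443, "ssh": 22}


def port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def take_addr(toks):
    """Pop one address spec from the front of toks: any | host A | interface IF | A MASK."""
    kind = toks.pop(0)
    if kind == "any":
        return ("any",)
    if kind in ("host", "interface"):
        return (kind, toks.pop(0))
    return ("net", ipaddress.ip_network(f"{kind}/{toks.pop(0)}", strict=False))


def addr_matches(spec, ip, cfg):
    kind = spec[0]
    if kind == "any":
        return True
    if kind == "host":
        return ip == ipaddress.ip_address(spec[1])
    if kind == "interface":          # the interface keyword means that interface's own address
        return ip == cfg["ifaces"].get(spec[1])
    return ip in spec[1]


def parse_config(text):
    cfg = {"ifaces": {}, "statics": [], "acls": {}, "groups": {}}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"]:
            cfg["ifaces"][t[2]] = ipaddress.ip_address(t[3])
        elif t[0] == "static":
            # static (real_if,mapped_if) [tcp|udp] {mapped|interface} [mport] real [rport] netmask M
            real_if, mapped_if = t[1].strip("()").split(",")
            rest = t[2:]
            proto = rest.pop(0) if rest[0] in ("tcp", "udp") else None
            mapped = ("interface", mapped_if) if rest[0] == "interface" else ("host", rest[0])
            rest.pop(0)
            mport = port(rest.pop(0)) if proto else None
            real = rest.pop(0)
            rport = port(rest.pop(0)) if proto else None
            cfg["statics"].append((mapped_if, proto, mapped, mport, real, rport))
        elif t[0] == "access-list":
            # access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]
            name, rest = t[1], t[2:]
            if rest[0] == "extended":
                rest.pop(0)
            action, proto = rest.pop(0), rest.pop(0)
            src, dst = take_addr(rest), take_addr(rest)
            dport = port(rest[1]) if rest[:1] == ["eq"] else None
            cfg["acls"].setdefault(name, []).append((action, proto, src, dst, dport))
        elif t[0] == "access-group":
            cfg["groups"][t[4]] = t[1]      # access-group NAME in interface IF
    return cfg


def inbound_allowed(cfg, proto, src_ip, dst_ip, dst_port, outside="outside"):
    """Return (allowed, reason). Both the ACL and the static must match, as the reply explains."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    acl_name = cfg["groups"].get(outside)
    if acl_name is None:
        return False, f"no access-group applied inbound on {outside}; lower-security traffic is dropped"
    for action, aproto, asrc, adst, dport in cfg["acls"].get(acl_name, []):
        if aproto not in ("ip", proto):
            continue
        if not (addr_matches(asrc, src, cfg) and addr_matches(adst, dst, cfg)):
            continue
        if dport is not None and dport != dst_port:
            continue
        if action == "deny":
            return False, f"{acl_name} explicitly denies the flow"
        break                            # first matching entry is a permit
    else:
        return False, f"{acl_name} has no permit for {proto} {src_ip} -> {dst_ip}:{dst_port} (implicit deny)"
    for mapped_if, sproto, mapped, mport, real, rport in cfg["statics"]:
        if mapped_if != outside or not addr_matches(mapped, dst, cfg):
            continue
        if sproto is None:               # whole-host static: every port translates
            return True, f"translated to {real}:{dst_port}"
        if sproto == proto and mport == dst_port:
            return True, f"translated to {real}:{rport}"
    return False, f"no static (inside,{outside}) translation covers {dst_ip}:{dst_port}"


# Constructed sample config (not the thread's): two port statics, one host static, one ACL.
SAMPLE_CONFIG = """
ip address outside 192.168.1.2 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
static (inside,outside) tcp interface www 192.168.2.20 www netmask 255.255.255.255
static (inside,outside) tcp 192.168.1.50 ftp-data 192.168.2.21 ftp-data netmask 255.255.255.255
static (inside,outside) 192.168.1.60 192.168.2.22 netmask 255.255.255.255
access-list OUTSIDE_TO_INSIDE permit tcp any interface outside eq www
access-list OUTSIDE_TO_INSIDE permit tcp any host 192.168.1.50 eq ftp-data
access-list OUTSIDE_TO_INSIDE permit tcp any host 192.168.1.70 eq www
access-group OUTSIDE_TO_INSIDE in interface outside
"""

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for flow in [("tcp", "203.0.113.9", "192.168.1.2", 80), ("tcp", "203.0.113.9", "192.168.1.60", 80),
                 ("tcp", "203.0.113.9", "192.168.1.70", 80), ("udp", "203.0.113.9", "192.168.1.2", 80)]:
        print(flow, "->", inbound_allowed(cfg, *flow))
```

Running it shows the two one-sided failure modes side by side: 192.168.1.60 has a static but no ACL entry (implicit deny), while 192.168.1.70 has an ACL entry but no static (nothing to translate to), and only the destinations with both are reported as reachable.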