PIX 501 Help....asap.

homeboarder8
Level 1

Ok so here is my config...

ip address outside 78.xxx.xxx.16 255.255.255.248

ip address inside 10.xxx.xxx.81 255.0.0.0

route outside 0.0.0.0 0.0.0.0 78.xxx.xxx.18

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

access-list inbound permit icmp any any

access-list inbound permit tcp any host 78.xxx.xxx.15 eq www

access-list inbound permit tcp any host 78.xxx.xxx.15 eq 53

access-list inbound permit udp any host 78.xxx.xxx.15 eq 53

access-group inbound in interface outside

static (inside,outside) 78.xxx.xxx.15 10.xxx.xxx.83 netmask 255.255.255.255 0 0

access-list inbound permit icmp any any

access-list inbound permit tcp any host 78.xxx.xxx.14 eq www

access-group inbound in interface outside

static (inside,outside) 78.xxx.xxx.14 10.xxx.xxx.15 netmask 255.255.255.255 0 0

Basically I have 2 servers running behind my PIX with the external IP addresses of 78.xxx.xxx.15 and 78.xxx.xxx.14. I can ping the inside interfaces but I cannot ping the outside interface of the PIX, let alone the gateway which is at 78.xxx.xxx.18. I need to have this up and running ASAP, so any suggestions would be great!

Thanks!

29 Replies

srue
Level 7

you can't ping the outside interface from the inside, and vice versa...

you need to add the following to permit icmp replies from the gw....

access-list inbound permit icmp any any echo-reply

or

access-list inbound permit icmp host 78.x.x.18 any echo-reply

you get the idea...

Thanks for the reply srue. I guess I should have elaborated a little further... I am not even able to access the internet; that is my main goal. Any advice?

Can you ping the gateway from the PIX?

shahkamrah
Level 1

From what I understand of the problem, it seems like you are trying to ping the outside interface from the inside, if I am understanding correctly...

By design you will not be able to ping the outside interface... and if you are trying to ping the outside interface from the outside world, then please check if it's getting denied by the ICMP command:

show ICMP

Let us know if you are able to ping the gateway IP address, and also let me know if you are trying to access the internet from these 2 servers only. But if you are trying to access it from other workstations, then you need to make use of the nat and global commands:

nat (inside) 1 0 0

global (outside) 1 interface

mightymouse2045
Level 1

Please post the full config of your firewall, then we can help easily.

Cheers,

MM

P.S. Don't forget to rate replies ;)

Here is the running config of the pix...

PIX Version 6.3(1)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list inbound permit icmp any any

access-list inbound permit tcp any host 78.xxx.xxx.15 eq www

access-list inbound permit tcp any host 78.xxx.xxx.15 eq domain

access-list inbound permit udp any host 78.xxx.xxx.15 eq domain

access-list inbound permit tcp any host 78.xxx.xxx.15 eq pptp

access-list inbound permit tcp any host 78.xxx.xxx.14 eq pptp

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 78.xxx.xxx.16 255.255.255.248

ip address inside 10.xxx.xxx.81 255.0.0.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 78.xxx.xxx.15

global (outside) 2 78.xxx.xxx.14

nat (inside) 1 10.xxx.xxx.83 255.255.255.255 0 0

nat (inside) 2 10.xxx.xxx.85 255.255.255.255 0 0

static (inside,outside) 78.xxx.xxx.15 10.xxx.xxx.83 netmask 255.255.255.255 0 0

static (inside,outside) 78.xxx.xxx.14 10.xxx.xxx.85 netmask 255.255.255.255 0 0

access-group inbound in interface outside

route outside 0.0.0.0 0.0.0.0 78.xxx.xxx.18 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

: end

It is just the two servers accessing the internet, and yes, I found that I can ping the gateway. I'm still stumped with this whole thing, so keep the help coming guys...

Thanks!

OK, you don't do a global and then a static NAT that way. All you need to define is a global for the other clients behind the gateway to the interface of your PIX, and then statics for the servers. Changes as follows:

Remove these:

global (outside) 1 78.xxx.xxx.15

global (outside) 2 78.xxx.xxx.14

nat (inside) 1 10.xxx.xxx.83 255.255.255.255 0 0

nat (inside) 2 10.xxx.xxx.85 255.255.255.255 0 0

static (inside,outside) 78.xxx.xxx.15 10.xxx.xxx.83 netmask 255.255.255.255 0 0

static (inside,outside) 78.xxx.xxx.14 10.xxx.xxx.85 netmask 255.255.255.255 0 0

Add this:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 255.0.0.0 0 0

static (inside,outside) 78.xxx.xxx.15 10.xxx.xxx.83 netmask 255.255.255.255 0 0

static (inside,outside) 78.xxx.xxx.14 10.xxx.xxx.85 netmask 255.255.255.255 0 0

Also create an access list for outbound access and put deny ip any any log at the end of both lists for monitoring purposes etc.

Cheers,

MM

sorry that nat (inside) command should read:

nat (inside) 1 10.0.0.0 255.0.0.0 0 0
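The two points MM makes above (a global pool address must not also be a static's mapped address, and a /32 nat entry for a host that already has a static is shadowed because statics take precedence), together with srue's and MM's advice to restrict `permit icmp any any` to specific replies such as echo-reply, can be turned into a mechanical check. The script below is an added example written for this thread; it is not Cisco software and not something any poster ran. It parses the PIX 6.3-style `global`, `nat`, `static` and ICMP `access-list` lines from a config dump and reports the conflicts. The addresses are constructed stand-ins (203.0.113.x for the masked 78.xxx.xxx.x block, 10.0.0.x for the inside hosts), and the two embedded configs reproduce the original posting and MM's corrected layout.

```python
"""Constructed linter for PIX 6.3-style nat/global/static/access-list lines.

Hypothetical tool written for this thread; it is not Cisco software. Addresses
are TEST-NET-3 / RFC 1918 stand-ins for the masked 78.xxx / 10.xxx ones.
"""
import re

GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ICMP_RE = re.compile(r"^access-list (\S+) permit icmp (.+)$")
HOST_MASK = "255.255.255.255"

# Constructed: the NAT section as originally posted (addresses substituted).
ORIGINAL_CFG = """\
access-list inbound permit icmp any any
access-list inbound permit tcp any host 203.0.113.15 eq www
global (outside) 1 203.0.113.15
global (outside) 2 203.0.113.14
nat (inside) 1 10.0.0.83 255.255.255.255 0 0
nat (inside) 2 10.0.0.85 255.255.255.255 0 0
static (inside,outside) 203.0.113.15 10.0.0.83 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.14 10.0.0.85 netmask 255.255.255.255 0 0
snmp-server community public
"""

# Constructed: MM's corrected layout plus srue's narrowed ICMP rule.
CORRECTED_CFG = """\
access-list inbound permit icmp host 203.0.113.18 any echo-reply
access-list inbound permit tcp any host 203.0.113.15 eq www
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (inside,outside) 203.0.113.15 10.0.0.83 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.14 10.0.0.85 netmask 255.255.255.255 0 0
"""


def lint_pix_nat(config_text):
    """Return a list of (severity, message) findings for the NAT and ICMP lines."""
    globals_by_id, nats_by_id, statics, findings = {}, {}, [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := GLOBAL_RE.match(line):
            globals_by_id.setdefault(int(m.group(2)), []).append(m.group(3))
        elif m := NAT_RE.match(line):
            nats_by_id.setdefault(int(m.group(2)), []).append((m.group(3), m.group(4)))
        elif m := STATIC_RE.match(line):
            statics.append((m.group(3), m.group(4)))  # (mapped/outside, real/inside)
        elif m := ICMP_RE.match(line):
            # An ICMP type (echo-reply, unreachable, ...) is present only when the
            # last token is a word other than "any"; a mask or "any" means the whole
            # ICMP family is open in that direction.
            last = m.group(2).split()[-1]
            if last == "any" or not last.replace("-", "").isalpha():
                findings.append(("warn", f"access-list {m.group(1)}: permit icmp with no "
                                         "ICMP type; restrict to echo-reply/unreachable/time-exceeded"))
        elif line == "snmp-server community public":
            findings.append(("warn", "snmp-server community 'public' is the well-known default"))

    mapped_to_real = dict(statics)
    reals_with_static = {real for _, real in statics}

    # 1. Every nat id needs a global on the other interface, and vice versa.
    for nid in sorted(nats_by_id.keys() - globals_by_id.keys()):
        findings.append(("error", f"nat id {nid} has no matching global"))
    for gid in sorted(globals_by_id.keys() - nats_by_id.keys()):
        findings.append(("error", f"global id {gid} has no matching nat"))

    # 2. A global pool address that is also a static's mapped address is the
    #    "global and then a static" mistake MM points out.
    for gid, addrs in globals_by_id.items():
        for addr in addrs:
            if addr in mapped_to_real:
                findings.append(("error", f"global id {gid} pool {addr} is also the static "
                                          f"mapped address for {mapped_to_real[addr]}"))

    # 3. A /32 nat entry for a host that already has a static is redundant:
    #    static translations take precedence over nat/global on the PIX.
    for nid, entries in nats_by_id.items():
        for real, mask in entries:
            if mask == HOST_MASK and real in reals_with_static:
                findings.append(("info", f"nat id {nid} host entry {real} is shadowed by its static"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CFG), ("corrected", CORRECTED_CFG)):
        print(f"== {label}: {len(lint_pix_nat(cfg))} finding(s)")
        for severity, message in lint_pix_nat(cfg):
            print(f"  [{severity}] {message}")
```

Run against the original posting it reports the two global/static collisions, the two shadowed host nat entries, the open `permit icmp any any`, and the default SNMP community that is also visible in the full config above; MM's corrected layout produces no findings. The regexes only recognise the PIX 6.3 one-line syntax shown in this thread, so a config using `nat (inside) 0 access-list` exemptions or policy statics would need additional patterns.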

mightymouse2045, thanks for the quick response.

Okay so I changed the config, but now I'm beginning to think I have something wrong with the internal IP addresses. I should have been more clear about what I said before... I can ping the gateway from the PIX, but not from the server. I'm thinking it has something to do with the netmask: my internal is 255.0.0.0 and my external is 255.255.255.248. Although I thought that NAT was supposed to take care of that?

Thanks!

If this helps clarify things:

Gateway - 78.xxx.xxx.18

PIX internal - 10.xxx.xxx.81

PIX external - 78.xxx.xxx.16

Server 1 internal - 10.xxx.xxx.83

Server 2 internal - 10.xxx.xxx.85

Server 1 external - 78.xxx.xxx.15

Server 2 external - 78.xxx.xxx.14

Thanks!

By default pings are not allowed through PIXes, so you have to enable that by adding a permit ICMP into your access lists.

So add this into your inbound/outbound access lists:

access-list name permit icmp any any

Once you've added these in, try and ping and let me know how you go. Also, to restrict the ping on the outside interface you should only really add in specific ping responses like echo-reply, time-out etc.; do a help on the command for possible responses.

Okay, I just added those access-lists and I am still not able to ping the gateway. But this time I do get a 'Request timed out' as a response...

OK, can you try pinging www.google.com and see if you can resolve it and ping it? If yes, then you know you're working.

If not, I'll have another browse through your config. Can you post the updated config again too?
