08-06-2007 04:11 PM - edited 03-11-2019 03:54 AM
Ok so here is my config...
ip address outside 78.xxx.xxx.16 255.255.255.248
ip address inside 10.xxx.xxx.81 255.0.0.0
route outside 0.0.0.0 0.0.0.0 78.xxx.xxx.18
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inbound permit icmp any any
access-list inbound permit tcp any host 78.xxx.xxx.15 eq www
access-list inbound permit tcp any host 78.xxx.xxx.15 eq 53
access-list inbound permit udp any host 78.xxx.xxx.15 eq 53
access-group inbound in interface outside
static (inside,outside) 78.xxx.xxx.15 10.xxx.xxx.83 netmask 255.255.255.255 0 0
access-list inbound permit icmp any any
access-list inbound permit tcp any host 78.xxx.xxx.14 eq www
access-group inbound in interface outside
static (inside,outside) 78.xxx.xxx.14 10.xxx.xxx.15 netmask 255.255.255.255 0 0
Basically I have 2 servers running behind my PIX with the external IP addresses of 78.xxx.xxx.15 and 78.xxx.xxx.14. I can ping the inside interfaces but I can not ping the outside interface of the PIX, let alone the gateway which is at 78.xxx.xxx.18. I need to have this up and running ASAP, so any suggestions would be great!
Thanks!
08-06-2007 07:09 PM
you can't ping the outside interface from the inside, and vice versa...
you need to add the following to permit icmp replies from the gw....
access-list inbound permit icmp any any echo-reply
or
access-list inbound permit icmp host 78.x.x.18 any echo-reply
you get the idea...
08-07-2007 08:37 AM
Thanks for the reply srue. I guess I should have elaborated a little further... I am not even able to access the internet, that is my main goal. Any advice?
08-07-2007 09:07 AM
Can you ping the gateway from the pix?
08-07-2007 09:23 AM
From what I understand of the problem, it seems like you are trying to ping the outside interface from the inside, if I am understanding correctly...
By design you will not be able to ping the outside interface, and if you are trying to ping the outside interface from the outside world then please check if it's getting denied by the icmp command:
show icmp
08-07-2007 09:27 AM
Let us know if you are able to ping the gateway IP address, and also let me know if you are trying to access the internet from these 2 servers only. But if you are trying to access it from other workstations then you need to make use of the nat and global commands:
nat (inside) 1 0 0
global (outside) 1 interface
08-07-2007 09:35 AM
Please post the full config of your firewall then we can help easily
Cheers,
MM
P.S. Don't forget to rate replies ;)
08-07-2007 01:47 PM
Here is the running config of the pix...
PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inbound permit icmp any any
access-list inbound permit tcp any host 78.xxx.xxx.15 eq www
access-list inbound permit tcp any host 78.xxx.xxx.15 eq domain
access-list inbound permit udp any host 78.xxx.xxx.15 eq domain
access-list inbound permit tcp any host 78.xxx.xxx.15 eq pptp
access-list inbound permit tcp any host 78.xxx.xxx.14 eq pptp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 78.xxx.xxx.16 255.255.255.248
ip address inside 10.xxx.xxx.81 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 78.xxx.xxx.15
global (outside) 2 78.xxx.xxx.14
nat (inside) 1 10.xxx.xxx.83 255.255.255.255 0 0
nat (inside) 2 10.xxx.xxx.85 255.255.255.255 0 0
static (inside,outside) 78.xxx.xxx.15 10.xxx.xxx.83 netmask 255.255.255.255 0 0
static (inside,outside) 78.xxx.xxx.14 10.xxx.xxx.85 netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 78.xxx.xxx.18 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
It is just the two servers accessing the internet, and yes, I found that I can ping the gateway. I'm still stumped with this whole thing, so keep the help coming, guys...
Thanks!
08-07-2007 02:03 PM
OK, you don't do a global and then a static NAT that way. All you need to define is a global for the other clients behind the gateway to the interface of your PIX, and then statics for the servers. Changes as follows:
Remove these:
global (outside) 1 78.xxx.xxx.15
global (outside) 2 78.xxx.xxx.14
nat (inside) 1 10.xxx.xxx.83 255.255.255.255 0 0
nat (inside) 2 10.xxx.xxx.85 255.255.255.255 0 0
static (inside,outside) 78.xxx.xxx.15 10.xxx.xxx.83 netmask 255.255.255.255 0 0
static (inside,outside) 78.xxx.xxx.14 10.xxx.xxx.85 netmask 255.255.255.255 0 0
Add this:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 255.0.0.0 0 0
static (inside,outside) 78.xxx.xxx.15 10.xxx.xxx.83 netmask 255.255.255.255 0 0
static (inside,outside) 78.xxx.xxx.14 10.xxx.xxx.85 netmask 255.255.255.255 0 0
Also create an access list for outbound access and put deny ip any any log at the end of both lists for monitoring purposes etc.
Cheers,
MM
08-07-2007 02:04 PM
Sorry, that nat (inside) command should read:
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
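The reasoning in the two replies above (a static already translates the server, so a global pool reusing the same mapped address and a /32 nat for the same host are wrong; the nat must actually cover the inside subnet) can be checked mechanically. The following is an added example, not code from the thread: a small linter for PIX 6.3 outbound NAT lines that resolves which outside address an inside host gets and flags those patterns. The masked octets from the thread are filled in as 78.0.0.x and 10.0.0.x (constructed values); with those values it also notes that .14 and .15 fall outside the /29 that contains the PIX's .16, which may or may not be true of the real addresses. Longest-prefix matching between overlapping nat statements and the wording of the findings are this example's own assumptions.

```python
"""Added example (not from the thread): linter for PIX 6.3 outbound NAT policy."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Constructed stand-in for the posted config (masked octets set to 0).
BEFORE = """\
ip address outside 78.0.0.16 255.255.255.248
ip address inside 10.0.0.81 255.0.0.0
global (outside) 1 78.0.0.15
global (outside) 2 78.0.0.14
nat (inside) 1 10.0.0.83 255.255.255.255 0 0
nat (inside) 2 10.0.0.85 255.255.255.255 0 0
static (inside,outside) 78.0.0.15 10.0.0.83 netmask 255.255.255.255 0 0
static (inside,outside) 78.0.0.14 10.0.0.85 netmask 255.255.255.255 0 0
"""

# The same config after the replacement suggested above (with the corrected nat line).
AFTER = """\
ip address outside 78.0.0.16 255.255.255.248
ip address inside 10.0.0.81 255.0.0.0
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (inside,outside) 78.0.0.15 10.0.0.83 netmask 255.255.255.255 0 0
static (inside,outside) 78.0.0.14 10.0.0.85 netmask 255.255.255.255 0 0
"""


def _net(addr: str, mask: str) -> Net:
    # PIX accepts "0 0" as shorthand for 0.0.0.0 0.0.0.0
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    return Net(f"{addr}/{mask}", strict=False)


@dataclass
class NatPolicy:
    outside_addr: IPv4 | None = None
    outside_net: Net | None = None
    inside_net: Net | None = None
    globals_: dict[int, list[str]] = field(default_factory=dict)  # nat id -> pool entries
    nats: list[tuple[int, Net]] = field(default_factory=list)      # (nat id, real network)
    statics: dict[IPv4, IPv4] = field(default_factory=dict)        # real -> mapped


def parse_pix(config: str) -> NatPolicy:
    """Pull the lines that decide outbound translation out of a PIX 6.3 config."""
    p = NatPolicy()
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0].startswith(":"):          # ": end" style comment lines
            continue
        if t[:3] == ["ip", "address", "outside"]:
            p.outside_addr, p.outside_net = IPv4(t[3]), _net(t[3], t[4])
        elif t[:3] == ["ip", "address", "inside"]:
            p.inside_net = _net(t[3], t[4])
        elif t[:2] == ["global", "(outside)"]:
            p.globals_.setdefault(int(t[2]), []).append(t[3])
        elif t[:2] == ["nat", "(inside)"]:
            p.nats.append((int(t[2]), _net(t[3], t[4])))
        elif t[:2] == ["static", "(inside,outside)"]:
            p.statics[IPv4(t[3])] = IPv4(t[2])    # syntax: static (real,mapped) mapped_ip real_ip
    return p


def translate(p: NatPolicy, host: str) -> str:
    """Outside address an inside host's outbound traffic gets, or why it is dropped."""
    h = IPv4(host)
    if h in p.statics:                             # a static always wins over nat/global
        return str(p.statics[h])
    hits = [n for n in p.nats if h in n[1]]
    if not hits:
        return "DROP: no nat statement matches (PIX 6.x requires a translation)"
    nat_id = max(hits, key=lambda n: n[1].prefixlen)[0]   # assumed: most specific nat wins
    pool = p.globals_.get(nat_id)
    if not pool:
        return f"DROP: nat (inside) {nat_id} has no global (outside) {nat_id}"
    # 'interface' or a single global address both mean PAT; address ranges are not modelled here
    addr = p.outside_addr if pool[0] == "interface" else pool[0]
    return f"{addr} (PAT)"


def lint(p: NatPolicy) -> list[str]:
    """Flag the patterns the replies call out, plus the subnet check a practitioner would run."""
    if p.outside_net is None:
        return ["no 'ip address outside' line found"]
    issues: list[str] = []
    mapped = {str(m) for m in p.statics.values()}
    for nat_id, pool in p.globals_.items():
        for entry in pool:
            if entry in mapped:
                issues.append(f"global (outside) {nat_id} {entry} reuses a static's mapped address; remove it")
            elif entry != "interface" and IPv4(entry) not in p.outside_net:
                issues.append(f"global (outside) {nat_id} {entry} is off the outside subnet {p.outside_net}")
    for nat_id, net in p.nats:
        if nat_id not in p.globals_:
            issues.append(f"nat (inside) {nat_id} has no matching global (outside) {nat_id}")
        if net.prefixlen == 32 and net.network_address in p.statics:
            issues.append(f"nat (inside) {nat_id} {net.network_address} is redundant: that host already has a static")
        if p.inside_net is not None and not net.overlaps(p.inside_net):
            issues.append(f"nat (inside) {nat_id} {net} matches nothing on the inside subnet {p.inside_net}")
    for real, m in p.statics.items():
        if m not in p.outside_net:
            issues.append(f"static {m} -> {real}: {m} is off the outside subnet {p.outside_net}, so the PIX "
                          f"will not proxy-ARP for it; the upstream gateway needs a route for it via {p.outside_addr}")
    return issues


if __name__ == "__main__":
    for name, cfg in (("posted", BEFORE), ("corrected", AFTER)):
        pol = parse_pix(cfg)
        print(f"[{name}] 10.0.0.83 -> {translate(pol, '10.0.0.83')}; 10.0.0.90 -> {translate(pol, '10.0.0.90')}")
        for issue in lint(pol):
            print("  -", issue)
```

Running it shows why the posted config broke outbound access for anything that is not one of the two servers (no nat statement matches, so the PIX drops it) and why the first draft of the fix with 0.0.0.0 255.0.0.0 would still match nothing on a 10.0.0.0/8 inside network. The off-subnet finding is the caveat worth checking against the real addresses: a static whose mapped address is not in the outside interface's subnet only works if the upstream gateway has a route for it.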
08-07-2007 02:17 PM
mightymouse2045, thanks for the quick response.
Okay, so I changed the config, but now I'm beginning to think I have something with the internal IP addresses wrong. I should have been more clear about what I said before... I can ping the gateway from the PIX, but not from the server. I'm thinking it has something to do with the netmask; my internal is 255.0.0.0 and my external is 255.255.255.248. Although I thought that NAT was supposed to take care of that?
Thanks!
08-07-2007 02:25 PM
If this helps clarify things:
Gateway - 78.xxx.xxx.18
PIX internal - 10.xxx.xxx.81
PIX external - 78.xxx.xxx.16
Server 1 internal - 10.xxx.xxx.83
Server 2 internal - 10.xxx.xxx.85
Server 1 external - 78.xxx.xxx.15
Server 2 external - 78.xxx.xxx.14
Thanks!
08-07-2007 02:31 PM
By default pings are not allowed through PIXs, so you have to enable that by adding permit icmp into your access lists:
So add this into your inbound/outbound access lists:
access-list name permit icmp any any
Once you've added these in, try and ping and let me know how you go. Also, to restrict the ping on the outside interface you should only really add in specific ping responses like echo-reply, time-out etc.; do a help on the command for possible responses.
08-07-2007 02:34 PM
Okay, I just added those access-lists and I am still not able to ping the gateway. But this time I do get a 'Request timed out' as a response...
08-07-2007 02:37 PM
OK, can you try pinging www.google.com and see if you can resolve it and ping it? If yes, then you know you're working.
If not, I'll have another browse through your config. Can you post the updated config again too?