I'm learning how to configure a PIX 501. The boss said, "You can do this, right?" "I guess," I said, and he said, "Good, please make it work."
Well, I found an example:
that has most of what I need, but I can only get small things to work.
Currently I have two hosts on the inside network, a Linux workstation at IP 1.220 and a Linux web server at 1.4.
I have a Windows PC which I can use to test the connections on the inside network or the outside.
When the PC is on the inside at 1.66, I can get to the web server. I see in the server logs the request from the PC and the responses from the server, and I see the page in my browser.
When I move the PC to the outside network at 10.2.1.201, I see the PIX NAT the destination address of the web server from 10.1.1.3 to 192.168.1.4 as expected, but the web server never gets the request.
I can ping the router at 10.1.1.1 and the PIX at 10.1.1.2 from the outside, but no farther inside.
The only changes I have made to the example were to enable all ICMP traffic and change the telnet host to 1.220:
pixfirewall(config)# sho icmp
icmp permit any outside
icmp permit any inside
pixfirewall(config)# sho telnet
192.168.1.254 255.255.255.255 inside
192.168.1.220 255.255.255.255 inside
From the PIX logs:
Feb 20 10:01:25 192.168.1.1 %PIX-6-302013: Built inbound TCP connection 11 for outside:10.2.1.201/3897 (10.2.1.201/3897) to inside:192.168.1.4/80 (10.1.1.3/80)
Feb 20 10:03:26 192.168.1.1 %PIX-6-302014: Teardown TCP connection 11 for outside:10.2.1.201/3897 to inside:192.168.1.4/80 duration 0:02:01 bytes 0 SYN Timeout
So I have three questions:
1. Is anyone aware of a bug or typo in the example I used above?
2. Can someone direct me to a manual on how to configure the logging to show what is happening to my packets? NATs, routes used, etc.
3. How can I turn my PIX into an expensive router, i.e. turn off all the firewall stuff and let everything through from inside to outside and back?
Thanks in advance for any help,
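As an added example (not part of the original post, and not Cisco's own tooling), the two PIX log lines quoted above can be read programmatically. The script below correlates %PIX-6-302013 ("Built") and %PIX-6-302014 ("Teardown") messages by connection id, pulls the real and mapped addresses out of the Built line so the NAT translation is visible, and classifies each flow from the teardown reason and byte count. Connection 11 is the pair from the post; connection 12 is a constructed healthy outbound flow added for contrast, and the field names and the `diagnose`/`explain` helpers are this example's own.

```python
"""Correlate PIX 302013/302014 syslog pairs to see what happened to each TCP flow."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# 302013 format: Built {inbound|outbound} TCP connection <id> for
#   <if>:<real-addr>/<real-port> (<mapped-addr>/<mapped-port>) to <if>:<real>/<port> (<mapped>/<port>)
BUILT_RE = re.compile(
    r"%PIX-6-302013: Built (?P<direction>inbound|outbound) TCP connection (?P<cid>\d+) "
    r"for (?P<src_if>\w+):(?P<src_real>[\d.]+)/(?P<src_port>\d+) "
    r"\((?P<src_mapped>[\d.]+)/\d+\) "
    r"to (?P<dst_if>\w+):(?P<dst_real>[\d.]+)/(?P<dst_port>\d+) "
    r"\((?P<dst_mapped>[\d.]+)/\d+\)"
)
# 302014 format: Teardown TCP connection <id> for ... duration <h:mm:ss> bytes <n> <reason>
TEARDOWN_RE = re.compile(
    r"%PIX-6-302014: Teardown TCP connection (?P<cid>\d+) for .*? "
    r"duration (?P<duration>[\d:]+) bytes (?P<nbytes>\d+)(?: (?P<reason>.+))?$"
)

# Constructed sample: lines 1-2 are the pair quoted in the post, lines 3-4 are a
# made-up healthy outbound connection from the 1.220 workstation for contrast.
SAMPLE_LOG = """\
Feb 20 10:01:25 192.168.1.1 %PIX-6-302013: Built inbound TCP connection 11 for outside:10.2.1.201/3897 (10.2.1.201/3897) to inside:192.168.1.4/80 (10.1.1.3/80)
Feb 20 10:03:26 192.168.1.1 %PIX-6-302014: Teardown TCP connection 11 for outside:10.2.1.201/3897 to inside:192.168.1.4/80 duration 0:02:01 bytes 0 SYN Timeout
Feb 20 10:05:02 192.168.1.1 %PIX-6-302013: Built outbound TCP connection 12 for inside:192.168.1.220/1025 (10.1.1.2/1025) to outside:10.2.1.201/80 (10.2.1.201/80)
Feb 20 10:05:07 192.168.1.1 %PIX-6-302014: Teardown TCP connection 12 for inside:192.168.1.220/1025 to outside:10.2.1.201/80 duration 0:00:05 bytes 1843 TCP FINs
"""


@dataclass
class Conn:
    cid: int
    direction: str
    src_if: str
    src_real: str      # address on the wire on the source interface
    src_mapped: str    # address the PIX presents on the far side
    src_port: int
    dst_if: str
    dst_real: str      # address the packet is delivered to after un-NAT
    dst_mapped: str    # address the client actually sent to
    dst_port: int
    duration: Optional[str] = None
    nbytes: Optional[int] = None
    reason: Optional[str] = None


def parse_pix_log(lines: Iterable[str]) -> Dict[int, Conn]:
    """Build a table of connections keyed by the PIX connection id."""
    conns: Dict[int, Conn] = {}
    for line in lines:
        line = line.strip()
        m = BUILT_RE.search(line)
        if m:
            cid = int(m["cid"])
            conns[cid] = Conn(cid, m["direction"],
                              m["src_if"], m["src_real"], m["src_mapped"], int(m["src_port"]),
                              m["dst_if"], m["dst_real"], m["dst_mapped"], int(m["dst_port"]))
            continue
        m = TEARDOWN_RE.search(line)
        if m and int(m["cid"]) in conns:   # teardowns without a seen Built line are ignored
            c = conns[int(m["cid"])]
            c.duration, c.nbytes, c.reason = m["duration"], int(m["nbytes"]), m["reason"]
    return conns


def diagnose(c: Conn) -> str:
    """'open' (no teardown seen), 'half-open' (SYN forwarded, no reply), or 'completed'."""
    if c.nbytes is None:
        return "open"
    if c.nbytes == 0 and c.reason and "SYN Timeout" in c.reason:
        return "half-open"
    return "completed"


def explain(c: Conn) -> str:
    """One human-readable line per connection, including the NAT the PIX applied."""
    src_nat = f"{c.src_real}->{c.src_mapped}" if c.src_real != c.src_mapped else "none"
    dst_nat = f"{c.dst_mapped}->{c.dst_real}" if c.dst_real != c.dst_mapped else "none"
    base = (f"conn {c.cid} {c.direction} {c.src_if}:{c.src_real}:{c.src_port} -> "
            f"{c.dst_if}:{c.dst_real}:{c.dst_port} [src NAT {src_nat}, dst NAT {dst_nat}]")
    verdict = diagnose(c)
    if verdict == "half-open":
        return (f"{base}: SYN was translated and forwarded but no SYN/ACK came back "
                f"within {c.duration}; the reply path from {c.dst_real} to {c.src_real} "
                f"through the {c.dst_if} interface is the first thing to check")
    return f"{base}: {verdict} ({c.nbytes} bytes, {c.reason or 'no reason'})"


if __name__ == "__main__":
    for conn in parse_pix_log(SAMPLE_LOG.splitlines()).values():
        print(explain(conn))
```

A Built line followed by a Teardown with `bytes 0 SYN Timeout` tells you the PIX accepted the SYN, translated 10.1.1.3 to 192.168.1.4 and sent it inside, then waited the SYN timeout without seeing a reply; it cannot tell you whether the server dropped the packet, answered to a gateway other than the PIX, or never received it at all. Where the log shows the flow was built, the next evidence usually has to come from the inside host itself, such as a packet capture on the web server and a look at its default route.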