05-12-2009 11:28 AM
Hi all. I have my PIX 515 giving out IP addresses in the range of 192.168.200.0/24.
We use the Windows PPTP configuration. The PC clients connect fine and can communicate with internal servers. The problem is that they cannot communicate with each other. Ping tests fail and don't increment an access list.
Here are my existing access lists that reference the 192.168.200.0 subnet.
access-list nonat line 1 permit ip 192.168.200.0 255.255.255.0 192.168.200.0 255.255.255.0 (hitcnt=780)
access-list nonat line 2 permit ip 172.17.0.0 255.255.0.0 192.168.200.0 255.255.255.0 (hitcnt=936492)
access-list nonat line 3 permit ip 172.16.0.0 255.255.0.0 192.168.200.0 255.255.255.0 (hitcnt=1462)
access-list 80 line 1 permit ip 172.17.0.0 255.255.0.0 192.168.200.0 255.255.255.0 (hitcnt=0)
access-list 80 line 2 permit ip 172.16.0.0 255.255.0.0 192.168.200.0 255.255.255.0 (hitcnt=0)
access-list 200 line 53 permit ip 192.168.200.0 255.255.255.0 any (hitcnt=0)
access-list 200 line 54 permit tcp 192.168.200.0 255.255.255.0 any (hitcnt=0)
access-list 200 line 55 permit udp 192.168.200.0 255.255.255.0 any (hitcnt=0)
access-list 90 line 1 permit ip 172.17.0.0 255.255.0.0 192.168.200.0 255.255.255.0 (hitcnt=0)
The nonat access-list is applied on my private IP on the PIX.
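The poster's troubleshooting step is to check whether the client-to-client pings ever hit an access-list entry. The following is an added example (not from the original post or from Cisco) that parses `show access-list` lines of the shape shown above, reports which entry a given flow would match first, and lists entries whose hit count is still zero. It assumes the line format `access-list <name> line <n> permit|deny <proto> <src> <dst> (hitcnt=<n>)` with `any`, `host <ip>` or `<ip> <mask>` endpoints; port qualifiers are not modelled, and the sample output is constructed from the post's own entries.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the shape of the PIX "show access-list" output in the post.
SAMPLE_OUTPUT = """\
access-list nonat line 1 permit ip 192.168.200.0 255.255.255.0 192.168.200.0 255.255.255.0 (hitcnt=780)
access-list nonat line 2 permit ip 172.17.0.0 255.255.0.0 192.168.200.0 255.255.255.0 (hitcnt=936492)
access-list 200 line 53 permit ip 192.168.200.0 255.255.255.0 any (hitcnt=0)
access-list 200 line 54 permit tcp 192.168.200.0 255.255.255.0 any (hitcnt=0)
"""

# One access control entry (ACE); ports are deliberately not modelled here.
LINE_RE = re.compile(
    r"^access-list (\S+) line (\d+) (permit|deny) (\S+) (.+?) \(hitcnt=(\d+)\)$"
)


@dataclass
class AclEntry:
    name: str
    line: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    hitcnt: int

    def matches(self, proto, src_ip, dst_ip):
        """True if this ACE covers the flow; 'ip' covers every protocol."""
        proto_ok = self.proto == "ip" or self.proto == proto
        return (
            proto_ok
            and ipaddress.IPv4Address(src_ip) in self.src
            and ipaddress.IPv4Address(dst_ip) in self.dst
        )


def _read_endpoint(tokens, i):
    """Consume one endpoint (any | host <ip> | <ip> <mask>) starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # (address, netmask) tuple form is accepted by ipaddress
    return ipaddress.IPv4Network((tok, tokens[i + 1])), i + 2


def parse_access_list(text):
    """Parse ACE lines; anything that is not an ACE line (remarks, headers) is skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        name, line, action, proto, rest, hitcnt = m.groups()
        tokens = rest.split()
        src, i = _read_endpoint(tokens, 0)
        dst, _ = _read_endpoint(tokens, i)
        entries.append(AclEntry(name, int(line), action, proto, src, dst, int(hitcnt)))
    return entries


def first_match(entries, acl_name, proto, src_ip, dst_ip):
    """First ACE of acl_name, in line order, that the flow would hit; None if no entry covers it."""
    candidates = sorted((e for e in entries if e.name == acl_name), key=lambda e: e.line)
    for e in candidates:
        if e.matches(proto, src_ip, dst_ip):
            return e
    return None


def zero_hit_entries(entries, acl_name):
    """Entries of acl_name that have never been hit: traffic is not reaching them."""
    return [e for e in entries if e.name == acl_name and e.hitcnt == 0]


if __name__ == "__main__":
    acl = parse_access_list(SAMPLE_OUTPUT)
    hit = first_match(acl, "nonat", "icmp", "192.168.200.5", "192.168.200.9")
    print("client-to-client ping would match nonat line", hit.line if hit else None)
    for e in zero_hit_entries(acl, "200"):
        print(f"access-list 200 line {e.line} ({e.proto}) has hitcnt=0")
```

Run the block before and after a test ping and compare the hit counts of the entry `first_match` reports: if the matching entry stays at zero, the traffic is being dropped before the access-list is consulted, which is the symptom described in the post.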
05-12-2009 11:35 AM
Inbound ICMP through a PIX is denied by default; outbound ICMP is permitted, but the incoming reply is denied by default.
To work around this (if you really want to), take a look at this article:
05-14-2009 06:38 AM
I can do without the ping. What about allowing the VPN group 192.168.200 to communicate with other subnets?