Configure PIX515e with No NAT

Answered Question
Jul 26th, 2010

Hi,

I’m trying to configure a basic PIX firewall configuration with No NAT. The problems are:

I cannot ping from the inside network (192.168.1.0/24) to the outside interface (10.10.10.10) or to the device on the outside network (10.10.10.0/24).

I cannot ping from the dmz network (10.1.1.0/24) to the outside interface (10.10.10.10) or to the device on the outside network (10.10.10.0/24).

The dmz network and inside network can ping each other just fine. Connections between dmz and inside work.

Please help me figure out what is wrong with my configuration. It looks like I can’t make a connection from higher security to lower security interface. I thought that by default the connections from inside to outside and dmz to outside are permitted.

Thanks,

Vu

Below is my sample:

Cisco PIX version 6.3(4)

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10

ip address outside 10.10.10.10 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 10.1.1.1 255.255.255.0

route outside 0.0.0.0 0.0.0.0 10.10.10.20

access-list NO_NAT permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list NO_NAT permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list NO_NAT_DMZ permit ip 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0

nat (inside) 0 access-list NO_NAT
nat (dmz) 0 access-list NO_NAT_DMZ

access-list DMZ permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ permit tcp any host 10.1.1.10 eq domain
access-list DMZ permit tcp any host 10.1.1.20 eq www

access-list OUTSIDE permit icmp any any
access-list OUTSIDE permit tcp any host 192.168.1.20 eq smtp
access-list OUTSIDE permit tcp any host 192.168.1.30 eq www
access-list OUTSIDE permit tcp any host 192.168.1.40 eq 3389

access-group DMZ in interface dmz
access-group OUTSIDE in interface outside
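To see why the two symptoms differ, it helps to evaluate a flow against the inbound ACL of the interface it enters, the way the PIX does: an interface with no access-group passes higher-to-lower traffic, while an interface with an access-group ends in an implicit deny. The small evaluator below is an added example, not part of the original post or of Cisco's software; it parses the access-list and access-group lines from the configuration above (with the constructed sample hosts 10.1.1.5, 192.168.1.5 and 10.10.10.20) and assumes every flow it checks originates on the named interface.

```python
import ipaddress

# Service names used in the posted config; "eq 3389" is already numeric.
PORTS = {"domain": 53, "www": 80, "smtp": 25}

def _parse_addr(tokens):
    """Consume one PIX address spec (any | host A | NET MASK); return (network, remaining)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_config(text):
    """Collect ACL entries and interface bindings from access-list / access-group lines."""
    acls, groups = {}, {}
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 6 and t[0] == "access-list" and t[2] in ("permit", "deny"):
            src, rest = _parse_addr(t[4:])
            dst, rest = _parse_addr(rest)
            port = int(PORTS.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
            acls.setdefault(t[1], []).append((t[2], t[3], src, dst, port))
        elif len(t) >= 5 and t[0] == "access-group":   # access-group NAME in interface IFACE
            groups[t[4]] = t[1]
    return acls, groups

def is_permitted(acls, groups, iface, proto, src_ip, dst_ip, dport=None):
    """First matching entry wins; an applied ACL with no match is an implicit deny.
    With no ACL applied, higher-to-lower traffic (inside -> outside here) is allowed."""
    name = groups.get(iface)
    if name is None:
        return True
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rproto, rsrc, rdst, rport in acls.get(name, []):
        if rproto in ("ip", proto) and src in rsrc and dst in rdst \
                and (rport is None or rport == dport):
            return action == "permit"
    return False

# Constructed excerpt of the configuration posted in the question.
CONFIG = """
access-list DMZ permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ permit tcp any host 10.1.1.10 eq domain
access-list DMZ permit tcp any host 10.1.1.20 eq www
access-list OUTSIDE permit icmp any any
access-list OUTSIDE permit tcp any host 192.168.1.20 eq smtp
access-group DMZ in interface dmz
access-group OUTSIDE in interface outside
"""
ACLS, GROUPS = parse_config(CONFIG)
```

Checking an ICMP echo from 10.1.1.5 entering dmz towards 10.10.10.20 returns False, because the DMZ access-group only permits traffic to 192.168.1.0/24, whereas the same echo from the inside (no access-group) returns True.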

Correct Answer by August Ritchie about 7 years 15 hours ago

First off, you shouldn't be able to ping 10.10.10.10 from the inside as it belongs to another interface on the ASA, and the way that the ASA works doesn't allow pings to any interface you are not behind.


So let's go ahead and start off with some captures.

access-list capture permit icmp any host <10.10.10.X>
access-list capture permit icmp host <10.10.10.X> any

capture capout access-list capture interface outside
capture capin access-list capture interface inside

Then get the contents of

show run access-list capture
show cap capin
show cap capout
