Configure PIX515e with No NAT

vunguyen4245
Level 1

Hi,

I’m trying to configure a basic PIX firewall configuration with No NAT. The problems are:

I cannot ping from the inside network 192.168.1.0/24 to the outside interface 10.10.10.10 or to the device on the outside network 10.10.10.0/24.

I cannot ping from the dmz network 10.1.1.0/24 to the outside interface 10.10.10.10 or to the device on the outside network 10.10.10.0/24.

The dmz network and inside network can ping each other just fine. Connections between dmz and inside work.

Please help me figure out what is wrong with my configuration. It looks like I can't make a connection from a higher-security to a lower-security interface. I thought that by default connections from inside to outside and from dmz to outside are permitted.

Thanks,

Vu

Below is my sample (Cisco PIX version 6.3(4)):

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
ip address outside 10.10.10.10 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.10.10.20
access-list NO_NAT permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list NO_NAT permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list NO_NAT_DMZ permit ip 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
nat (dmz) 0 access-list NO_NAT_DMZ
access-list DMZ permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ permit tcp any host 10.1.1.10 eq domain
access-list DMZ permit tcp any host 10.1.1.20 eq www
access-list OUTSIDE permit icmp any any
access-list OUTSIDE permit tcp any host 192.168.1.20 eq smtp
access-list OUTSIDE permit tcp any host 192.168.1.30 eq www
access-list OUTSIDE permit tcp any host 192.168.1.40 eq 3389
access-group DMZ in interface dmz
access-group OUTSIDE in interface outside

1 Accepted Solution

Accepted Solutions

August Ritchie
Level 1

First off, you shouldn't be able to ping 10.10.10.10 from the inside as it belongs to another interface on the ASA, and the way that the ASA works doesn't allow pings to any interface you are not behind.

So let's go ahead and start off with some captures.

access-list capture permit icmp any host <10.10.10.X>
access-list capture permit icmp host <10.10.10.X> any
capture capout access-list capture interface outside
capture capin access-list capture interface inside

Then get the contents of

show run access-list capture
show cap capin
show cap capout

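The point of taking capin and capout together is to follow one echo request across both interfaces and see at which hop it, or its reply, disappears. The script below is an added example (not from this thread or from Cisco) that automates that comparison: it parses the tcpdump-style ICMP lines that `show capture` prints, counts requests and replies for one inside/outside host pair in each capture, and reports the first hop where the exchange stops. The two capture outputs are constructed sample data in the assumed format `N: HH:MM:SS.usec src > dst: icmp: echo request|reply`; the host addresses 192.168.1.5 and 10.10.10.20 are assumptions chosen to match the subnets in the question.

```python
import re
from collections import Counter

# Assumed format of the ICMP lines in PIX/ASA 'show capture' output, e.g.
#   "1: 10:12:03.123456 192.168.1.5 > 10.10.10.20: icmp: echo request"
# Summary lines such as "3 packets captured" do not match and are ignored.
ICMP_LINE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"icmp: echo (?P<kind>request|reply)"
)


def parse_capture(text):
    """Count (src, dst, kind) tuples for every ICMP echo line in one capture."""
    counts = Counter()
    for line in text.splitlines():
        m = ICMP_LINE.search(line)
        if m:
            counts[(m["src"], m["dst"], m["kind"])] += 1
    return counts


def diagnose(capin_text, capout_text, inside_host, outside_host):
    """Follow one echo across capin and capout and say where it stops.

    Returns (seen, verdict): seen holds the four packet counts that matter,
    verdict is a one-line reading of them in hop order.
    """
    capin = parse_capture(capin_text)
    capout = parse_capture(capout_text)
    req = (inside_host, outside_host, "request")
    rep = (outside_host, inside_host, "reply")
    seen = {
        "request_in": capin[req],    # request arrived on the inside interface
        "request_out": capout[req],  # request was forwarded out the outside interface
        "reply_out": capout[rep],    # reply came back to the outside interface
        "reply_in": capin[rep],      # reply was forwarded back to the inside host
    }
    if seen["request_in"] == 0:
        verdict = ("no echo request reached the inside interface: "
                   "check the client's default gateway")
    elif seen["request_out"] == 0:
        verdict = ("request entered inside but never left outside: "
                   "the firewall dropped it (nat 0 exemption, ACL or route)")
    elif seen["reply_out"] == 0:
        verdict = ("request left outside but no reply came back: the outside "
                   "host is not answering or has no return route for the "
                   "un-NATed inside subnet")
    elif seen["reply_in"] == 0:
        verdict = ("reply reached outside but was not forwarded inside: "
                   "the inbound ACL on outside is dropping it")
    else:
        verdict = "echo and reply traverse both interfaces: the firewall path works"
    return seen, verdict


# Constructed sample output for 'show cap capin' and 'show cap capout':
# three requests are seen on both interfaces and no reply on either.
CAPIN_SAMPLE = """3 packets captured
   1: 10:12:03.123456 192.168.1.5 > 10.10.10.20: icmp: echo request
   2: 10:12:04.124011 192.168.1.5 > 10.10.10.20: icmp: echo request
   3: 10:12:05.124602 192.168.1.5 > 10.10.10.20: icmp: echo request
3 packets shown
"""

CAPOUT_SAMPLE = """3 packets captured
   1: 10:12:03.123601 192.168.1.5 > 10.10.10.20: icmp: echo request
   2: 10:12:04.124150 192.168.1.5 > 10.10.10.20: icmp: echo request
   3: 10:12:05.124744 192.168.1.5 > 10.10.10.20: icmp: echo request
3 packets shown
"""


def demo():
    """Run the diagnosis over the constructed captures."""
    return diagnose(CAPIN_SAMPLE, CAPOUT_SAMPLE, "192.168.1.5", "10.10.10.20")


if __name__ == "__main__":
    seen, verdict = demo()
    for name, count in seen.items():
        print(f"{name:12s} {count}")
    print(verdict)
```

In the constructed sample the requests are seen leaving the outside interface but nothing comes back, which is the pattern to expect when the firewall is forwarding correctly and the device on 10.10.10.0/24 has no route back to an inside subnet that is not being translated. Paste the real `show cap` output in place of the two sample strings to read your own captures the same way.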
2 Replies

Hi August,

Thanks for the advice. I got it.

Vu
