Internet Access

Mar 24th, 2004

I have a PIX 515E that I am trying to pass all of my LAN traffic to the Internet through. On the outside of the PIX, I have 2 routers configured with HSRP and can ping with the PIX. On the inside of the PIX, I have 2 routers configured with HSRP, can ping with the PIX, the PIX sees everything. Here lies my problem: I cannot see anything past the inside PIX address with my inside router, or any other piece of gear on the inside.


Here is my PIX config:

: Saved
: Written by enable_15 at 23:27:22.897 UTC Wed Mar 24 2004
PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
hostname KCFire01
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name A.B.C.0 OutsideClassC
name A.B.C.2 OutsideRouter2
name A.B.C.13 HSRPGateway
name A.B.C.1 OutsideRouter1
access-list outside_cryptomap_20 remark Southport, CT Remote VPN Connection
access-list outside_cryptomap_20 permit ip interface outside host Southport
access-list inside_access_in permit ip 192.168.5.0 255.255.255.0 any
access-list inside_access_in permit ip any any
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside A.B.C.3 255.255.255.240
ip address inside 192.168.5.247 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_client 192.168.3.201-192.168.3.230
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.3.0 255.255.255.0 0 0
nat (inside) 10 192.168.5.0 255.255.255.0 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 A.B.C.3 1
route inside 192.168.0.0 255.255.0.0 192.168.5.247 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.3.20 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
vpngroup AKDest address-pool vpn_client
vpngroup AKDest dns-server 192.168.3.2
vpngroup AKDest default-domain clink-clonk.com
vpngroup AKDest idle-time 1800
vpngroup AKDest password private
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcprelay enable inside
dhcprelay setroute inside
terminal width 80
Cryptochecksum:ff2de0e5b7cc836f7f5bff9635dd216b
: end

nkhawaja Wed, 03/24/2004 - 22:35

What happens if you are not using HSRP? Is there any way you can bypass it?

SYSLOG may give more of an idea on what is wrong!

Config seems to be fine.


BTW ping is not allowed through the access-list from outside, so you can't test using ICMP.

Did you test with HTTP? Do you see any translations buildup?


Thanks

Nadeem

l.mourits Fri, 03/26/2004 - 02:56

ICMP is not statefully inspected on the PIX, so ICMP response traffic is not allowed until you allow this on the access-list bound to your outside interface.


Kind regards,

Leo
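As an added check, not part of this thread or of Cisco's tooling, the script below parses a few of the PIX 6.3 statements from the posted config (`nameif`, `name`, `ip address`, `access-group`, `route`, `snmp-server community`) and reports what a reviewer would want to verify before chasing HSRP: a static route whose next hop is the firewall's own interface address rather than a router, an interface with no inbound access-list bound (the reason Leo's point about ICMP replies bites on the outside), and a default SNMP community string. The embedded config is an excerpt constructed from the one posted above, with the A.B.C.x addresses kept as written.

```python
# Excerpt constructed from the PIX 6.3 config posted in the thread.
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
name A.B.C.13 HSRPGateway
name A.B.C.1 OutsideRouter1
ip address outside A.B.C.3 255.255.255.240
ip address inside 192.168.5.247 255.255.255.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 A.B.C.3 1
route inside 192.168.0.0 255.255.0.0 192.168.5.247 1
snmp-server community public
"""


def audit_pix_config(text):
    """Return a list of review findings for a PIX 6.x style config text."""
    names, if_addr, acl_bound, routes, findings = {}, {}, set(), [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "nameif" and len(parts) >= 3:
            if_addr.setdefault(parts[2], None)      # interface name, address unknown yet
        elif parts[0] == "name" and len(parts) >= 3:
            names[parts[2]] = parts[1]              # symbolic name -> address
        elif parts[:2] == ["ip", "address"] and len(parts) >= 4:
            if_addr[parts[2]] = parts[3]            # interface -> its own address
        elif parts[0] == "access-group" and "interface" in parts:
            acl_bound.add(parts[parts.index("interface") + 1])
        elif parts[0] == "route" and len(parts) >= 5:
            # next hop may be a symbolic name; resolve it through the name table
            routes.append((parts[1], parts[2], parts[3], names.get(parts[4], parts[4])))
        elif parts[:2] == ["snmp-server", "community"] and len(parts) >= 3:
            if parts[2].lower() in ("public", "private"):
                findings.append(f"snmp: default community string '{parts[2]}'")
    for ifname, dest, mask, nexthop in routes:
        if nexthop == if_addr.get(ifname):
            findings.append(f"route {ifname} {dest} {mask}: next hop {nexthop} is the "
                            f"PIX's own {ifname} address, not a router")
    for ifname in sorted(if_addr):
        if ifname not in acl_bound:
            findings.append(f"acl: no access-list bound to interface {ifname}; only "
                            f"stateful return traffic is admitted, and ICMP replies "
                            f"are not tracked statefully here")
    return findings


if __name__ == "__main__":
    for finding in audit_pix_config(PIX_CONFIG):
        print(finding)
```

Run against the full posted config, the same two route findings and the missing outside access-list are reported.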
