03-24-2004 10:39 AM - edited 03-09-2019 06:52 AM
I have a PIX 515E that I am trying to pass all of my LAN traffic to the Internet through. On the outside of the PIX, I have 2 routers configured with HSRP and can ping with the PIX. On the inside of the PIX, I have 2 routers configured with HSRP, can ping with the PIX, the PIX sees everything. Here lies my problem: I cannot see anything past the inside PIX address with my inside router, or any other piece of gear on the inside.
Here is my PIX config
: Saved
: Written by enable_15 at 23:27:22.897 UTC Wed Mar 24 2004
PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
hostname KCFire01
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name A.B.C.0 OutsideClassC
name A.B.C.2 OutsideRouter2
name A.B.C.13 HSRPGateway
name A.B.C.1 OutsideRouter1
access-list outside_cryptomap_20 remark Southport, CT Remote VPN Connection
access-list outside_cryptomap_20 permit ip interface outside host Southport
access-list inside_access_in permit ip 192.168.5.0 255.255.255.0 any
access-list inside_access_in permit ip any any
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside A.B.C.3 255.255.255.240
ip address inside 192.168.5.247 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_client 192.168.3.201-192.168.3.230
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.3.0 255.255.255.0 0 0
nat (inside) 10 192.168.5.0 255.255.255.0 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 A.B.C.3 1
route inside 192.168.0.0 255.255.0.0 192.168.5.247 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.3.20 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
vpngroup AKDest address-pool vpn_client
vpngroup AKDest dns-server 192.168.3.2
vpngroup AKDest default-domain clink-clonk.com
vpngroup AKDest idle-time 1800
vpngroup AKDest password private
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcprelay enable inside
dhcprelay setroute inside
terminal width 80
Cryptochecksum:ff2de0e5b7cc836f7f5bff9635dd216b
: end
03-24-2004 10:35 PM
What happens if you are not using HSRP? Is there any way you can bypass it?
SYSLOG may give more of an idea of what is wrong!
Config seems to be fine.
BTW, ping is not allowed through the access-list from outside, so you can't test using ICMP.
Did you test with HTTP? Do you see any translations build up?
Thanks
Nadeem
03-26-2004 02:56 AM
ICMP is not statefully inspected on the PIX, so ICMP response traffic is not allowed until you allow this on the access-list bound to your outside interface.
Kind regards,
Leo
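Both replies above come down to the same point: on PIX 6.3 a ping from the inside creates no state, so the echo-reply arriving on the outside interface is dropped unless an access-list bound to the outside interface permits it. The "icmp permit any outside" / "icmp permit any inside" lines in the posted config only govern ICMP addressed to the PIX's own interfaces, not traffic passing through it. The fragment below is an added example, not configuration from any participant in this thread; it shows the outside access-list the replies ask for, the checks for translations and connections, and one further item visible in the posted config: both static routes name the PIX's own interface address as the next hop (A.B.C.3 is the "ip address outside" line, 192.168.5.247 is the "ip address inside" line), while the config already defines A.B.C.13 as HSRPGateway. The inside HSRP virtual address is not given anywhere in the thread, so 192.168.5.1 / InsideHSRPGateway is an assumed placeholder to be replaced with the real standby address.

```cisco
: Added example for PIX 6.3(1); not taken from the thread. Colon lines are comments.
: 1. Let ICMP replies back in. PIX 6.3 keeps no ICMP state, so the echo-reply to
:    an inside-originated ping is dropped unless the outside ACL permits it.
access-list outside_access_in remark ICMP replies for inside-originated ping and traceroute
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit icmp any any unreachable
access-group outside_access_in in interface outside
:
: 2. Point the default route at the HSRP virtual address, not at the PIX's own
:    outside address. HSRPGateway (A.B.C.13) is already defined under "names".
no route outside 0.0.0.0 0.0.0.0 A.B.C.3 1
route outside 0.0.0.0 0.0.0.0 HSRPGateway 1
:
: 3. Same on the inside: the 192.168.0.0/16 route should use the inside HSRP
:    virtual address. That address is not given in the thread; 192.168.5.1 is an
:    ASSUMED placeholder, replace it with the real standby address.
name 192.168.5.1 InsideHSRPGateway
no route inside 192.168.0.0 255.255.0.0 192.168.5.247 1
route inside 192.168.0.0 255.255.0.0 InsideHSRPGateway 1
: drop existing translations so new flows use the corrected routes
clear xlate
:
: 4. Test with a TCP flow (browser from an inside host to an outside web server),
:    then confirm a translation and a connection were built for it.
show route
show xlate
show conn
: debug icmp trace prints every ICMP packet the PIX accepts or drops, which
: shows directly whether the echo-reply is now passing the outside ACL.
debug icmp trace
```

The ACL permits only the reply types an inside host needs (echo-reply for ping, time-exceeded for traceroute, unreachable for PMTU and error reporting); it does not permit inbound echo, so the outside address stays unpingable from the Internet. Turn "debug icmp trace" off again with "no debug icmp trace" once the test is done. Separately, the posted config still carries "snmp-server community public" and allows cleartext telnet from 192.168.3.0/24; once routing works, changing the community string and using the existing "ssh" support instead of telnet is the usual follow-up.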