Cisco Support Community
Configure PIX515e with No NAT

Hi,

I'm trying to configure a basic PIX firewall configuration with no NAT. The problems are:

I cannot ping from the inside network 192.168.1.0/24 to the outside interface 10.10.10.10 or to the device on the outside network 10.10.10.0/24.

I cannot ping from the dmz network 10.1.1.0/24 to the outside interface 10.10.10.10 or to the device on the outside network 10.10.10.0/24.

The dmz network and the inside network can ping each other just fine. Connections between dmz and inside work.

Please help me figure out what is wrong with my configuration. It looks like I can't make a connection from a higher-security to a lower-security interface. I thought that by default connections from inside to outside and from dmz to outside are permitted.

Thanks,

Vu

Below is my sample:

Cisco PIX version 6.3(4)

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10

ip address outside 10.10.10.10 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 10.1.1.1 255.255.255.0

route outside 0.0.0.0 0.0.0.0 10.10.10.20

access-list NO_NAT permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list NO_NAT permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list NO_NAT_DMZ permit ip 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
nat (dmz) 0 access-list NO_NAT_DMZ

access-list DMZ permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ permit tcp any host 10.1.1.10 eq domain
access-list DMZ permit tcp any host 10.1.1.20 eq www

access-list OUTSIDE permit icmp any any
access-list OUTSIDE permit tcp any host 192.168.1.20 eq smtp
access-list OUTSIDE permit tcp any host 192.168.1.30 eq www
access-list OUTSIDE permit tcp any host 192.168.1.40 eq 3389

access-group DMZ in interface dmz
access-group OUTSIDE in interface outside

1 ACCEPTED SOLUTION


Re: Configure PIX515e with No NAT

First off, you shouldn't be able to ping 10.10.10.10 from the inside, as it belongs to another interface on the ASA, and the way that the ASA works doesn't allow pings to any interface you are not behind.

So let's go ahead and start off with some captures.

access-list capture permit icmp any host <10.10.10.X>
access-list capture permit icmp host <10.10.10.X> any
capture capout access-list capture interface outside
capture capin access-list capture interface inside

Then get the contents of

show run access-list capture
show cap capin
show cap capout
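The behaviour behind both the configuration posted in the question and the first point in the accepted answer can be checked with a small model of how a PIX 6.3 admits the first packet of a connection. The following Python block is an added example, not code from this thread or from Cisco. It parses the access-list and access-group lines exactly as posted (with the `host 10.1.1.0 255.255.255.0` entry written as a subnet, which is what the syntax requires) and applies three rules: a packet addressed to one of the firewall's own interface IPs is only answered when it arrives on that interface; if the ingress interface has an inbound access-group, that ACL alone decides and ends with an implicit deny; otherwise a higher security level may initiate to a lower one and not the reverse. It deliberately models nothing else (no NAT, no routing beyond the default route, no ICMP state tracking, no return-path on the 10.10.10.20 router). The hosts 192.168.1.50, 10.1.1.50 and 10.10.10.30 are constructed, and the extra `access-list DMZ permit icmp ...` line in `FIXED_ACLS` is a hypothetical change used to show the effect of the interface ACL; the thread never says what change the original poster actually made.

```python
"""Minimal model of PIX 6.3 first-packet admission: interface ACL, security
level and own-interface-address rules.  Added illustration for this thread,
not Cisco code.  NAT, routing and stateful ICMP inspection are not modelled."""
import ipaddress

# Interfaces as posted in the question (nameif / ip address lines).
INTERFACES = {
    "outside": {"security": 0,   "ip": "10.10.10.10", "net": "10.10.10.0/24"},
    "inside":  {"security": 100, "ip": "192.168.1.1", "net": "192.168.1.0/24"},
    "dmz":     {"security": 10,  "ip": "10.1.1.1",    "net": "10.1.1.0/24"},
}

# Interface ACLs as posted (first DMZ line written with a subnet, not "host").
POSTED_ACLS = """
access-list DMZ permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ permit tcp any host 10.1.1.10 eq domain
access-list DMZ permit tcp any host 10.1.1.20 eq www
access-list OUTSIDE permit icmp any any
access-list OUTSIDE permit tcp any host 192.168.1.20 eq smtp
access-list OUTSIDE permit tcp any host 192.168.1.30 eq www
access-list OUTSIDE permit tcp any host 192.168.1.40 eq 3389
access-group DMZ in interface dmz
access-group OUTSIDE in interface outside
"""

# Hypothetical change (assumption, not the thread's fix): let dmz hosts ping
# the outside network through the DMZ interface ACL.
FIXED_ACLS = POSTED_ACLS + (
    "access-list DMZ permit icmp 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0\n")


def _parse_addr(tokens, i):
    """Consume one ACL address spec (any | host A | A MASK); return (net, next)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return ({acl_name: [(action, proto, src, dst, port)]}, {iface: acl_name})."""
    acls, groups = {}, {}
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":
            name, action, proto = t[1], t[2], t[3]
            src, i = _parse_addr(t, 4)
            dst, i = _parse_addr(t, i)
            port = t[i + 1] if i < len(t) and t[i] == "eq" else None
            acls.setdefault(name, []).append((action, proto, src, dst, port))
        elif t[0] == "access-group":      # access-group NAME in interface IFACE
            groups[t[4]] = t[1]
    return acls, groups


def acl_permits(entries, proto, src, dst, port=None):
    """First matching entry wins; falling off the end is the implicit deny."""
    for action, eproto, esrc, edst, eport in entries:
        if eproto not in ("ip", proto) or src not in esrc or dst not in edst:
            continue
        if eport is not None and eport != port:
            continue
        return action == "permit"
    return False


def interface_for(ip, default="outside"):
    """Directly connected interface for an address, else the default route."""
    for name, iface in INTERFACES.items():
        if ip in ipaddress.ip_network(iface["net"]):
            return name
    return default


def decide(config_text, proto, src_ip, dst_ip, port=None):
    """Return 'permit' or a 'deny: ...' reason for the first packet of a flow."""
    acls, groups = parse_config(config_text)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    ingress = interface_for(src)
    # Rule 1: a firewall interface address answers only from its own side.
    for name, iface in INTERFACES.items():
        if dst == ipaddress.ip_address(iface["ip"]):
            if name == ingress:
                return "permit"
            return f"deny: {dst} is the {name} interface, not reachable from {ingress}"
    egress = interface_for(dst)
    # Rule 2: an inbound access-group replaces the security-level default.
    if ingress in groups:
        if acl_permits(acls[groups[ingress]], proto, src, dst, port):
            return "permit"
        return f"deny: implicit deny at end of access-list {groups[ingress]} on {ingress}"
    # Rule 3: no ACL, so only higher-to-lower security may initiate.
    if INTERFACES[ingress]["security"] > INTERFACES[egress]["security"]:
        return "permit"
    return f"deny: {ingress} to {egress} is lower-to-higher security with no ACL"


if __name__ == "__main__":
    flows = [("icmp", "192.168.1.50", "10.10.10.10"), ("icmp", "192.168.1.50", "10.10.10.30"),
             ("icmp", "10.1.1.50", "10.10.10.30"), ("icmp", "10.1.1.50", "192.168.1.50")]
    for label, cfg in (("posted config", POSTED_ACLS), ("with dmz->outside icmp", FIXED_ACLS)):
        print(label)
        for proto, s, d in flows:
            print(f"  {proto} {s} -> {d}: {decide(cfg, proto, s, d)}")
```

Run as a script it prints one verdict per flow for the posted configuration and for the variant with the extra DMZ entry. The point it makes is that the inside interface, which has no access-group, gets the higher-to-lower default, while the dmz interface, which has one, only gets what access-list DMZ explicitly permits; dmz to inside is listed there, dmz to the outside network is not. Whether inside-to-outside pings then actually come back depends on things this model ignores, such as the 10.10.10.20 router having a route for 192.168.1.0/24 via 10.10.10.10 when nothing is translated.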

2 REPLIES

Re: Configure PIX515e with No NAT

Hi August,

Thanks for the advice. I got it.

Vu
