Pix 506E Allowing ping (ICMP) replies

paul.baird
Level 1

Lo all,

Having trouble with a PIX 506E 6.3(5), I am trying to get ping and tracert working from clients within my network.

I have added the following lines to my pix config:

!--- Create an access list to allow pings out
access-list ping_acl permit icmp any host 217.34.xxx.xxx echo-reply
access-list ping_acl permit icmp any host 217.34.xxx.xxx time-exceeded
access-list ping_acl permit icmp any host 217.34.xxx.xxx unreachable
access-group ping_acl in interface outside

But still no joy; any ideas would be much appreciated.


Jon Marshall
Hall of Fame

Hi Paul

I'm a little unclear as to what you are trying to achieve. If you want to allow your clients to ping out, why are you applying this access-list on the outside interface?

What are the source addresses of your clients and what are the destination addresses you want to ping?

Jon

Hi Jon,

I am trying to follow:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

I am trying to allow all clients on the internal network to be able to ping / tracert any public IP address.

My clients are on a 10.1.2.x/8 range.

Paul

Okay, makes a bit more sense I think.

I'm assuming you are NATing all your inside hosts to 217.34.x.x?

Do you have an access-list applied to your inside interface?

Perhaps you could send the whole config of the PIX minus any sensitive information.

Jon

Hi Jon,

Very new to PIXes, so this is my working config for the network that I have managed to piece together:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 100full
interface ethernet1 100full
ip address outside 217.34.xxx.xxx 255.255.255.240
ip address inside 10.1.1.1 255.0.0.0
route outside 0.0.0.0 0.0.0.0 217.34.xxx.xxx 1
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
global (outside) 1 interface
static (inside,outside) tcp 217.34.xxx.xxx ftp 10.1.2.150 ftp
static (inside,outside) tcp 217.34.xxx.xxx http 10.1.1.3 http
static (inside,outside) tcp 217.34.xxx.xxx https 10.1.1.3 https
!--- Create an access list to allow pings out
access-list ping_acl permit icmp any host 217.34.xxx.xxx echo-reply
access-list ping_acl permit icmp any host 217.34.xxx.xxx time-exceeded
access-list ping_acl permit icmp any host 217.34.xxx.xxx unreachable
access-list inbound permit tcp any host 217.34.xxx.xxx eq ftp
access-list inbound permit tcp any host 217.34.xxx.xxx eq http
access-list inbound permit tcp any host 217.34.xxx.xxx eq https
access-group ping_acl in interface outside
access-group inbound in interface outside
no fixup protocol ftp 21
no fixup protocol dns
!--- Enable logging
logging on
logging trap 4
logging host 10.1.1.3
telnet 10.0.0.0 255.0.0.0 inside
telnet 192.168.50.0 255.255.255.0 inside
http server enable
http 10.0.0.0 255.0.0.0 inside
pdm history enable
!--- SSH for use with Putty
aaa authentication ssh console LOCAL
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
!--- Firewall details and passwords
hostname FIREWALL
domain-name C2.local
en pass xxxxxxxxx
pass xxxxxxxxxxx
ip local pool VPN_Pool 192.168.50.1-192.168.50.254
access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list 101
!--- For Cisco VPN Client
sysopt connection permit-ipsec
crypto ipsec transform-set VPN_Trans esp-aes-256 esp-md5-hmac
crypto dynamic-map VPN_Dyn 10 set transform-set VPN_Trans
crypto map VPN_Crypto 10 ipsec-isakmp dynamic VPN_Dyn
crypto map VPN_Crypto interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup C2_xxxxxxxx address-pool VPN_Pool
vpngroup C2_xxxxxxxx idle-time 1800
vpngroup C2_xxxxxxxx password xxxxxxxxxxxx
vpngroup C2_xxxxxxxx wins-server 10.1.1.3
vpngroup C2_xxxxxxxx dns-server 10.1.1.3
vpngroup C2_xxxxxxxx default-domain c2.local
isakmp nat-traversal 20

Paul

You cannot apply two access-lists to the same interface in the same direction, i.e.

access-group ping_acl in interface outside
access-group inbound in interface outside

You need to combine your two access-lists, i.e. ping_acl and inbound, into one access-list and apply this to the interface.

At the moment the only access-list applied to your outside interface is the inbound access-list which has no entries for icmp.

HTH

Jon
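As an added illustration (not part of Jon's or Paul's posts), the check below parses a PIX config dump for the pitfall Jon describes, reports which list the firewall actually enforces per interface and direction, and emits the merged list; the name outside_in is an assumed choice, and the sample config is constructed from the lines Paul posted.

```python
import re
from collections import defaultdict

# Constructed sample (not Paul's full post), keeping the redacted 217.34.xxx.xxx as written.
SAMPLE_CONFIG = """\
!--- Create an access list to allow pings out
access-list ping_acl permit icmp any host 217.34.xxx.xxx echo-reply
access-list ping_acl permit icmp any host 217.34.xxx.xxx time-exceeded
access-list ping_acl permit icmp any host 217.34.xxx.xxx unreachable
access-list inbound permit tcp any host 217.34.xxx.xxx eq ftp
access-list inbound permit tcp any host 217.34.xxx.xxx eq http
access-list inbound permit tcp any host 217.34.xxx.xxx eq https
access-group ping_acl in interface outside
access-group inbound in interface outside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(.+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")

def parse_pix_config(config):
    """Return ({acl_name: [entry, ...]}, [(acl_name, direction, interface), ...])."""
    acls, bindings = defaultdict(list), []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):      # skip blanks and !--- comments
            continue
        if m := ACL_RE.match(line):
            acls[m.group(1)].append(m.group(2))
        elif m := GROUP_RE.match(line):
            bindings.append((m.group(1), m.group(2), m.group(3)))
    return dict(acls), bindings

def find_shadowed_bindings(bindings):
    """(interface, direction) -> all ACL names bound to it, for slots bound more than once.
    A slot holds one list; each later access-group replaces the earlier one silently."""
    slots = defaultdict(list)
    for name, direction, iface in bindings:
        slots[(iface, direction)].append(name)
    return {slot: names for slot, names in slots.items() if len(names) > 1}

def effective_bindings(bindings):
    """The list the PIX actually enforces per slot: the last one bound wins."""
    return {(iface, direction): name for name, direction, iface in bindings}

def merge_acls(acls, names, merged_name, direction, iface):
    """Rewrite several lists under one name (original order kept) and bind only that one.
    merged_name is an assumed name; any unused ACL name works."""
    lines = [f"access-list {merged_name} {e}" for n in names for e in acls[n]]
    lines.append(f"access-group {merged_name} {direction} interface {iface}")
    return lines
```

Running it over the sample reports that only inbound is in effect on outside/in, so the ICMP reply entries never apply until both lists are merged into one.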

You learn something new every day :)

Thanks for that Jon, works a treat. Thought I was being tidy keeping them apart.

Paul

Glad to be of help and many thanks for using the rating system.

Jon
