Static command on PIX

hanwucisco
Level 1

I want to use this command to let the outside access the inside. The topology is simple, but I can't ping R1's interface 1.1.1.1 from R2.

Is anything wrong with the configuration? Thanks in advance.

Han

R1-----(inside)PIX(outside)----R2

=====================

pixfirewall# sh ru
: Saved
:
PIX Version 8.0(4)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0 <=== connects to R2; the other side is 10.1.1.1
nameif outside
security-level 0
ip address 10.1.1.2 255.255.255.0
!
interface Ethernet1 <=== connects to R1; the other side is 1.1.1.1
nameif inside
security-level 100
ip address 1.1.1.2 255.255.255.0
!
!
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (inside,outside) 10.1.1.100 1.1.1.1 netmask 255.255.255.255 <==== Static
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end


mirober2
Cisco Employee

Hi Han,

In addition to the 'static' command, you also need to configure an access-list. For example:

access-list outside_access_in permit icmp host 10.1.1.1 host 1.1.1.1

access-group outside_access_in in interface outside

Hope that helps.

-Mike

Jennifer Halim
Cisco Employee

Hi,

You would need to configure the following ACL instead:

access-list outside_access_in permit icmp host 10.1.1.1 host 10.1.1.100

access-group outside_access_in in interface outside

Hope that helps.

I just added these two commands. I saw a difference. R1 received the ping packets, but R2 shows it is not getting the replies. Do I need to configure anything for the R1 to R2 direction?

Thanks,

I didn't see the policy-map configuration in your current config.

Please kindly add the following:


policy-map global_policy
     class inspection_default
          inspect icmp
service-policy global_policy global


Hope that helps.

I did. But it's the same...

I found I can't ping from R1 to R2 as well, and I think this might be the problem. Is there any routing I need to configure in the firewall to make it happen?

Regards,

Han

There shouldn't be any routing issue, as they are directly connected to each other.

Please "clear xlate" and "clear arp" on the PIX, and also "clear arp" on both routers.

R1 should have a default route pointing to the PIX inside interface (1.1.1.2)

It was pointed to fa0/0 on R1 and I changed it to 1.1.1.2. It worked.

Thanks,

Great... good to hear it works now.
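
The fixes from this thread gathered into one configuration with checks, as an added example that is not part of the original posts. It assumes the thread's addressing and PIX 8.0(4); the `echo` restriction, the `class-map` lines, the verification commands and the `FastEthernet0/0` spelling of fa0/0 are additions that no participant posted.

```cisco
! --- PIX 8.0(4), pre-8.3 NAT syntax as used in this thread ---
! Publish inside host 1.1.1.1 as 10.1.1.100 on the outside.
static (inside,outside) 10.1.1.100 1.1.1.1 netmask 255.255.255.255
!
! Before 8.3 the outside ACL is matched against the mapped address,
! so it names 10.1.1.100, not the real address 1.1.1.1.
! Scope it to echo from the single peer instead of all ICMP.
access-list outside_access_in extended permit icmp host 10.1.1.1 host 10.1.1.100 echo
access-group outside_access_in in interface outside
!
! inspect icmp tracks echo requests so the matching replies are let back in
! for pings started from the inside (R1 to R2) without a broad ICMP permit.
! The class-map lines are only needed when inspection_default is absent,
! as it is in the posted running-config.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
! Verification on the PIX: rebuild translations, then confirm the xlate,
! the ACL hit counter and the simulated path of an echo request.
clear xlate
show xlate
show access-list outside_access_in
packet-tracer input outside icmp 10.1.1.1 8 0 10.1.1.100
!
! --- R1 (IOS) ---
! Assumption: the route that pointed at fa0/0 was the default route.
! A next-hop address makes R1 send return traffic to the PIX
! instead of resolving 10.1.1.1 directly on the inside segment.
no ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 0.0.0.0 0.0.0.0 1.1.1.2
```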
