09-26-2010 01:21 PM - edited 03-11-2019 11:45 AM
I want to use this command to let the outside access the inside. The topology is simple, but I can't ping R1's interface 1.1.1.1 from R2.
Anything wrong with the configuration? Thanks first.
Han
R1-----(inside)PIX(outside)----R2
=====================
pixfirewall# sh ru
: Saved
:
PIX Version 8.0(4)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0<=== connects to R2 the other side is 10.1.1.1
nameif outside
security-level 0
ip address 10.1.1.2 255.255.255.0
!
interface Ethernet1<=== connects to R1, the other side is 1.1.1.1
nameif inside
security-level 100
ip address 1.1.1.2 255.255.255.0
!
!
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (inside,outside) 10.1.1.100 1.1.1.1 netmask 255.255.255.255<==== Static
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
09-26-2010 03:59 PM
Hi Han,
In addition to the 'static' command, you also need to configure an access-list. For example:
access-list outside_access_in permit icmp host 10.1.1.1 host 1.1.1.1
access-group outside_access_in in interface outside
Hope that helps.
-Mike
09-26-2010 05:11 PM
Hi,
You would need to configure the following ACL instead:
access-list outside_access_in permit icmp host 10.1.1.1 host 10.1.1.100
access-group outside_access_in in interface outside
Hope that helps.
09-26-2010 05:19 PM
I just added these two commands. I saw a difference: R1 received the ping packets, but R2 shows it is not getting the reply. Do I need to configure anything in the R1 to R2 direction?
thanks,
09-26-2010 05:28 PM
I didn't see the policy-map configuration in your current config.
Please kindly add the following:
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Hope that helps.
09-26-2010 06:25 PM
I did. But the same...
I found I can't ping from R1 to R2 either, and I think this might be the problem. Is there any routing I need to configure in the firewall to make it happen?
regards,
Han
09-26-2010 06:30 PM
Shouldn't be any routing issue, as they are directly connected to each other.
Please "clear xlate" and "clear arp" on the PIX, and also "clear arp" on both routers.
09-26-2010 06:30 PM
R1 should have default route pointing to PIX inside interface (1.1.1.2)
09-26-2010 06:45 PM
It was pointed to fa0/0 on R1 and I changed it to 1.1.1.2. It worked.
thanks,
09-26-2010 06:47 PM
Great... good to hear it works now.
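Added example, not from the thread or from Cisco: a small Python model of the packet walk the thread converges on, so the three failure states (no ACL, ACL written against the real address, R1 default route to an interface instead of the PIX) can be checked side by side. It assumes pre-8.3 PIX behaviour (the inbound ACL is matched against the mapped address, then the static xlate untranslates it) and models the broken R1 route as an interface-only default route that nothing on the inside segment answers ARP for; all addresses and route tables are constructed from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed model of the thread's setup on PIX 8.0(4):
#   R1 (1.1.1.1) -- inside PIX outside -- R2 (10.1.1.1)
#   static (inside,outside) 10.1.1.100 1.1.1.1   ->  mapped 10.1.1.100 is real 1.1.1.1
STATIC_XLATE = {"10.1.1.100": "1.1.1.1"}   # mapped -> real
PIX_INSIDE = "1.1.1.2"

@dataclass(frozen=True)
class Ace:  # one 'access-list outside_access_in permit <proto> host <src> host <dst>' line
    proto: str
    src: str
    dst: str

def acl_permits(acl, proto, src, dst):
    """First-match evaluation, with the PIX's implicit deny at the end of the list."""
    return any(a.proto in (proto, "ip") and a.src in (src, "any") and a.dst in (dst, "any")
               for a in acl)

def inbound_echo(acl, src, dst):
    """outside->inside on pre-8.3 code: the interface ACL sees the mapped (outside-visible)
    address; only then does the static xlate untranslate it. Returns (real_dst|None, why)."""
    if not acl_permits(acl, "icmp", src, dst):
        return None, "dropped by outside_access_in (implicit deny)"
    if dst not in STATIC_XLATE:
        return None, "no static xlate for destination"
    return STATIC_XLATE[dst], "untranslated and forwarded to inside"

def reply_reaches_pix(r1_routes, dst):
    """R1's return path: longest-prefix match over its table. An 'ip route' naming only an
    Ethernet interface makes R1 ARP for dst itself, and nothing on 1.1.1.0/24 proxy-ARPs for
    10.1.1.1 (assumption modelling the thread's symptom); a next hop of the PIX works."""
    matches = [r for r in r1_routes if ip_address(dst) in ip_network(r["prefix"])]
    best = max(matches, key=lambda r: ip_network(r["prefix"]).prefixlen, default=None)
    if best is None:
        return False, "no route on R1"
    if best.get("next_hop") is None:
        return False, f"route via {best['iface']} only: R1 ARPs for {dst}, no answer"
    if best["next_hop"] != PIX_INSIDE:
        return False, f"next hop {best['next_hop']} is not the PIX inside interface"
    return True, f"echo reply sent to {PIX_INSIDE}"

def ping_r2_to_r1(acl, r1_routes):
    """Walk one echo request from R2 (10.1.1.1) to the mapped address 10.1.1.100."""
    real, why = inbound_echo(acl, "10.1.1.1", "10.1.1.100")
    if real is None:
        return False, "request " + why
    ok, why = reply_reaches_pix(r1_routes, "10.1.1.1")
    return ok, why if ok else "request reached R1 but " + why
```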