Community Member

Static command on PIX

I want to use this command to let the outside access the inside. The topology is simple, but I can't ping R1's interface 1.1.1.1 from R2.

Is anything wrong with the configuration? Thanks first.

Han

R1-----(inside)PIX(outside)----R2

=====================

pixfirewall# sh ru
: Saved
:
PIX Version 8.0(4)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0<=== connects to R2 the other side is 10.1.1.1
nameif outside
security-level 0
ip address 10.1.1.2 255.255.255.0
!
interface Ethernet1<=== connects to R1, the other side is 1.1.1.1
nameif inside
security-level 100
ip address 1.1.1.2 255.255.255.0
!
!
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (inside,outside) 10.1.1.100 1.1.1.1 netmask 255.255.255.255<==== Static
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end

9 REPLIES
Cisco Employee

Re: Static command on PIX

Hi Han,

In addition to the 'static' command, you also need to configure an access-list. For example:

access-list outside_access_in permit icmp host 10.1.1.1 host 1.1.1.1

access-group outside_access_in in interface outside

Hope that helps.

-Mike

Cisco Employee

Re: Static command on PIX

Hi,

You would need to configure the following ACL instead:

access-list outside_access_in permit icmp host 10.1.1.1 host 10.1.1.100

access-group outside_access_in in interface outside

Hope that helps.

Community Member

Re: Static command on PIX

I just added these two commands. I saw a difference: R1 received the ping packets, but R2 shows it is not getting the reply. Do I need to configure anything for the R1 to R2 direction?

thanks,

Cisco Employee

Re: Static command on PIX

I didn't see the policy-map configuration on your current config.

Please kindly add the following:


policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global

Hope that helps.
Community Member

Re: Static command on PIX

I did, but it is the same...

I found I can't ping from R1 to R2 either, and I think this might be the problem. Is there any routing I need to configure in the firewall to make it happen?

regards,

Han

Cisco Employee

Re: Static command on PIX

Shouldn't be any routing issue as it's directly connected to each other.

Please "clear xlate" and "clear arp" on the PIX, and also "clear arp" on both routers.

Cisco Employee

Re: Static command on PIX

R1 should have default route pointing to PIX inside interface (1.1.1.2)

Community Member

Re: Static command on PIX

It was pointed to fa0/0 on R1 and I changed it to 1.1.1.2. It worked.

thanks,

Cisco Employee

Re: Static command on PIX

Great... good to hear it works now.
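Putting the fixes from the thread together, here is the complete set of commands for this topology as an added example; it is not the original poster's configuration and not Cisco's own text. It assumes PIX 8.0(4) (pre-8.3) NAT semantics as the thread confirms, where an inbound ACL on the outside interface is matched against the translated global address. The `echo` keyword narrowing the ACL to echo requests, the `class-map inspection_default` lines (part of the PIX default configuration but absent from the posted `show run`), and the verification commands are my additions.

```cisco
! PIX 8.0(4): static NAT presents R1 (1.1.1.1) on the outside as 10.1.1.100
static (inside,outside) 10.1.1.100 1.1.1.1 netmask 255.255.255.255
!
! Pre-8.3 ordering: an ACL applied inbound on "outside" is evaluated before
! untranslation, so it must reference the global address 10.1.1.100, not 1.1.1.1.
! "echo" (added here) permits only echo requests instead of every ICMP type.
access-list outside_access_in permit icmp host 10.1.1.1 host 10.1.1.100 echo
access-group outside_access_in in interface outside
!
! ICMP inspection tracks each echo request as a connection, so R1's echo
! reply is allowed back out without a separate rule in the reverse direction.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
! --- On R1 (IOS): the reply must be sent back to the PIX inside interface ---
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
! --- Verification on the PIX (assumed commands, standard on this release) ---
! show xlate                          -> expect a Global 10.1.1.100 / Local 1.1.1.1 entry
! show access-list outside_access_in  -> hitcnt should increase while R2 pings 10.1.1.100
```

R2 pings 10.1.1.100, not 1.1.1.1: the inside address is never visible from the outside, which is also why the corrected ACL in the thread names the global address. The `echo` restriction is the least-privilege form of the rule; if the `clear xlate` / `clear arp` step from the thread is still needed, it is because R2 may have cached a stale ARP entry for 10.1.1.100 from before the static was applied.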
