10-26-2005 05:44 AM - edited 03-05-2019 11:40 AM
Hello all,
I am trying to set up a Cisco PIX 515E.
The outside interface is connected to the internet.
The inside interface is connected to the inside private LAN.
I am able to use HTTP traffic from the inside LAN. However, I have problems with DNS and ping.
I cannot ping the inside FW interface from LAN clients (this is also the GW for the LAN clients), because the LAN address is NATed to the outside interface address. (I see this with debug icmp trace.)
I cannot ping outside addresses from LAN clients. When debugging ICMP at the FW, I can see the ping request come back to the FW, but not go from the FW to the client.
DNS is not working. The DNS server is a public IP address. It seems DNS queries are not passed through the FW.
Basically, I want to access the internet through the PIX FW. Can anyone give me some tips on what to do here?
10-26-2005 07:16 AM
I would like to take a look at your configs. You should be able to ping the inside interface of the PIX (unless there is an ACL on the inside interface that blocks ping). You cannot ping the outside interface of the PIX from the inside segment. Paste your configs in your next post.
10-26-2005 10:22 PM
It's not the outside interface I want to ping; it's outside hosts on the internet I want to ping through the outside interface.
Here is my current config:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
enable password
passwd
hostname fw
domain-name something.no
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service Internet tcp
description Standard Internet trafikk
port-object eq www
port-object eq https
access-list inside_access_in remark Traffic out
access-list inside_access_in remark
access-list inside_access_in permit icmp 172.16.1.0 255.255.255.0 any
access-list inside_access_in remark icmp
access-list inside_access_in permit tcp any any
access-list inside_access_in remark Trafic out
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 194.xx.xx.34 255.255.255.248
ip address inside 172.16.1.1 255.255.255.0
ip address DMZ 194.xx.xx.41 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 200 interface
global (inside) 200 interface
nat (inside) 200 172.16.1.0 255.255.255.0 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 194.xx.xx.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 172.16.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.16.1.200-172.16.1.210 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
10-27-2005 11:20 AM
First, ICMP is not really considered stateful in the Cisco PIX, at least in the 6.3 train anyway. And the interface of the PIX is by default not pingable.
Also, you can only ping the inside PIX interface from the inside network; you cannot ping the PIX outside interface from the inside network. The outside interface is pingable from the outside network if you allow it.
Basically, to allow ping to the inside interface, here is the command:
icmp permit any inside
That is not the preferable way to do it; I would typically do something like the below, assuming 10.0.0.0/8 is the whole network behind the PIX:
icmp permit 10.0.0.0 255.0.0.0 inside
You can of course limit the type of ICMP; common ones are echo, echo-reply, time-exceeded, source-quench, redirect, unreachable.
The second mistake you made for browsing is that DNS requests and replies use UDP instead of TCP. DNS zone transfers use TCP. So you would need to modify your inside ACL to permit UDP,
i.e.
access-list inside_access_in remark permit udp traffic
access-list inside_access_in permit udp any any
If you just want to allow DNS lookups, just allow your DNS server instead of all the DNS clients in the ACL, and limit the UDP to port 53 for DNS.
If you want ICMP replies, you have to enable an ACL and apply it to the outside interface,
i.e.
access-list outside-acl permit icmp any any
You can control what type of ICMP message you allow through by specifying the type in the above ACL.
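The two through-traffic problems the reply describes (an inside ACL that permits TCP but no UDP/53, and no ACL on the outside interface admitting ICMP replies) are the kind of thing worth checking mechanically before pasting a config into a thread. The script below is an added example, not code from the thread or from Cisco: it parses PIX 6.3-style `access-list` and `access-group` lines and reports both gaps, plus a warning when the fix is the over-broad `permit udp any any` rather than the resolver-only rule the reply suggests. The excerpt of the original config is constructed from the lines posted above; the "fixed" config applies the reply's advice in its tight form, and its resolver address 192.0.2.53 is an assumption (the thread never says which DNS server the LAN uses).

```python
"""
Lint a PIX 6.3-style config for the two through-traffic gaps discussed in
the thread: an inside ACL that only permits TCP (UDP/53 DNS is dropped) and
no ACL on the outside interface admitting ICMP echo-reply (outbound pings
never get an answer back, since PIX 6.3 does not track ICMP statefully).
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the config posted in the thread; only the lines the
# checks look at are kept.
ORIGINAL_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_access_in remark Traffic out
access-list inside_access_in permit icmp 172.16.1.0 255.255.255.0 any
access-list inside_access_in permit tcp any any
access-group inside_access_in in interface inside
"""

# Hypothetical corrected config applying the reply's advice in its tight
# form. The resolver address 192.0.2.53 is an assumption (documentation
# range); the thread does not say which DNS server the LAN uses.
FIXED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_access_in permit icmp 172.16.1.0 255.255.255.0 any
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp 172.16.1.0 255.255.255.0 host 192.0.2.53 eq domain
access-list outside_acl permit icmp any any echo-reply
access-list outside_acl permit icmp any any time-exceeded
access-list outside_acl permit icmp any any unreachable
access-group inside_access_in in interface inside
access-group outside_acl in interface outside
icmp permit 172.16.1.0 255.255.255.0 inside
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")

Ace = Tuple[str, str, List[str]]  # (action, protocol, remaining tokens)


def parse_config(text: str) -> Tuple[Dict[str, List[Ace]], Dict[str, str]]:
    """Return ({acl name: [ACEs]}, {interface: bound acl name}).
    'remark' lines and everything that is not an ACE or binding are skipped."""
    acls: Dict[str, List[Ace]] = {}
    bindings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            name, action, proto, rest = m.groups()
            acls.setdefault(name, []).append((action, proto.lower(), rest.split()))
            continue
        m = GROUP_RE.match(line)
        if m:
            name, iface = m.groups()
            bindings[iface] = name
    return acls, bindings


def _after_addresses(tokens: List[str]) -> List[str]:
    """Skip the source and destination specs ('any', 'host X' or 'X MASK')
    and return what follows: a port operator, an ICMP type, or nothing."""
    rest = list(tokens)
    for _ in range(2):
        if not rest:
            raise ValueError("truncated ACE: " + " ".join(tokens))
        rest = rest[1:] if rest[0] == "any" else rest[2:]
    return rest


def permits_dns_query(acl: List[Ace]) -> bool:
    """True if some permit ACE lets UDP/53 (or all UDP, or all IP) through."""
    for action, proto, tokens in acl:
        if action != "permit" or proto not in ("udp", "ip"):
            continue
        tail = _after_addresses(tokens)
        if not tail or (len(tail) >= 2 and tail[0] == "eq" and tail[1] in ("domain", "53")):
            return True
    return False


def permits_icmp_reply(acl: List[Ace]) -> bool:
    """True if some permit ACE admits ICMP echo-reply (typed or untyped)."""
    for action, proto, tokens in acl:
        if action != "permit" or proto not in ("icmp", "ip"):
            continue
        tail = _after_addresses(tokens)
        if not tail or tail[0] == "echo-reply":
            return True
    return False


def lint(text: str) -> List[str]:
    """Return findings; an empty list means both gaps are closed cleanly."""
    acls, bindings = parse_config(text)
    findings: List[str] = []
    inside = bindings.get("inside")
    # With no ACL bound to inside, the PIX passes all outbound traffic from the
    # higher-security interface, so only a bound ACL can break DNS.
    if inside is not None and not permits_dns_query(acls.get(inside, [])):
        findings.append("inside ACL %s never permits UDP/53: DNS queries are dropped" % inside)
    outside = bindings.get("outside")
    if outside is None or not permits_icmp_reply(acls.get(outside, [])):
        findings.append("no outside ACL admits icmp echo-reply: ping answers are dropped")
    for action, proto, tokens in acls.get(inside or "", []):
        if action == "permit" and proto == "udp" and tokens[:2] == ["any", "any"] \
                and not _after_addresses(tokens):
            findings.append("inside ACL permits udp any any; limit it to the resolver on port 53")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg) or ["ok"])
```

Run against the posted excerpt it reports the two gaps; against the corrected config it reports nothing. The check deliberately treats an absent outside ACL as a finding, because without one the PIX denies the inbound echo-reply by default and, as the reply notes, does not open a return hole for ICMP the way it does for TCP and UDP.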
04-17-2006 09:43 PM
Excellent reply and well explained.