PIX515E and simple LAN setup question

hiktadmin
Level 1

Hello all,

I am trying to set up a Cisco PIX 515E.

Outside interface is connected to the internet.

Inside interface is connected to the inside private LAN.

I am able to use HTTP traffic from the inside LAN. However, I have problems with DNS and ping.

I cannot ping the inside FW interface from LAN clients (this is also the GW for LAN clients), because the LAN address is NATed to the outside interface address. (I see this with debug icmp trace.)

I cannot ping outside addresses from LAN clients. When debugging ICMP at the FW, I can see the ping reply is received back at the FW, but not forwarded from the FW to the client.

DNS is not working. The DNS server is a public IP address. It seems DNS queries are not passed through the FW.

Basically, I want to access the internet through the PIX FW. Can anyone give me some tips on what to do here?

4 Replies

thisisshanky
Level 11

I would like to take a look at your configs. You should be able to ping the inside interface of the PIX (unless there is an ACL on the inside interface that blocks ping). You cannot ping the outside interface of the PIX from the inside segment. Paste your configs in your next post.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

It's not the outside interface I want to ping; it's outside hosts on the internet I want to ping through the outside interface.

Here is my current config:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
enable password encrypted
passwd encrypted
hostname fw
domain-name something.no
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service Internet tcp
description Standard Internet traffic
port-object eq www
port-object eq https
access-list inside_access_in remark Traffic out
access-list inside_access_in remark
access-list inside_access_in permit icmp 172.16.1.0 255.255.255.0 any
access-list inside_access_in remark icmp
access-list inside_access_in permit tcp any any
access-list inside_access_in remark Trafic out
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 194.xx.xx.34 255.255.255.248
ip address inside 172.16.1.1 255.255.255.0
ip address DMZ 194.xx.xx.41 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 200 interface
global (inside) 200 interface
nat (inside) 200 172.16.1.0 255.255.255.0 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 194.xx.xx.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 172.16.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.16.1.200-172.16.1.210 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

First, ICMP is not really considered stateful in the Cisco PIX, at least in the 6.3 train anyway. And the interface of the PIX is by default not pingable.

Also, you can only ping the inside PIX interface from the inside network; you cannot ping the PIX outside interface from the inside network. The outside interface is pingable from the outside network if you allow it.

Basically, to allow pings to the inside interface, here is the command.

icmp permit any inside

That is not the preferable way to do it; I would typically do something like the below, assuming 10.0.0.0/8 is the whole network behind the PIX:

icmp permit 10.0.0.0 255.0.0.0 inside

You can of course limit the type of ICMP; common ones are echo, echo-reply, time-exceeded, source-quench, redirect, unreachable.

The second mistake you made, for browsing, is that DNS requests and replies use UDP instead of TCP. DNS zone transfers use TCP. So you would need to modify your inside ACL to permit UDP.

i.e.

access-list inside_access_in remark permit udp traffic

access-list inside_access_in permit udp any any

If you just want to allow DNS lookups, just allow your DNS server instead of all the DNS clients in the ACL, and limit the UDP to port 53 for DNS.

If you want ICMP replies, you have to create an ACL and apply it to the outside interface.

i.e.

access-list outside-acl permit icmp any any

You can control what type of ICMP message you allow through by specifying the type in the above ACL.
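Putting the three pieces of advice above together against the configuration posted earlier in the thread (172.16.1.0/24 behind the inside interface, the existing inside_access_in ACL and the Internet object-group): the fragment below is an added example written for this page, not a reply from the original thread. The resolver address 198.51.100.53 is a placeholder assumption, and the outside ACL name outside_access_in is chosen here; substitute the real public DNS server and any names already in use.

```cisco
! --- As posted (PIX 6.3): ICMP permitted one way only, no UDP rule,
! --- so DNS (UDP/53) never leaves and echo-replies never come back.
!   access-list inside_access_in permit icmp 172.16.1.0 255.255.255.0 any
!   access-list inside_access_in permit tcp any any
!   access-group inside_access_in in interface inside
!
! --- Corrected ---
! 1. Pinging the inside interface itself is governed by "icmp" rules, not by
!    the traffic ACL. Allow echo only, and only from the LAN subnet; once any
!    icmp rule exists, everything not matched is denied on that interface.
icmp permit 172.16.1.0 255.255.255.0 echo inside
!
! 2. DNS lookups are UDP/53. Permit them only from the LAN to the resolver
!    (198.51.100.53 is an assumed placeholder) and drop the blanket
!    "permit tcp any any" in favour of the web ports the thread already groups.
access-list inside_access_in remark DNS lookups to the resolver only (UDP, not TCP)
access-list inside_access_in permit udp 172.16.1.0 255.255.255.0 host 198.51.100.53 eq domain
access-list inside_access_in remark Web traffic from the LAN
access-list inside_access_in permit tcp 172.16.1.0 255.255.255.0 any object-group Internet
no access-list inside_access_in permit tcp any any
!
! 3. ICMP is not stateful on 6.3, so the replies must be explicitly allowed
!    back in on the outside interface. Do not use "permit icmp any any" here:
!    that also admits echo requests and redirects from the Internet. Allow
!    only the reply and error types a ping, traceroute or PMTU discovery needs.
access-list outside_access_in remark Return ICMP only
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit icmp any any unreachable
access-group outside_access_in in interface outside
!
! Verify from a LAN client (ping 172.16.1.1, nslookup, ping a public host)
! and watch the hit counts climb on the matching entries:
!   show access-list inside_access_in
!   show access-list outside_access_in
!   debug icmp trace
```

The order of operations matters when pasting: add the narrower UDP and TCP entries first, then remove the old "permit tcp any any", so existing web sessions are never cut off by the implicit deny at the end of the ACL.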

Excellent reply and well explained.
