Solved: Re: PIX-506e: Help with NAT setup (newbie)

ddidpm506 · ‎05-08-2007

I've got the following scenario: internal LAN at 192.168.0.x, connected to inside port of 506e. Outside port connected to cable router (SMC 8014). Cable router supplies address to 506e (10.1.10.x).

I've specified address pools as PAT using the assigned port addresses, but I can't ping through the 506e (i.e., I can't ping to 10.1.10.1).

I'm probably just missing something obvious, but I'll be grateful for any advice. Config attached.

Thanks,

dpm

acomiskey · ‎05-09-2007

What fixed it?

Here's everything you ever wanted to know about PIX.

http://cisco.com/en/US/products/sw/secursw/ps2120/tsd_products_support_series_home.html

Command references have all cli commands. Also check out the configuration guides.

Please rate these if they help.

View solution in original post

Jon Marshall · ‎05-08-2007

Hi

Is 10.1.10.1 the ISP address ?.

Ping uses ICMP which is not stateful so you need to explicitly allow it back through your firewall.

Add this to you config

1) access-list outside_in permit icmp host 10.1.10.1 any (note you can change the any to a host from your internal network)

2) access-group outside_in in interface outside.

HTH

Jon

ddidpm506 · ‎05-08-2007

Jon,

No, the 8014 is a cable modem/router. It NATs from the internet address to 10.1.10.x (it gave the PIX 10.1.10.103).

I'm only using ping as an example. I don't think anything is routed through to the cable router. If I connect a PC directly to the cable router everything works fine. But I can't seem to get anything across the PIX.

Thanks,

Dean

cbz · ‎05-08-2007

What rules do you have on your inside interface?

ddidpm506 · ‎05-09-2007

I've attached my entire config.

Is there a document or website that gives a detailed explanation of all terminal commands and their syntax for the 506e?

Thanks,

dpm

cbz · ‎05-09-2007

You have some statements in the pix that are not needed. But below is the config to allow icmp back into the network.

1. Check to see if you have a route to the outside world.

Show route

You should see something like ;

outside 0.0.0.0 0.0.0.0 10.1.10.254

Next paste the following config changes in.

config t

no global (inside) 1 interface

access-list outside permit icmp any any echo-reply

access-list outside permit icmp any any time-exceeded

access-list outside permit icmp any any unreachable

access-group outside in interface outside

exit

wr me

Next from the pix try to ping outside.

ping outside 216.109.112.135

From your PC ping 216.109.112.135

What works and doesn't work?

acomiskey · ‎05-09-2007

You won't get too far with this either..remove these.

access-list inside_access_in permit icmp 192.168.0.0 255.255.255.0 host 10.1.10.1 echo

access-group inside_access_in in interface inside

and what is the purpose of this, you should not need it.

static (inside,outside) 192.168.0.0 192.168.0.0 dns netmask 255.255.255.0 0 0

ddidpm506 · ‎05-09-2007

Thanks everyone - this solved the problem.

I appreciate your help.

Is there ia document that describes, in detail, the CLI commands, their syntax and what the various parameters mean? I'm just monkey-see-monkey-do at his point, and I really need to get a better understanding of what these commands do.

Thanks,

dpm

acomiskey · ‎05-09-2007

What fixed it?

Here's everything you ever wanted to know about PIX.

http://cisco.com/en/US/products/sw/secursw/ps2120/tsd_products_support_series_home.html

Command references have all cli commands. Also check out the configuration guides.

Please rate these if they help.

ddidpm506 · ‎05-09-2007

Here's what my final config looks like:

access-list inside_access_in permit icmp 192.168.0.0 255.255.255.0 host 10.1.10.1 echo

access-list outside_access_in permit icmp interface outside 192.168.0.0 255.255.255.0 echo-reply

access-list icmp1 permit icmp any any

global (outside) 2 interface

global (inside) 1 interface

nat (inside) 2 0.0.0.0 0.0.0.0 dns 0 0

access-group icmp1 in interface outside

Thanks,

dpm