Cisco Support Community
New Member

PIX-506e: Help with NAT setup (newbie)

I've got the following scenario: internal LAN at 192.168.0.x, connected to inside port of 506e. Outside port connected to cable router (SMC 8014). Cable router supplies address to 506e (10.1.10.x).

I've specified address pools as PAT using the assigned port addresses, but I can't ping through the 506e (i.e., I can't ping to 10.1.10.1).

I'm probably just missing something obvious, but I'll be grateful for any advice. Config attached.

Thanks,

dpm

9 REPLIES
Hall of Fame Super Blue

Re: PIX-506e: Help with NAT setup (newbie)

Hi

Is 10.1.10.1 the ISP address?

Ping uses ICMP which is not stateful so you need to explicitly allow it back through your firewall.

Add this to your config

1) access-list outside_in permit icmp host 10.1.10.1 any (note you can change the any to a host from your internal network)

2) access-group outside_in in interface outside

HTH

Jon

New Member

Re: PIX-506e: Help with NAT setup (newbie)

Jon,

No, the 8014 is a cable modem/router. It NATs from the internet address to 10.1.10.x (it gave the PIX 10.1.10.103).

I'm only using ping as an example. I don't think anything is routed through to the cable router. If I connect a PC directly to the cable router everything works fine. But I can't seem to get anything across the PIX.

Thanks,

Dean

cbz
New Member

Re: PIX-506e: Help with NAT setup (newbie)

What rules do you have on your inside interface?

New Member

Re: PIX-506e: Help with NAT setup (newbie)

I've attached my entire config.

Is there a document or website that gives a detailed explanation of all terminal commands and their syntax for the 506e?

Thanks,

dpm

cbz
New Member

Re: PIX-506e: Help with NAT setup (newbie)

You have some statements in the pix that are not needed. But below is the config to allow icmp back into the network.

1. Check to see if you have a route to the outside world.

Show route

You should see something like:

outside 0.0.0.0 0.0.0.0 10.1.10.254

Next paste the following config changes in.

config t

no global (inside) 1 interface

access-list outside permit icmp any any echo-reply

access-list outside permit icmp any any time-exceeded

access-list outside permit icmp any any unreachable

access-group outside in interface outside

exit

wr me

Next from the pix try to ping outside.

ping outside 216.109.112.135

From your PC ping 216.109.112.135

What works and doesn't work?

Green

Re: PIX-506e: Help with NAT setup (newbie)

You won't get too far with this either... remove these.

access-list inside_access_in permit icmp 192.168.0.0 255.255.255.0 host 10.1.10.1 echo

access-group inside_access_in in interface inside

And what is the purpose of this? You should not need it.

static (inside,outside) 192.168.0.0 192.168.0.0 dns netmask 255.255.255.0 0 0

New Member

Re: PIX-506e: Help with NAT setup (newbie)

Thanks everyone - this solved the problem.

I appreciate your help.

Is there a document that describes, in detail, the CLI commands, their syntax and what the various parameters mean? I'm just monkey-see-monkey-do at this point, and I really need to get a better understanding of what these commands do.

Thanks,

dpm

Green

Re: PIX-506e: Help with NAT setup (newbie)

What fixed it?

Here's everything you ever wanted to know about PIX.

http://cisco.com/en/US/products/sw/secursw/ps2120/tsd_products_support_series_home.html

Command references have all cli commands. Also check out the configuration guides.

Please rate these if they help.

New Member

Re: PIX-506e: Help with NAT setup (newbie)

Here's what my final config looks like:

access-list inside_access_in permit icmp 192.168.0.0 255.255.255.0 host 10.1.10.1 echo

access-list outside_access_in permit icmp interface outside 192.168.0.0 255.255.255.0 echo-reply

access-list icmp1 permit icmp any any

global (outside) 2 interface

global (inside) 1 interface

nat (inside) 2 0.0.0.0 0.0.0.0 dns 0 0

access-group icmp1 in interface outside

Thanks,

dpm
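
An added example (not part of any post in this thread, and not Cisco tooling): a small Python check that compares the final config lines posted above with the narrower ICMP rules suggested earlier, flagging ICMP permits applied inbound on the outside interface that carry no ICMP type, and ICMP ACLs that no access-group line in the excerpt applies. The function names and the minimal parsing of `access-list` / `access-group` lines are assumptions made for this illustration.

```python
# Lines copied from the final config posted in this thread.
POSTED = """\
access-list inside_access_in permit icmp 192.168.0.0 255.255.255.0 host 10.1.10.1 echo
access-list outside_access_in permit icmp interface outside 192.168.0.0 255.255.255.0 echo-reply
access-list icmp1 permit icmp any any
access-group icmp1 in interface outside
"""

# Narrower rule set suggested earlier in the thread.
SUGGESTED = """\
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any time-exceeded
access-list outside permit icmp any any unreachable
access-group outside in interface outside
"""


def take_addr(tokens):
    """Consume one address spec: 'any', or a two-token form
    ('host A', 'interface NAME', 'A MASK'). Returns (spec, remaining tokens)."""
    if tokens[:1] == ["any"]:
        return "any", tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]


def audit_icmp(config, interface="outside"):
    """Return (ACLs applied inbound on `interface`, untyped ICMP permits in
    those ACLs, ICMP ACLs that no access-group line applies)."""
    acls, applied = {}, {}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "icmp"]:
            src, rest = take_addr(t[4:])
            dst, rest = take_addr(rest)
            icmp_type = rest[0] if rest else None  # None: every ICMP type matches
            acls.setdefault(t[1], []).append((src, dst, icmp_type))
        elif t[:1] == ["access-group"] and t[2:4] == ["in", "interface"] and len(t) == 5:
            applied[t[1]] = t[4]
    bound = [name for name, ifc in applied.items() if ifc == interface]
    findings = [f"{name}: permit icmp {src} {dst} (no ICMP type)"
                for name in bound
                for src, dst, icmp_type in acls.get(name, [])
                if icmp_type is None]
    unused = [name for name in acls if name not in applied]
    return bound, findings, unused


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(label, audit_icmp(cfg))
```

On the posted lines it reports that icmp1, the only ACL applied to the outside interface, admits every ICMP type, and that the two narrower ACLs are not applied by any access-group line shown. The suggested rule set produces no findings.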
