I have a 515e working fine at one location, but my 501 at a different location will not pass traffic through.
I have a DSL modem connected to the 501 on the outside interface, vpdn is authenticating to it over pppoe. I can ping the outside world from within the firewall over console or telnet, and I can ping the internal network 192.168.51.0 from within the firewall. From the network (51.0) I can ping the firewall's inside NIC (192.168.51.1) but cannot ping or see any traffic through to the outside interface.
The following is my config:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******** encrypted
passwd ********* encrypted
access-list acl_outbound permit ip 192.168.51.0 255.255.255.0 any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.51.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outbound in interface inside
...aaa and http server entries, snmp, etc
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname yearround2
vpdn group pppoex ppp authentication pap
vpdn username **** password *******
What am I missing here? I have compared it to my 515e's settings and can't see where it's not crossing.
No, it's not that. If you notice, I do have two icmp permit lines in there. These, from my understanding, supersede the access-lists, and I have also tried, just to make sure it wasn't the lack of an access-list inbound, to put a permit ip any any on the outside interface, and that didn't help.
I fear it's something to do with my nat or global, but for the life of me I don't see it. What I did for the 515e isn't working on this one.
Thanks for your help though and for any more anyone can offer.
Your nat and global commands are correct. I have a PIX 501 at home w/ the same commands. The icmp command applies to traffic terminating on the PIX's interface, where the access-list and conduit commands apply to traffic passing through the PIX.
Well, I can now ping out at least. I still don't have a DNS server at this location, since we are supposed to be using the one on the other side of a VPN I am trying to erect between the two PIXes, but this part of my issues seems to be resolved. :)
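The distinction drawn in the reply above between the icmp command and access-lists, shown as an added PIX 6.x configuration example that is not from any poster in this thread and is not presented as the fix that resolved it. The ACL names acl_outside_wide and acl_outside_icmp are hypothetical; the first form mirrors the "permit ip any any" test mentioned in the thread, the second is a narrower alternative that admits only ICMP replies to pings sent from inside.

```text
: Added example. Lines starting with a colon are comments on the PIX.
:
: To-the-box traffic: controls pings addressed to the PIX's own
: interfaces only (these two lines are in the posted config).
icmp permit any outside
icmp permit any inside
:
: Through-the-box traffic: ICMP is not tracked statefully in this
: release, so replies returning to inside hosts are checked against
: the ACL applied inbound on the outside interface.
:
: Wide form, as tried in the thread (hypothetical ACL name). It
: admits any IP traffic from outside that matches a translation.
access-list acl_outside_wide permit ip any any
access-group acl_outside_wide in interface outside
:
: Narrow form (hypothetical ACL name). Use it in place of the wide
: form; only one ACL can be bound per interface and direction.
access-list acl_outside_icmp permit icmp any any echo-reply
access-list acl_outside_icmp permit icmp any any time-exceeded
access-list acl_outside_icmp permit icmp any any unreachable
access-group acl_outside_icmp in interface outside
```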