Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
295
Views
0
Helpful
3
Replies

501 to internal host.

jbnutter
Level 1
Level 1

‎04-16-2003 03:46 PM - edited ‎03-09-2019 02:56 AM

I am a total cisco newbie, so please don't make fun if me if I am doing something totally stupid.

I am haveing some problems setting up my pix 501 to allow access to an internal host. I originally tried the web based setup for the 501, but it didn't work. So I am trying the command line to set it up. So, here goes.

I am trying to allow access to an internal web server (and allow icmp packets, ping, to reach it). Here is one of many things i have tried.

(*all IP's are used as examples only)

Internal IP of HOST - 192.168.1.1

Internal IP of PIX - 192.168.1.3

External IP of PIX - 99.99.99.99

O.K.. So I set up the internal and external interfaces (by default, the 501 names them inside and outside, go figure).

I then ping the external ip from and external machine and the internal ip (of the pix) from an internal ip. They both work fine. Time to move on.

I then set up a static nat.

static (inside,outside) 99.99.99.99 192.168.1.1 netmask 255.255.255.255 0 0

When I do this, I can no longer ping the outside IP address of the pix. Thats how it's supposed to be (I assume). I have to set up permissions.. Since the 501 doesn't support access-list. I have to use conduit.

conduit permit icmp host 99.99.99.99 eq icmp all

I have tried various commands on the conduit command includeing

conduit permit tcp host 99.99.99.99 eq http any (etc, etc, etc).. Each time trying the approprait thing I had tried to set up (web, mail, telnet, ftp, etc. etc.)..

I have NO idea what I am doing wrong here. Nothing seems to work. As soon as I start setting up the static nat, nothing seems to work any longer..

help??

Labels:
0 Helpful
3 Replies 3

kmarrero
Level 4
Level 4

‎04-17-2003 07:39 AM

Take a look at this Technical Tips page. There are sample configurations for NAT and conduits. There are other links on there as well that will help you in the future. http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Hardware:PIX&s=Software_Configuration#Software_Samples_and_Tips

0 Helpful

jbnutter
Level 1
Level 1
In response to kmarrero

‎04-17-2003 08:21 AM

Yes, I did.. Have it set up exactly as discribed in this link (with the correct IP's, of course). Still doesn't work though.

http://www.cisco.com/warp/public/110/23.html

0 Helpful

tvanginneken
Level 4
Level 4

‎04-17-2003 12:39 PM

"Since the 501 doesn't support access-list. I have to use conduit"?????

The PIX 501 does support access-lists!!!!!!!

Please have a look at this URL for more info (skip the conduit commands):

http://www.cisco.com/warp/public/707/28.html

Kind Regards,

Tom

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents