
Adding inbound connection

lopeze1
Level 1

Hello,

We are using a PIX (2 interfaces). I'm trying to add an inbound connection to our server inside the network.

The inside address is 201.180.60.60 and the outside address is 230.31.103.188. The first thing I did was to try to ping the outside address (230.31.103.188) from the firewall itself; I used the config below. Is this correct? I can't seem to ping 230.31.103.188; do you think this is normal? I tried to ping from our router outside, and it does not reply either. Can anyone help? Thanks in advance.

: Saved
:
PIX Version 5.3(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname PIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
access-list acl_out permit icmp any host 230.13.200.188
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 230.13.200.187 255.255.255.248
ip address inside 201.180.60.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 230.13.200.189-230.13.200.190 netmask 255.255.255.248
nat (inside) 1 201.180.60.0 255.255.255.0 100 50
alias (inside) 201.180.60.60 230.13.200.188 255.255.255.255
static (inside,outside) 230.13.200.189 201.180.60.252 netmask 255.255.255.255 0 0
static (inside,outside) 230.13.200.188 201.180.60.60 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 230.13.200.186 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet 172.16.16.11 255.255.255.255 inside
telnet 201.180.60.60 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
terminal width 80

PIX(config)# show xlate
Global 230.13.200.189 Local 201.180.60.252 static
Global 230.13.200.188 Local 201.180.60.60 static
Global 230.13.200.190 Local 201.180.60.157

5 Replies

jruelo
Level 1

I noticed that the outside IP address 230.31.103.188 is on a different network from the outside interface address, 230.13.200.187. For sure it won't ping, because it has a different network address. It also seems that 230 is not a Class C address, because Class C runs from 192 to 223 only.

lopeze1
Level 1

Hi,

Thanks for the response. Anyway, I entered the wrong address at the top; it should be 230.13.200.*. This subnet is just a sample; I replaced my real external subnet with this one, just in case there are hackers snooping around this forum.

What I'm trying to do here is map the external address 230.13.200.188 to the internal one, 201.180.60.60. Note that 230.13.200.187 is my PIX 515. Do you mean I have to map to the PIX address (230.13.200.187)?

regards,

eric

You do not need to map the inside host to the outside interface. Have you tried to ping the outside interface from a client? Your config looks fine.

Hi,

If you haven't resolved this yet: I don't see a route statement for the inside, for the PIX to get to your inside subnets.

Hope this helps.

gspencer
Level 1

Your access-list is the problem. What you are doing is permitting ICMP from any host on the outside to host 230.13.200.188.

I believe you have to specify whether you want the host to send echo or just to reply.

SERVER RESPONDING TO OUTSIDE HOSTS

Try this:

access-list acl_out permit icmp any host 230.13.200.188 echo

access-list acl_out permit icmp any host 230.13.200.188 echo-reply

PING FROM INSIDE

access-list acl_out permit icmp host 230.13.200.188 any echo

access-list acl_out permit icmp host 230.13.200.188 any echo-reply

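The two directions gspencer distinguishes can be checked mechanically before touching the box. The script below is an added example, not code from this thread or from Cisco: it parses `static`, `access-list` and `access-group` lines in the style of the posted config and evaluates a packet arriving on the outside interface the way a pre-7.0 PIX does, matching the bound ACL against the packet's global (not yet untranslated) destination with first-match-wins and an implicit deny, then applying the static to find the inside host. The sample config text, the external host 198.51.100.7 and all helper names are constructed for the example. It shows that an outside host's echo to 230.13.200.188 is permitted and lands on 201.180.60.60, and that, because PIX 5.x/6.x does not track ICMP statefully, the echo-reply coming back for a ping the inside server sent out also arrives on the outside interface with 230.13.200.188 as its destination, so the entry that permits it must name the global address as the destination, not as the source.

```python
"""Added example: model of a pre-7.0 PIX outside ACL plus static translation.
Not Cisco code; the config text and addresses below are constructed for the demo."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the thread's static for the server plus gspencer's two
# "server responding to outside hosts" entries, bound to the outside interface.
SAMPLE_CONFIG = """\
static (inside,outside) 230.13.200.188 201.180.60.60 netmask 255.255.255.255 0 0
access-list acl_out permit icmp any host 230.13.200.188 echo
access-list acl_out permit icmp any host 230.13.200.188 echo-reply
access-group acl_out in interface outside
"""


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[str]  # None means "any ICMP type"
    text: str


@dataclass
class Static:
    global_net: ipaddress.IPv4Network
    local_net: ipaddress.IPv4Network


@dataclass
class PixConfig:
    statics: list = field(default_factory=list)
    acls: dict = field(default_factory=dict)      # acl name -> [Ace]
    bindings: dict = field(default_factory=dict)  # interface -> acl name


def _addr(tokens, i):
    """Parse one PIX address spec at tokens[i]; return (network, next index).
    PIX ACLs take a real subnet mask, not an IOS-style wildcard mask."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Pick the static, access-list and access-group lines out of a PIX config."""
    cfg = PixConfig()
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "static":
            # static (inside,outside) GLOBAL LOCAL netmask MASK [max_conns [em_limit]]
            mask = t[5]
            cfg.statics.append(Static(
                ipaddress.ip_network(f"{t[2]}/{mask}", strict=False),
                ipaddress.ip_network(f"{t[3]}/{mask}", strict=False)))
        elif t[0] == "access-list":
            # access-list NAME permit|deny PROTO SRC DST [icmp-type]
            name, action, proto = t[1], t[2], t[3]
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            icmp_type = t[i] if proto == "icmp" and i < len(t) else None
            cfg.acls.setdefault(name, []).append(
                Ace(action, proto, src, dst, icmp_type, line.strip()))
        elif t[0] == "access-group":
            # access-group NAME in interface IFACE
            cfg.bindings[t[4]] = t[1]
    return cfg


def untranslate(cfg, global_dst):
    """Map a global (outside) destination to the inside address its static names."""
    for s in cfg.statics:
        if global_dst in s.global_net:
            offset = int(global_dst) - int(s.global_net.network_address)
            return s.local_net.network_address + offset
    return None


def evaluate_inbound(cfg, interface, src, dst, proto, icmp_type=None):
    """Return (permitted, matching ACE text, inside address) for a packet arriving
    on `interface`. As on PIX before 7.0, the ACL is matched against the packet's
    global destination, the first match wins, and an unmatched packet is denied."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in cfg.acls.get(cfg.bindings.get(interface), []):
        if ace.proto not in ("ip", proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if proto == "icmp" and ace.icmp_type not in (None, icmp_type):
            continue
        return ace.action == "permit", ace.text, untranslate(cfg, dst)
    return False, None, untranslate(cfg, dst)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    outside_host = "198.51.100.7"  # constructed external address
    # An outside host pinging the published server address
    print(evaluate_inbound(cfg, "outside", outside_host, "230.13.200.188", "icmp", "echo"))
    # The reply coming back for a ping the inside server sent out: it carries the
    # same global address as destination, so it needs the same shape of entry
    print(evaluate_inbound(cfg, "outside", outside_host, "230.13.200.188", "icmp", "echo-reply"))
    # Anything the ACL does not name is dropped by the implicit deny
    print(evaluate_inbound(cfg, "outside", outside_host, "230.13.200.188", "tcp"))
```

Run it as-is to print the three verdicts, or paste your own `static` and `access-list` lines into the config string to see which entry a given inbound packet would hit before you apply the ACL.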