04-18-2002 07:06 AM - edited 03-08-2019 10:21 PM
Hello,
We are using a PIX (2 interface). Im trying to add an inbound connection to our server inside the network.
The inside address is 201.180.60.60 and the outside address is 230.31.103.188. First thing I did was to try to ping the outside address (230.31.103.188) in the firewall itself, I used the config below. Is this correct? I can't seamed to ping the 230.31.103.188, do you think this is normal? I tried to ping from our router outside, it does not reply either, can anyone help? Thanks in advance.
: Saved
:
PIX Version 5.3(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname PIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
access-list acl_out permit icmp any host 230.13.200.188
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 230.13.200.187 255.255.255.248
ip address inside 201.180.60.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 230.13.200.189-230.13.200.190 netmask 255.255.255.248
nat (inside) 1 201.180.60.0 255.255.255.0 100 50
alias (inside) 201.180.60.60 230.13.200.188 255.255.255.255
static (inside,outside) 230.13.200.189 201.180.60.252 netmask 255.255.255.255 0
0
static (inside,outside) 230.13.200.188 201.180.60.60 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 230.13.200.186 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet 172.16.16.11 255.255.255.255 inside
telnet 201.180.60.60 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
terminal width 80
PIX(config)# show xlate
Global 230.13.200.189 Local 201.180.60.252 static
Global 230.13.200.188 Local 201.180.60.60 static
Global 230.13.200.190 Local 201.180.60.157
04-19-2002 11:51 PM
I noticed that the outside IP address 230.31.103.188 has a different IP network address outside which is 230.13.200.187. For sure it won't ping because it has different network address. It seems that 230 is not Class C address because class C is from 192 to 223 only.
04-20-2002 03:42 AM
Hi,
Thanks for the respond, anyways, I entered the wrong address at the top, it should be 230.13.200.*. This sub net is just a sample, I replaced my real external subnet id to this one, just incase theres hackers snooping around this forum.
What Im trying to do here is map the external address 230.13.200.188 to the internal one 201.180.60.60. Note that 230.13.200.187 is my PIX515. You mean I have to map to the pix address (230.13.200.187)?
regards,
eric
04-20-2002 09:49 AM
you do not need to map the inside host to the outside interface. Have you try to ping the outside interface from a client? your conifg looks fine
04-29-2002 10:26 AM
Hi,
If you haven't resolved this as yet. I don't see a route statement for the inside for the pix to get to your inside subnets.
Hope this helps.
04-29-2002 10:48 AM
Your access-list is the problem. What you are doing is premiting Icmp from any host on the outside to host 230.13.200.188.
I beileve you have to specify if you want the host to send echo or just to reply.
SERVER RESPONDING TO OUTSIDE HOSTS
try this access-list acl_out permit icmp any host 230.13.200.188 echo
access-list acl_out permit icmp any host 230.13.200.188 echo-reply
PING FROM INSIDE
access-list acl_out permit icmp host 230.13.200.188 any echo
access-list acl_out permit icmp host 230.13.200.188 any echo-reply.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: