Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Allowing traffic to flow from different interface

I have installed another interface on my PIX and connected hosts to it. It is a lower security than my inside. I am not doing tanslations so my understanding is that I do not need a NAT or Global statement. I have created a static entry though. I cannot ping the host on that interface.

Thanks

  • Other Security Subjects
2 REPLIES
Cisco Employee

Re: Allowing traffic to flow from different interface

If you're pinging from a host on the inside, then you need to add an access-list specifically for ICMP traffic. The PIX does open up holes for TCP and UDP traffic and allow it to come back in, this does not hold true for ICMP traffic though.

Try adding the following:

access-list NewInterfaceACL permit icmp any any

access-group NewInterfaceACL in interface

Then try pinging from the inside interface. Note the static that you said you've added will need to look something like:

static (inside,newint) mask

which says that traffic from the inside network going to newint will not be translated, but it will be allowed through.

New Member

Re: Allowing traffic to flow from different interface

Let me ask a question regarding your configuration. Since your not doing translations what is your DMZ interface's ip address? a public address? Any chance of you posting your config (minus public address of course)? I have to setup the same type configuration and need a reference point.

Thanks in advance.

84
Views
0
Helpful
2
Replies
This widget could not be displayed.