Inside to Outside on Pix 501

Mike.VanHoff
Level 1

I have a PIX 501 10-user. I can ping from the console to any public IP address, but not from an inside address. I am including my config in hopes that someone can tell me what I am doing wrong for my inside-to-outside connectivity. TIA

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname BarberPix
domain-name barberatty.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
mtu outside 1500
mtu inside 1500
ip address outside 12.39.123.70 255.255.255.128
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 12.39.123.3 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.2-192.168.10.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

3 Replies

Patrick Iseli
Level 7

You need to configure an access-list to allow the ICMP replies from the Internet. Note that ICMP is not a stateful protocol.

ICMP Traffic on PIX Firewall

Source:

The PIX and the traceroute Command
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml

Handling ICMP Pings with the PIX Firewall
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Access-list example for traceroute:

#Microsoft:
access-list 101 permit icmp any interface outside unreachable
access-list 101 permit icmp any interface outside time-exceeded
access-list 101 permit icmp any interface outside echo-reply

#UNIX:
access-list 101 permit icmp any interface outside unreachable
access-list 101 permit icmp any interface outside time-exceeded

#Finally activate the ACL on the interface:
access-group 101 in interface outside

sincerely

Patrick
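The reply above boils down to a handful of checks you can run against the posted config before and after the ACL is added: is there a matching nat/global pair, a default route, an access-group inbound on outside, and does that ACL permit the three ICMP reply types an outbound ping or traceroute generates. The script below is an added example written for this page, not code from the thread or from Cisco; the config excerpts are constructed from the posted config, and the function names (audit, parse, permitted_icmp_types) and the small subset of PIX 6.x syntax it parses are my own assumptions.

```python
"""Static audit of a PIX 6.x config for the issues raised in this thread.

Added example, not from the thread. It understands only the small subset of
PIX 6.x syntax that appears in the posted config (nat/global, route,
access-list ... permit icmp, access-group, snmp-server, dhcpd).
"""

# Constructed excerpt of the config posted above, before any ACL was added.
BEFORE = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 12.39.123.70 255.255.255.128
ip address inside 192.168.10.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 12.39.123.3 1
snmp-server community public
dhcpd address 192.168.10.2-192.168.10.33 inside
dhcpd auto_config outside
dhcpd enable inside
"""

# The lines from the reply above: permit the ICMP replies that outbound
# pings and traceroutes generate, bound inbound on the outside interface.
FIX = """\
access-list 101 permit icmp any interface outside unreachable
access-list 101 permit icmp any interface outside time-exceeded
access-list 101 permit icmp any interface outside echo-reply
access-group 101 in interface outside
"""

AFTER = BEFORE + FIX

# ICMP types an outbound ping/traceroute needs back. PIX 6.3 does not track
# ICMP state, so each one must be permitted explicitly on the outside ACL.
NEEDED = {"echo-reply", "unreachable", "time-exceeded"}


def parse(config):
    """Non-empty config lines; PIX stores comments with a leading ':'."""
    lines = [raw.strip() for raw in config.splitlines()]
    return [ln for ln in lines if ln and not ln.startswith(":")]


def _take_addr(tok, i):
    """Consume one address spec: 'any' (1 token) or host/interface/net-mask (2)."""
    if tok[i] == "any":
        return "any", i + 1
    return " ".join(tok[i:i + 2]), i + 2


def outside_inbound_acl(lines):
    """Name of the ACL applied inbound on outside, or None."""
    for ln in lines:
        tok = ln.split()
        if tok[:1] == ["access-group"] and tok[2:5] == ["in", "interface", "outside"]:
            return tok[1]
    return None


def permitted_icmp_types(lines, acl):
    """ICMP types the ACL permits toward the outside interface ('*' = all)."""
    types = set()
    for ln in lines:
        tok = ln.split()
        if tok[:4] != ["access-list", acl, "permit", "icmp"]:
            continue
        _src, i = _take_addr(tok, 4)
        dst, i = _take_addr(tok, i)
        itype = tok[i] if i < len(tok) else "*"   # no type given = every type
        if dst in ("interface outside", "any"):
            types.add(itype)
    return types


def audit(config):
    """Return findings as strings; empty means ping/traceroute replies get in
    and nothing obviously weak was seen."""
    lines = parse(config)
    findings = []
    nat_ids = {ln.split()[2] for ln in lines if ln.startswith("nat (inside) ")}
    global_ids = {ln.split()[2] for ln in lines if ln.startswith("global (outside) ")}
    if not nat_ids & global_ids:
        findings.append("no matching nat (inside) / global (outside) pair")
    if not any(ln.startswith("route outside 0.0.0.0 0.0.0.0 ") for ln in lines):
        findings.append("no default route on outside")
    acl = outside_inbound_acl(lines)
    if acl is None:
        findings.append("no access-group on outside: ICMP replies to inside pings are dropped")
    else:
        got = permitted_icmp_types(lines, acl)
        if "*" in got:
            findings.append(f"ACL {acl} permits every ICMP type inbound; narrow it to the reply types")
        else:
            for t in sorted(NEEDED - got):
                findings.append(f"ACL {acl} does not permit icmp {t} to the outside interface")
    for ln in lines:
        if ln.startswith("snmp-server community ") and ln.split()[2].lower() in ("public", "private"):
            findings.append("snmp-server community is a default string; change or remove it")
    if any(ln.startswith("dhcpd enable") for ln in lines) and not any(ln.startswith("dhcpd dns ") for ln in lines):
        findings.append("dhcpd hands out no DNS server (auto_config only helps when outside is a DHCP client)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {audit(cfg) or ['clean']}")
```

Run as a script it reports three findings for the posted config and two after the ACL is added: the ICMP finding goes away, while the default SNMP community string and the missing DHCP DNS option (the point raised in the next reply) remain. Two caveats on the fix itself: because PIX 6.3 does not inspect ICMP statefully, the ACL admits those three types from any source to the outside interface address (replies that match no existing xlate are still dropped at translation), and on PIX 7.0 and later the same result is better obtained with the icmp inspection engine, which makes ICMP replies stateful and removes the need for these permit lines.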

Thanks, that did the trick along with DNS entries. I am good to go.

stomasko
Level 4

Do you have a DNS server configured on the machines? I notice there isn't one in the config.

Steve
