Cisco Support Community

New Member

Inside to Outside

Hi,

I have a PIX-501:

Cisco PIX Firewall Version 6.3(4)

Cisco PIX Device Manager Version 3.0(2)

The problem is that my firewall stops all traffic from inside -> outside. It had worked fine until two weeks ago, and I have not made any new configuration changes on the firewall.

I can't surf, FTP or ping anything from inside to outside.

I have understood that all traffic from the inside to the outside is handled by NAT.

Here is my config:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

global (outside) 1 interface

Is this okay? Should there be something more?

Does anyone have a clue what to look at or what to test?

ACCEPTED SOLUTION
Gold

Re: Inside to Outside

Apply "icmp permit 0 0 0 outside".

With this command, no host can ping the PIX outside interface, while the PIX outside interface will be able to ping the internet.

13 REPLIES

Re: Inside to Outside

Hi

The nat statement and the global statement indicate that you are set up with PAT in your PIX, and things should work out for you.

Can you clear the translations using clear xlate, try to access something in the outside network, and then check the translations using the show xlate command?

If possible, do post the output of the show xlate command here,

and also, if possible, the config of your firewall.

Regards

New Member

Re: Inside to Outside

Hi,

I did not run clear xlate, because the last time I ran it the firewall hung, and the firewall is not located near me. : )

I ran ping -t and tried to connect with FTP from inside to outside:

pixfirewall(config)# sh xlate
5 in use, 27 most used
PAT Global firewall_ip(2155) Local EjectIIS1(3653)
PAT Global firewall_ip(1650) Local EjectIIS1(2575)
PAT Global firewall_ip(1) Local EjectIIS1 ICMP id 512
PAT Global firewall_ip(22) Local EjectIIS1(22)
PAT Global firewall_ip(80) Local EjectIIS1(80)


New Member

Re: Inside to Outside

[RUNNING CONFIG]

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.1.2 EjectIIS1
name xxx.xxx.xxx.xxx firewall_ip
name 10.10.1.3 EjectIIS1_ilo
access-list 111 permit tcp any host firewall_ip eq www
access-list 111 permit tcp any host firewall_ip eq ssh
access-list 111 permit tcp any host firewall_ip eq 7589
access-list 111 permit tcp any host firewall_ip eq smtp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside firewall_ip 255.255.255.128
ip address inside 10.10.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location EjectIIS1 255.255.255.255 inside
pdm location EjectIIS1_ilo 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www EjectIIS1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh EjectIIS1 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 7589 EjectIIS1_ilo https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp EjectIIS1 smtp netmask 255.255.255.255 0 0
access-group 111 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address EjectIIS1-10.10.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

Gold

Re: Inside to Outside

Maybe we should start from the PIX rather than from the inside.

"sh int" to verify the interface status.

"sh ip" to verify the public IP, if ADSL/PPPoE has been configured for the outside interface.

Also, ping the internet from the PIX directly.

New Member

Re: Inside to Outside

Hi,

Thanks for the fast reply.

pixfirewall(config)# sh ip
System IP Addresses:
ip address outside firewall_ip 255.255.255.128
ip address inside 10.10.1.1 255.255.255.0
Current IP Addresses:
ip address outside firewall_ip 255.255.255.128
ip address inside 10.10.1.1 255.255.255.0

pixfirewall(config)# sh int
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0013.7f6d.4a49
IP address XXX.XXX.XXX.XXX, subnet mask 255.255.255.128
MTU 1500 bytes, BW 100000 Kbit full duplex
2985477 packets input, 441042258 bytes, 0 no buffer
Received 278332 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
3721743 packets output, 40051821 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/19)
output queue (curr/max blocks): hardware (0/43) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0013.7f6d.4a4a
IP address 10.10.1.1, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
3726670 packets input, 41700863 bytes, 0 no buffer
Received 2860 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
2704126 packets output, 417199711 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/43)
output queue (curr/max blocks): hardware (0/25) software (0/1)

When I try to ping an IP directly from the PIX, it works just fine.

And the rules for access from outside to inside (EjectIIS1) are working fine for SSH, SMTP and HTTP.

New Member

Re: Inside to Outside

Hi, again

I have a static IP from my ISP, and it has not been changed since I configured the firewall a year ago. So I don't think that's the problem.

I talked to my ISP now and asked if they have made any changes in the past two weeks, but they had not. : (

I know that they have a firewall that my firewall is behind, but it should be configured to permit all inside -> outside and outside -> inside traffic. But if I can ping from my firewall to www and not from my server behind my firewall to www, it must be my firewall that has the problem then???

(Sorry for my bad English, hope you understand)

Best regards,

Björn Kallin

New Member

Re: Inside to Outside

You are not able to ping the Internet from your server because access-list 111 does not allow it. Try adding these lines:

access-list 111 permit icmp any any echo-reply

access-list 111 permit icmp any any unreachable

access-list 111 permit icmp any any time-exceeded

These will allow your inside hosts to ping and traceroute to the Internet but not allow the Internet to ping or traceroute you.

-Mark

New Member

Re: Inside to Outside

Hi,

After having squeezed my ISP for information about the config of their firewall, they noticed that their firewall was blocking all inside -> outside traffic. And when they opened it again, everything started working.

Sorry for the inconvenience!

But I tried to ping the internet from inside my firewall, and it is still not working.

My access-list 111 is only for traffic outside -> inside, isn't it??

With the command: “access-group 111 in interface outside”

If I apply this:

access-list 111 permit icmp any any echo-reply

access-list 111 permit icmp any any unreachable

access-list 111 permit icmp any any time-exceeded

Does it not open up for the outside to ping my inside, or is that what the static command permits?

Re: Inside to Outside

Hi

These ACL entries will allow the echo-reply, which is required to confirm whether the pinged host is live or dead, and other notification messages like unreachable and time-exceeded.

Echo-replies are paired with the ICMP echoes that are sent from the hosts to validate; as a reply, you get echo-replies from the other end as a notification that represents the status of the remote end host.

Regards
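As an added illustration of Mark's point and of the reply above (this is not code from the thread, and not a Cisco tool), here is a small Python model of how a PIX 6.3 decides whether a packet arriving on the outside interface gets through. It assumes the 6.3 behaviour of no stateful ICMP inspection: a TCP reply that matches the connection table passes without consulting the inbound ACL, while an ICMP echo-reply is evaluated against access-list 111 like any other packet. The remote host name, the sample packets and the single connection-table entry are constructed.

```python
# Added example, not from the thread: a model of how PIX 6.3 treats packets
# arriving on the outside interface. Assumed behaviour (6.3 has no stateful
# ICMP inspection): TCP replies matching the connection table pass without
# consulting the inbound ACL; ICMP is checked against access-list 111.

def _addr(t, i):
    """Consume 'any' or 'host X' (the only forms in the posted ACL)."""
    return ("any", i + 1) if t[i] == "any" else (t[i + 1], i + 2)

def parse_acl(lines):
    """Parse 'access-list' lines into (action, proto, src, dst, port, icmp_type)."""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        rest = t[i:]
        port = rest[1] if len(rest) > 1 and rest[0] == "eq" else None
        itype = rest[0] if t[3] == "icmp" and rest else None
        rules.append((t[2], t[3], src, dst, port, itype))
    return rules

def acl_permits(rules, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, proto, src, dst, port, itype in rules:
        if (proto == pkt["proto"] and src in ("any", pkt["src"])
                and dst in ("any", pkt["dst"])
                and port in (None, pkt.get("port"))
                and itype in (None, pkt.get("icmp_type"))):
            return action == "permit"
    return False

def inbound_allowed(rules, conns, pkt):
    """Outside -> inside decision for one packet against a constructed conn table."""
    if (pkt["proto"], pkt["dst"], pkt.get("port")) in conns:
        return True  # reply to an established outbound connection
    return acl_permits(rules, pkt)

# The four entries from the posted config, then Mark's suggested additions.
BASE_ACL = ["access-list 111 permit tcp any host firewall_ip eq " + p
            for p in ("www", "ssh", "7589", "smtp")]
ICMP_ACL = ["access-list 111 permit icmp any any " + t
            for t in ("echo-reply", "unreachable", "time-exceeded")]
# Constructed: one PAT connection like the 'firewall_ip(2155)' xlate entry above.
CONNS = {("tcp", "firewall_ip", "2155")}
FTP_REPLY = {"proto": "tcp", "src": "remote", "dst": "firewall_ip", "port": "2155"}
ECHO_REPLY = {"proto": "icmp", "src": "remote", "dst": "firewall_ip", "icmp_type": "echo-reply"}
ECHO_REQUEST = {"proto": "icmp", "src": "remote", "dst": "firewall_ip", "icmp_type": "echo"}
```

With only the posted ACL the FTP reply passes but the echo-reply is dropped; with the three ICMP entries added the echo-reply passes while an echo request from the outside is still denied.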
