01-03-2006 02:41 AM - edited 03-09-2019 01:31 PM
Hi,
I have a PIX-501:
Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(2)
The problem is that my firewall stops all traffic from inside -> outside. It had worked fine until two weeks ago, and I have not made any new config changes on the firewall.
I can't surf, FTP, or ping anything from inside to the outside.
I have understood that all traffic from the inside to the outside is handled by NAT.
Here is my config:
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
Is this okay? Should there be something more?
Does anyone have a clue what to look at or what to test?
01-03-2006 03:01 AM
Hi
The nat statement and the global statement indicate that you are set up with PAT on your PIX, and things should work out for you.
Can you clear the translations using clear xlate, try to access something in the outside network, and then check the translations using the show xlate command?
If possible, do post the output of the show xlate command here,
and also, if possible, the config of your firewall.
Regards
01-03-2006 04:32 AM
Hi,
I did not run clear xlate because the last time I ran that the firewall hung, and the firewall is not located near me. : )
I ran ping -t and tried to connect with FTP from inside to outside:
pixfirewall(config)# sh xlate
5 in use, 27 most used
PAT Global firewall_ip(2155) Local EjectIIS1(3653)
PAT Global firewall_ip(1650) Local EjectIIS1(2575)
PAT Global firewall_ip(1) Local EjectIIS1 ICMP id 512
PAT Global firewall_ip(22) Local EjectIIS1(22)
PAT Global firewall_ip(80) Local EjectIIS1(80)
01-03-2006 04:52 AM
[RUNNING CONFIG]
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.1.2 EjectIIS1
name xxx.xxx.xxx.xxx firewall_ip
name 10.10.1.3 EjectIIS1_ilo
access-list 111 permit tcp any host firewall_ip eq www
access-list 111 permit tcp any host firewall_ip eq ssh
access-list 111 permit tcp any host firewall_ip eq 7589
access-list 111 permit tcp any host firewall_ip eq smtp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside firewall_ip 255.255.255.128
ip address inside 10.10.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location EjectIIS1 255.255.255.255 inside
pdm location EjectIIS1_ilo 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www EjectIIS1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh EjectIIS1 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 7589 EjectIIS1_ilo https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp EjectIIS1 smtp netmask 255.255.255.255 0 0
access-group 111 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address EjectIIS1-10.10.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
01-03-2006 05:14 AM
Maybe we should start from the PIX rather than the inside.
"sh int" to verify the interface status.
"sh ip" to verify the public IP if ADSL/PPPoE has been configured for the outside interface.
Also, ping the internet from the PIX directly.
01-03-2006 05:43 AM
Hi,
Thanks for the fast reply.
pixfirewall(config)# sh ip
System IP Addresses:
ip address outside firewall_ip 255.255.255.128
ip address inside 10.10.1.1 255.255.255.0
Current IP Addresses:
ip address outside firewall_ip 255.255.255.128
ip address inside 10.10.1.1 255.255.255.0
pixfirewall(config)# sh int
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0013.7f6d.4a49
IP address XXX.XXX.XXX.XXX, subnet mask 255.255.255.128
MTU 1500 bytes, BW 100000 Kbit full duplex
2985477 packets input, 441042258 bytes, 0 no buffer
Received 278332 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
3721743 packets output, 40051821 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/19)
output queue (curr/max blocks): hardware (0/43) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0013.7f6d.4a4a
IP address 10.10.1.1, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
3726670 packets input, 41700863 bytes, 0 no buffer
Received 2860 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
2704126 packets output, 417199711 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/43)
output queue (curr/max blocks): hardware (0/25) software (0/1)
When I try to ping an IP directly from the PIX it works just fine.
And the rules for access from outside to inside (EjectIIS1) are working fine for SSH, SMTP and HTTP.
01-03-2006 06:53 AM
Hi, again
I have a static IP from my ISP and it has not been changed since I configured the firewall one year ago. So I don't think that's the problem.
I talked to my ISP now and asked if they have made any changes in the past two weeks, but they had not. : (
I know that they have a firewall that my firewall is behind. But it should be configured to permit all inside -> outside and outside -> inside. But if I can ping from my firewall to the web and not from my server behind my firewall to the web, it must be my firewall that has the problem then???
(Sorry for my bad English, hope you understand)
Best regards,
Björn Kallin
01-03-2006 07:50 AM
You are not able to ping the Internet from your server because access-list 111 does not allow it. Try adding these lines:
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any unreachable
access-list 111 permit icmp any any time-exceeded
These will allow your inside hosts to ping and traceroute to the Internet but not allow the Internet to ping or traceroute you.
-Mark
01-04-2006 02:09 AM
Hi,
After having squeezed my ISP for information about the config of their firewall, they noticed that their firewall was blocking all inside -> outside traffic. And when they opened it again everything started working.
Sorry for the inconvenience!
But I tried to ping the internet from inside my firewall and it is still not working.
Isn't my access-list 111 only for traffic outside -> inside??
With the command: access-group 111 in interface outside
If I apply this:
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any unreachable
access-list 111 permit icmp any any time-exceeded
Does it not open up for the outside to ping my inside, or is that what the static command permits?
01-04-2006 05:03 AM
Hi
These ACL entries will allow the echo-reply, which is required to confirm whether the pinged host is live or dead, and other notification messages like unreachable and time-exceeded.
An echo-reply is paired with the ICMP echo that is sent from the host to validate the remote end; as a reply you get echo-replies from the other end as a notification that represents the status of the remote-end host.
Regards
01-04-2006 07:55 PM
With these 3 entries, you will be able to ping outside from the inside, but the outside can't ping the inside.
01-05-2006 02:51 AM
It worked just fine, thanks!!
With my running config as it looks right now it's possible to ping the public IP (the firewall). How do I block that?
01-05-2006 03:34 AM
It's good to learn that your issue has been resolved.
According to Cisco,
01-05-2006 03:34 AM
Apply "icmp permit 0 0 0 outside".
With this command, no host can ping the PIX outside interface, while the PIX outside interface will still be able to ping the internet.
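As an added example (not part of the original thread, and not Cisco's own documentation), here is how the pieces discussed in this thread fit together on PIX 6.3. Two facts drive it: ICMP passing through a PIX 6.3 is not tracked statefully the way TCP/UDP is, so the return messages an inside host needs have to be admitted explicitly by the ACL bound to the outside interface; and ICMP aimed at the PIX's own interface address is handled by the separate icmp command, not by the access-list. The names firewall_ip, EjectIIS1 and access-list 111 are taken from the posted config; the before/after split and the comments are mine.

```cisco
! --- Before: the outside ACL as posted. Outbound TCP/UDP from inside works
! because the PIX keeps a connection entry for each flow, but ICMP through
! the box is not tracked on 6.3, so the echo-reply coming back from the
! internet hits this ACL and is dropped by the implicit deny at its end.
! That is why ping from EjectIIS1 failed while ping from the PIX itself
! (to-the-box traffic, not subject to this ACL) worked.
access-list 111 permit tcp any host firewall_ip eq www
access-list 111 permit tcp any host firewall_ip eq ssh
access-list 111 permit tcp any host firewall_ip eq 7589
access-list 111 permit tcp any host firewall_ip eq smtp
access-group 111 in interface outside

! --- After: admit only the ICMP *replies* an inside host needs.
!   echo-reply    : answers to ping
!   time-exceeded : per-hop answers to traceroute
!   unreachable   : traceroute's final hop, and type 3 code 4
!                   "fragmentation needed", which path-MTU discovery
!                   depends on; silently dropping it breaks large transfers
! There is deliberately no "echo" line, so the internet still cannot ping
! hosts behind the PIX. The reply is matched to the inside host through the
! PAT xlate with "ICMP id" seen in the sh xlate output earlier in the thread.
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any unreachable
access-list 111 permit icmp any any time-exceeded

! --- Through-the-box vs. to-the-box ICMP.
! The access-list governs traffic *through* the PIX. Pings aimed at the
! PIX's own outside address are controlled by the icmp command, which gets
! its own implicit deny as soon as any icmp statement exists on that
! interface. "icmp permit 0 0 0 outside" from the accepted answer permits
! only ICMP type 0 (echo-reply) to the outside interface; the long form
! below says the same thing, additionally lets the PIX's own traceroute and
! PMTUD receive their answers, and makes the deny explicit so the intent
! survives the next person reading the config.
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any outside

! --- Verify. show access-list prints a hit count per line: ping from
! EjectIIS1 and watch the echo-reply counter increase. debug icmp trace
! shows each ICMP packet and the translation it matched.
show access-list 111
debug icmp trace
```

The two "unreachable" permits deserve a second look before being copied: they admit every ICMP type 3 code, which is what traceroute and PMTUD need, but on a busier edge a practitioner may prefer to log them (add log to the access-list line) so that a flood of unreachables from a misbehaving upstream shows up in the syslog rather than passing silently.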