Inside to Outside

berra2323
Level 1

Hi,

I have a PIX-501:

Cisco PIX Firewall Version 6.3(4)

Cisco PIX Device Manager Version 3.0(2)

The problem is that my firewall stops all traffic from inside -> outside. It has worked fine until two weeks ago, and I have not done any new config on the firewall.

I can’t surf, ftp, or ping anything from inside to the outside.

I have understood that all traffic from the inside to outside is handled by nat.

Here is my config:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

global (outside) 1 interface

Is this okay? Should it be something more?

Does anyone have a clue what to look at or what to test?


spremkumar
Level 9

Hi

The nat statement and the global statement indicate that you are set up with PAT on your PIX, and things should work out for you.

Can you clear the translations using clear xlate, try to access something in the outside network, and then check the translations using the show xlate command?

If possible, post the output of the show xlate command here.

Also, if possible, the config of your firewall.

regds

Hi,

I did not run clear xlate because the last time I ran that the firewall hung, and the firewall is not located near me. : )

I ran ping –t and tried to connect with ftp from inside to outside:

pixfirewall(config)# sh xlate
5 in use, 27 most used
PAT Global firewall_ip(2155) Local EjectIIS1(3653)
PAT Global firewall_ip(1650) Local EjectIIS1(2575)
PAT Global firewall_ip(1) Local EjectIIS1 ICMP id 512
PAT Global firewall_ip(22) Local EjectIIS1(22)
PAT Global firewall_ip(80) Local EjectIIS1(80)

[RUNNING CONFIG]
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.1.2 EjectIIS1
name xxx.xxx.xxx.xxx firewall_ip
name 10.10.1.3 EjectIIS1_ilo
access-list 111 permit tcp any host firewall_ip eq www
access-list 111 permit tcp any host firewall_ip eq ssh
access-list 111 permit tcp any host firewall_ip eq 7589
access-list 111 permit tcp any host firewall_ip eq smtp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside firewall_ip 255.255.255.128
ip address inside 10.10.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location EjectIIS1 255.255.255.255 inside
pdm location EjectIIS1_ilo 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www EjectIIS1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh EjectIIS1 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 7589 EjectIIS1_ilo https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp EjectIIS1 smtp netmask 255.255.255.255 0 0
access-group 111 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address EjectIIS1-10.10.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

maybe we should start from the pix rather than the inside.

"sh int" to verify the interface status.

"sh ip" to verify the public ip if adsl/pppoe has been configured for the outside interface.

also, ping the internet from the pix directly.

Hi,

Thx for a fast reply…

pixfirewall(config)# sh ip
System IP Addresses:
ip address outside firewall_ip 255.255.255.128
ip address inside 10.10.1.1 255.255.255.0
Current IP Addresses:
ip address outside firewall_ip 255.255.255.128
ip address inside 10.10.1.1 255.255.255.0

pixfirewall(config)# sh int
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0013.7f6d.4a49
IP address XXX.XXX.XXX.XXX, subnet mask 255.255.255.128
MTU 1500 bytes, BW 100000 Kbit full duplex
2985477 packets input, 441042258 bytes, 0 no buffer
Received 278332 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
3721743 packets output, 40051821 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/19)
output queue (curr/max blocks): hardware (0/43) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0013.7f6d.4a4a
IP address 10.10.1.1, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
3726670 packets input, 41700863 bytes, 0 no buffer
Received 2860 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
2704126 packets output, 417199711 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/43)
output queue (curr/max blocks): hardware (0/25) software (0/1)

When I try to ping an IP directly from the pix it works just fine…

And the rule to access from outside to inside (EjectIIS1) is working fine for ssh, smtp and http.

Hi, again

I have a static IP from my ISP and it has not been changed since I configured the firewall a year ago. So I don’t think that’s the problem.

I talked to my ISP now and asked if they have made any changes the past two weeks, but they had not. : (

I know that they have a firewall that my firewall is behind. But it should be configured to permit all inside -> outside and outside -> inside. But if I can ping from my firewall to www and not from my server behind my firewall to www, it must be my firewall that has the problem then???

(Sorry for my bad English, hope you understand)

Best regards,

Björn Kallin

You are not able to ping the Internet from your server because access-list 111 does not allow it. Try adding these lines:

access-list 111 permit icmp any any echo-reply

access-list 111 permit icmp any any unreachable

access-list 111 permit icmp any any time-exceeded

These will allow your inside hosts to ping and traceroute to the Internet but not allow the Internet to ping or traceroute you.

-Mark

Hi,

After having squeezed my ISP for information about the config of their firewall, they noticed that the firewall was blocking all inside -> outside traffic. And when they opened it again everything started working.

Sorry for the inconvenience!

But I tried to ping the internet from inside my firewall and it is still not working.

Is my access-list 111 not only for traffic outside -> inside??

With the command: “access-group 111 in interface outside”

If I apply this:

access-list 111 permit icmp any any echo-reply

access-list 111 permit icmp any any unreachable

access-list 111 permit icmp any any time-exceeded

Does it not open up for the outside to ping my inside, or is that what the static command permits?

Hi

These ACL entries will allow the echo-reply, which is required to confirm whether the pinged host is live or dead, and other notification messages like unreachable and time-exceeded.

Echo-reply is paired with the ICMP echoes sent from the hosts; as a reply you get echo-replies from the other end as a notification that represents the status of the remote end host.

regds

with these 3 entries, you will be able to ping outside from the inside; but outside can't ping the inside.
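As an added example that is not part of the thread, here is a small Python model of how the inbound ACL on the outside interface decides the packets Mark's three ICMP entries and the reply just above are about: the posted config has no ICMP inspection enabled, so the echo-replies coming back to the PAT address are checked against access-list 111 like any other inbound packet, and only the reply-type entries let them through while an inbound echo request still hits the implicit deny. The addresses 203.0.113.10 (standing in for the masked firewall_ip) and 198.51.100.1 (an Internet host) are constructed placeholders.

```python
from ipaddress import ip_address, ip_network
# Constructed placeholders: 203.0.113.10 stands in for the thread's masked
# firewall_ip; the inside names are the ones from the posted config.
NAMES = {"firewall_ip": "203.0.113.10", "EjectIIS1": "10.10.1.2"}
PORTS = {"www": 80, "ssh": 22, "smtp": 25, "https": 443}

ACL_BEFORE = [  # access-list 111 as originally posted
    "access-list 111 permit tcp any host firewall_ip eq www",
    "access-list 111 permit tcp any host firewall_ip eq ssh",
    "access-list 111 permit tcp any host firewall_ip eq 7589",
    "access-list 111 permit tcp any host firewall_ip eq smtp",
]
ACL_AFTER = ACL_BEFORE + [  # plus the three ICMP entries Mark suggested
    "access-list 111 permit icmp any any echo-reply",
    "access-list 111 permit icmp any any unreachable",
    "access-list 111 permit icmp any any time-exceeded",
]

def _addr(tok):
    """Consume 'any' or 'host <ip|name>'; return the network and the remaining tokens."""
    if tok[0] == "any":
        return ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ip_network(NAMES.get(tok[1], tok[1]) + "/32"), tok[2:]
    raise ValueError("unsupported address form: " + tok[0])

def parse_acl(lines):
    """Parse 'access-list N permit|deny <proto> <src> <dst> [eq <port>|<icmp-type>]'."""
    rules = []
    for line in lines:
        tok = line.split()
        action, proto, tok = tok[2], tok[3], tok[4:]
        src, tok = _addr(tok)
        dst, tok = _addr(tok)
        qual = None  # None means any port / any ICMP type
        if proto == "tcp" and tok[:1] == ["eq"]:
            qual = PORTS.get(tok[1]) or int(tok[1])
        elif proto == "icmp" and tok:
            qual = tok[0]  # ICMP type keyword such as echo-reply
        rules.append((action, proto, src, dst, qual))
    return rules

def permitted(rules, proto, src, dst, qual=None):
    """First matching entry decides; the ACL ends with an implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, r_proto, r_src, r_dst, r_qual in rules:
        if r_proto == proto and s in r_src and d in r_dst and r_qual in (None, qual):
            return action == "permit"
    return False
```

Run `permitted(parse_acl(ACL_AFTER), "icmp", "198.51.100.1", "203.0.113.10", "echo-reply")` to see the reply admitted, and swap in `"echo"` to see an inbound ping request still denied.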

It worked just fine, thanks!!

With my running config as it looks right now, it’s possible to ping the public IP (the firewall). How do I block that?

it's good to learn that your issue has been resolved.

according to cisco,

apply "icmp permit 0 0 0 outside".

with this command, no host can ping the pix outside interface; while pix outside interface will be able to ping the internet.