I am testing a PIX prior to configuring IPsec settings on the outside interface. The folks I am working with need to be able to ping the outside interface of our PIX. I cannot figure out what I am missing that will not allow me to ping the outside interface from the internet.
I can ping the outside interface of the PIX from my router, which is connected to the outside interface of the PIX, and I can ping both the outside and inside address of my router. The inside address of the router is in the same IP address set and subnet as the outside interface of the PIX.
Even if your outside interface isn't truly your connection to the Internet, you still need a default route pointing out whatever interface does connect. So let's say your "dmz" interface connects to the Internet, then just add:
> route dmz 0.0.0.0 0.0.0.0 x.x.x.x
where x.x.x.x is the IP address of the router that connects to the PIX's DMZ interface.
In short, you have to tell the PIX how to get to the rest of the world. It can only route packets that it knows how to get to; if it doesn't have a route, then it can't forward them on.
--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --
I have a default route and everyone can get out to the internet, and it is pointing to the router that connects the users to the internet.
I have pasted an older config that should be an older version of the one currently on the PIX.
Take a look and see what needs fixing. This is my first time to deal with so many interfaces.
The IPs are not the real IP addresses of the networks, but they will fit as an example.
nameif ethernet0 net security50
nameif ethernet1 dmz1sher security85
nameif ethernet2 dmz2tx security65
nameif ethernet3 outside security0
nameif ethernet4 dmz3live security95
nameif ethernet5 intf5 security25
enable ** moderator edit **
passwd ** moderator edit **
hostname ** moderator edit **
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
access-list acl_out permit icmp any any
access-list acl_out permit tcp any any
access-list acl_out permit tcp any host 192.168.0.3
access-list acl_in permit tcp any any
access-list acl_in permit icmp any any
access-list 101 permit ip nnn.nn.nn.0 255.255.255.240 yyy.yy.yy.0 255.255.255.0
access-list 101 permit ip nnn.nn.nn.0 255.255.255.240 nnn.nn.nn.240 255.255.255.248