03-15-2006 06:50 PM - edited 02-21-2020 12:46 AM
[R4] --- PIX --- [R1]
I need to configure a static route for 10.1.1.x network on R4 and configure PIX so that R4
can ping 10.1.1.1 (R1). But, the configuration does not seem to work.
R4
!
interface Ethernet0
ip address 20.x.x.x.x.255.0
!
ip route 10.1.1.1 255.255.255.0 20.1.24.254
!
PIX
!
nameif ethernet0 inside security100
nameif ethernet1 outside security0
!
ip address inside 10.1.1.254 255.255.255.0
ip address outside 20.x.x.x.x.255.0
!
static (inside,outside) 20.x.x.x.x.1.1 netmask 255.255.255.255 0 0
access-list MYACLOUT permit ip host 20.1.24.4 host 10.1.1.1
access-group MYACLOUT in interface outside
icmp permit host 20.1.24.4 echo outside
!
icmp deny any outside
icmp deny any inside
!
R1
!
interface Ethernet0
ip address 10.1.1.1 255.255.255.0
!
Ping does not work?
R4# ping 10.1.1.1
....
03-15-2006 07:24 PM
Hi,
Can you try the following config on the PIX:
static (inside,outside) 10.1.1.1 10.1.1.1 netmask 255.255.255.255 0 0
instead of:
static (inside,outside) 20.1.24.4 10.1.1.1 netmask 255.255.255.255 0 0
Hope that helps - pls rate the post if it does.
Paresh
03-16-2006 06:28 AM
No, it did not work.
R4#ping 20.1.24.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.24.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R4#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4#
03-16-2006 08:29 AM
The icmp permit host 20.1.24.4 echo outside is allowing the host 20.1.24.2 to ping the PIX, not the server that you have the static for. Add ICMP to your access-list and you should be good to go.
access-list MYACLOUT permit icmp any host 20.1.24.4
Hope this helps.
04-03-2006 06:42 AM
Simple!
Need to have a route back,
Type the following command on R1:
ip route 20.0.0.0 255.0.0.0 10.1.1.254
It should work after that...
All the best.
04-13-2006 07:59 AM
This should get you started:
R4:
no ip route 10.1.1.1 255.255.255.0 20.1.24.254
ip route 10.1.1.0 255.255.255.0 20.1.24.254
PIX:
ip address outside 20.1.24.254 255.255.255.0
no static (inside,outside) 20.x.x.x.x.1.1 netmask 255.255.255.255 0 0
static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
access-list MYACLOUT permit icmp any any
no access-list MYACLOUT permit ip host 20.1.24.4 host 10.1.1.1
route outside 0.0.0.0 0.0.0.0
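Added example, not from any poster in this thread: a Python check of the two routing points raised in the replies above, the host address used as a /24 prefix in R4's posted ip route line and the missing return route on R1. It models only static-route lookup (longest-prefix match), not the PIX NAT or ACL side; the function names are hypothetical, and it assumes R4 pings from 20.1.24.4 (the host in the posted ACL) and that R1 has no routes beyond those shown.

```python
import ipaddress

def parse_ip_route(line):
    """Parse 'ip route <prefix> <mask> <next-hop>' -> (network, next_hop, problem).

    problem is None unless the prefix has host bits set under the mask.
    """
    _, _, prefix, mask, next_hop = line.split()
    problem = None
    try:
        net = ipaddress.ip_network(f"{prefix}/{mask}", strict=True)
    except ValueError:
        # Normalise to the real network so the lookup below still works.
        net = ipaddress.ip_network(f"{prefix}/{mask}", strict=False)
        problem = f"host bits set in {prefix} {mask}; use {net.network_address} {mask}"
    return net, ipaddress.ip_address(next_hop), problem

def lookup(dest, connected, statics):
    """Longest-prefix match. Returns 'connected', a next-hop address, or None."""
    dest = ipaddress.ip_address(dest)
    matches = [(net, "connected") for net in connected if dest in net]
    matches += [(net, hop) for net, hop, _ in statics if dest in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# Values are taken from the thread; R4 = 20.1.24.4 and "R1 has no other
# routes" are assumptions made for this example.
R4_ROUTE_POSTED = "ip route 10.1.1.1 255.255.255.0 20.1.24.254"
R4_ROUTE_FIXED = "ip route 10.1.1.0 255.255.255.0 20.1.24.254"
R1_CONNECTED = [ipaddress.ip_network("10.1.1.0/24")]
R1_RETURN_ROUTE = "ip route 20.0.0.0 255.0.0.0 10.1.1.254"

def r1_reply_next_hop(static_lines):
    """Where R1 would send an echo reply addressed to 20.1.24.4."""
    statics = [parse_ip_route(line) for line in static_lines]
    return lookup("20.1.24.4", R1_CONNECTED, statics)

if __name__ == "__main__":
    for line in (R4_ROUTE_POSTED, R4_ROUTE_FIXED):
        print(line, "->", parse_ip_route(line)[2] or "ok")
    print("R1 reply, no statics:", r1_reply_next_hop([]))
    print("R1 reply, return route:", r1_reply_next_hop([R1_RETURN_ROUTE]))
```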