OK, I am about to pull out my hair over this. I have a PIX 501 set up at a remote office. I will have a tunnel set up to connect back to our other office, which uses a PIX 501 also. At this point I am not concerned about the VPN tunnel. Basically, PCs that have a 192.168.5.x address will use the tunnel, and PCs that have a 192.168.7.x address will simply be able to get onto the internet via the DSL that the PIX uses. The PIX has a static public IP address on the external interface. The internal interface has an IP of 192.168.5.1. I have one machine plugged into the PIX with an IP of 192.168.7.50, a subnet mask of 255.255.248.0 and a gateway of 192.168.5.1.

From this machine I try to ping anything on the internet and get "request timed out". I also cannot surf. It was my understanding that PIXes allow all outbound traffic, which really has me confused. So I told the inside computer to ping a Linux box on the net back at my main office and watched. That Linux box indeed gets the packet and replies back, yet the internal host is not getting the reply. If I SSH onto the PIX I can ping anything on the internet and it replies just fine. So somewhere on the PIX something is stopping traffic and I have no idea what. I have tried adding some access-lists to no avail. I am new to this and would really appreciate any help. Here is my config:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list 80 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 80 permit ip 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 50 permit icmp any any
access-list 50 permit icmp any any unreachable
access-list 50 permit icmp any any time-exceeded
access-list 50 permit icmp any any echo-reply
access-list 50 permit tcp any interface outside eq www
access-list 50 permit tcp any interface outside eq domain
access-list 50 permit icmp any any source-quench
access-list 50 permit icmp any any parameter-problem
The global command defines what IP address all outgoing packets will be PAT'd to. If you PAT them to the same address as your outside ADSL gateway, then when they return they'll be destined for that IP address, and the gateway will get them and think, "huh, what am I supposed to do with this", and drop it.
By using the keyword "interface" on the global command, the PIX will PAT everything to its own outside interface's IP address, so the replies will come back to that IP address and the PIX will know to forward them on internally.
Remove your two "route inside ...." commands also, they're not needed and will just confuse things.
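As an added illustration of the point in the answer above (this is not the poster's config or the answerer's own fragment), here is the translation half of a PIX 6.3 config with the ADSL gateway address used as the PAT address placed beside the corrected "interface" form. The public addresses (203.0.113.1 for the ADSL gateway, 203.0.113.2 for the PIX outside interface) and the /21 mask on the inside interface are assumptions; the /21 is chosen because the 192.168.7.50 host in the question already carries a 255.255.248.0 mask, and with that mask on the PIX the 192.168.7.x hosts are directly connected, so no "route inside" lines are needed. Lines beginning with "!" are annotations, not commands.

```text
! Added example, not the poster's configuration.
! Assumed addresses: 203.0.113.1 = ADSL gateway, 203.0.113.2 = PIX outside.

! --- Wrong: PAT outbound traffic to the upstream gateway's own address.
! Replies are addressed to the gateway, which has no translation state for
! them and drops them. The inside host sees "request timed out" even though
! the far end answered.
! global (outside) 1 203.0.113.1

! --- Corrected addressing and translation
ip address outside 203.0.113.2 255.255.255.252
ip address inside 192.168.5.1 255.255.248.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Traffic matching ACL 80 (the remote office LANs from the posted config) is
! exempted from translation so it can later ride the VPN tunnel unchanged.
nat (inside) 0 access-list 80

! Everything else from the inside /21 is PATed to the outside interface
! address; replies come back to 203.0.113.2 and the PIX untranslates them.
nat (inside) 1 192.168.0.0 255.255.248.0
global (outside) 1 interface

! ICMP is not tracked statefully on PIX 6.3, so echo replies and the ICMP
! error types must be permitted inbound explicitly. ACL 50 from the posted
! config already does this; it only has to be bound to the outside interface.
access-group 50 in interface outside

! Checks after pinging from 192.168.7.50:
!   show xlate         - a PAT entry for 192.168.7.50 should now exist
!   debug icmp trace   - shows the echo leaving translated and the reply
!                        being mapped back to 192.168.7.50
```

With the "interface" keyword the PAT address follows the outside interface automatically, which also keeps the config correct if the ISP later changes the static address. If the inside interface keeps a /24 mask instead of the assumed /21, the 192.168.7.x hosts are not on-link from the PIX's point of view and their return traffic has nowhere to go, so the mask on the inside interface is worth checking with "show ip address" alongside the nat/global pair.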