Cisco Support Community
New Member

PIX 501

I have a PIX that I thought was successfully set up, but apparently not. I can ping outside resources from within the PIX by IP address only; I cannot ping by DNS name (maybe by design?). However, the server attached to the switch from the PIX cannot get beyond the PIX. The server CAN ping the private address assigned to the PIX and vice versa, but no outside traffic. Below is my configuration. Any help would be appreciated.

PIX Version 6.1(1)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password OLKvKRtWYoX8k0LJ encrypted

passwd Dx7ZLAkN9r0yT5Q6 encrypted

hostname pixfirewall

domain-name 4layout.net

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 any

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside *ISP ASSIGNED IP* 255.255.255.128

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool pptp-pool 192.168.0.1-192.168.0.50

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 *ISP ASSIGNED 2nd IP*

nat (inside) 0 access-list inside_access_in

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 *ISP ASSIGNED GW* 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

dhcpd lease 3600

dhcpd ping_timeout 750

terminal width 80

1 REPLY
New Member

Re: PIX 501

For basic inside-to-outside connections, without yet configuring for outside-to-inside access, e.g. all out, none in.

Remove:

nat (inside) 0 access-list inside_access_in

access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 any

Change:

global (outside) 1 *ISP ASSIGNED 2nd IP*

to

global (outside) 1 interface

Add:

access-list 101 permit icmp any any

access-group 101 in interface outside

for testing ping. ICMP packets must be permitted back in. All other traffic by default is permitted inside to out.

clear xlate, then check the following link:

http://cisco.com/warp/customer/707/28.html
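
An added example, not part of the original thread or any Cisco tooling: a Python check that reads PIX 6.x NAT lines and reports a `nat 0 access-list` whose ACL permits traffic to `any`. Such a rule exempts that source from translation, so the `nat 1`/`global 1` pair never applies to it, which is the condition the reply removes. The function names and the two trimmed sample configs are constructed for illustration.

```python
# Constructed sample: NAT-related lines from the configuration posted above.
POSTED = """\
access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 any
global (outside) 1 *ISP ASSIGNED 2nd IP*
nat (inside) 0 access-list inside_access_in
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""
# Constructed sample: the same lines after the changes given in the reply.
REVISED = """\
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 101 permit icmp any any
access-group 101 in interface outside
"""

def _take_addr(tokens):
    """Consume one address spec (any | host A | A MASK); return (spec, rest)."""
    if not tokens:
        return "", []
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return " ".join(tokens[1:2]), tokens[2:]
    spec = "any" if tokens[:2] == ["0.0.0.0", "0.0.0.0"] else " ".join(tokens[:2])
    return spec, tokens[2:]

def audit_nat(config):
    """Return findings for NAT exemptions to 'any' and nat ids lacking a global."""
    acls, exempt, nat_ids, global_ids = {}, [], set(), set()
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 6 and t[0] == "access-list" and t[2] in ("permit", "deny"):
            src, rest = _take_addr(t[4:])      # t[3] is the protocol
            dst, _ = _take_addr(rest)
            acls.setdefault(t[1], []).append((t[2], src, dst))
        elif t[:1] == ["nat"] and len(t) >= 3:
            if t[2] == "0" and t[3:4] == ["access-list"]:
                exempt.append((t[1], t[4]))    # NAT exemption bound to an ACL
            elif t[2] != "0":
                nat_ids.add(t[2])
        elif t[:1] == ["global"] and len(t) >= 3:
            global_ids.add(t[2])
    findings = []
    for ifc, name in exempt:
        for action, src, dst in acls.get(name, []):
            if action == "permit" and dst == "any":
                findings.append(f"nat {ifc} 0 access-list {name}: source {src} is "
                                "exempt from translation to any destination")
    findings += [f"nat id {n} has no matching global id"
                 for n in sorted(nat_ids - global_ids)]
    return findings
```
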
