Thanks for your answer.

I ersed the configuration I configurated it again, but I still have the same problem that I can't go to the exterior from the inside.

I have a dsl router with ethernet 0 192.168.200.251 , I have a FTP server with the IP 192.168.200.126 and this is the configuration of the PIX

pixfirewall# sh run

: Saved

:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname pixfirewall

domain-name ciscopix.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list devping permit icmp any any

access-list devping permit ip host 192.168.2.123 any

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside 192.168.2.253 255.255.255.0

ip address inside 192.168.200.125 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.6.2.0 255.255.255.0 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 192.168.2.200 192.168.200.126 netmask 255.255.255.255 0

0

access-group devping in interface outside

route inside 0.0.0.0 0.0.0.0 192.168.200.251 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.200.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet 192.168.200.14 255.255.255.255 inside

telnet timeout 20

ssh timeout 5

terminal width 80

From the PIX I can ping to 198.133.219.25 (www.cisco.com) but from any pc (192.168.200.14 for example) I can't.

Can you help me?

Other thing, can you tell me how a PC of the LAN outside (192.168.2.123 for example) could go anywhere to the LAN inside?

Because I used the command static (inside,outside) 192.168.2.200 192.168.200.126 netmask 255.255.255.255 0 0 but with this I only can reach the FTP server and I want to go anywhere.

Thanks in advance

Hi,

what is the default gateway of the inside pc's. If it is the inside ipaddress of the pix, then it won't work. Because when a packet (going to the internet) from an inside pc arrrives at the pix's inside interface, it has to come out of the pix on the same interface. The pix does not allow this.

Can I ask you why the internet connection (dsl router) is located at the inside? This way the pix will not be able to protect your inside network.

Kind Regards,

Tom

I use this PIX to separate two networks. The pc's that are in the inside interface can go to internet and too to pc' of the outside interface.

However the pc's in the outside interface can't go to the pc's of the inside (well only one pc can).

I tried to put a router in the in the hub where are the pc's of the outside interface with ethernet 0: 192.168.2.254 and serial 1: 10.10.10.2, and in the PIX I have append route outside 10.10.10.0 255.255.255.0 192.168.2.254.

The from the PIX I can reach the 10.10.10.2 but I can from a pc.

If a packet arrives at one pix's interface, couldn't it to come out of the pix on the same interface?

Then why are static routes?

Thanks in advance

Hi,

is it possible to give a brief overview of the setup you are trying to achieve?

If all hosts on the outside (insecure) network has to be able to access the inside (secure)network, what's the point then for using a pix? Or am I mistaken?

The pix has limited routing functionalities, it just doesn't allow packets to go out on the same interface. The static routes are there for packets that go through the pix.

Kind Regards,

Tom

Thanks for your asnwer, I didn't know that the static routes are only for packets that go through the pix.

Then for the pc's that are on the inside interface I must put your gateway as the ethernet0 of the dsl router and in this router put a static route to the network of the pc's of the outside interface, musn't I?

This PIX will be used to separate two networks, the 192.168.2.0 (on the outside) and the 192.168.200.0 (on the inside).

The pc's on the inside can go to the pc's on the outside and too can go to internet (going to the dsl router).

Obviously the pc's on the outside interface can't go to the pc's on the inside interface (except one pc of one administrator). Because of this I think that I have to put this:

static (inside,outside) 192.168.200.0 192.168.200.0 netmask 255.255.255.255 0 0

access-list devping permit ip host 192.168.2.X any

access-group devping in interface outside

haven't I?

Can you tell if is it correct?

Many thanks, I have to install this PIX on Monday, I hope that all work

Hi,

thanks for explaining your setup. It's a lot clearer me right now :-)

There is an error at the static command you provided. Since you are static translating an entire subnet, you have to use a different subnetmask. It should be like this:

static (inside,outside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0 0 0

But I still find it some strange setup. The dsl router to the internet is on the inside, so you trust the internet, but you don't trust the users on the 192.168.2.0 network. Or am I mistaken here? Isn't it more logical to put the

dsl router at the outside interface?

Kind Regards,

Tom

Yes it's strange but is that the client have told me about your network.

Maybe the dsl router is for a point to point connection with other office, I don't know yet, but I have done the configuration of the PIX like if the router will be used for Internet.

Anyway, now I'm home and I'm triying with the PIX with the help of my desktop and my laptop.

I put this command :static (inside,outside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0 0 0 and I think that all work well, ( As at home I don't have any router I don't know if I could go to internet from a pc of the outside interface, but you told me that the static routes are valid only for the trafic that go through the PIX I suppose that in the client network will work, I hope)

I think that this order ( static (inside,outside) ......) does the same that:

global (outside) 1 interface

nat (inside) 1 0 0

doesn't it?

Best regards

Hi,

static (inside,outside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0 0 0

does not the same as:

global (outside) 1 interface

nat (inside) 1 0 0

With the global/nat commands in place, your inside network is hidden behind the ip address of the outside interface of the pix. The source addresses of packets going from the inside to the outside are replaced with the ip address of the outside interface of the pix. This is what we call PAT = port address translation.

Kind Regards,

Tom

Thanks for your help, now I understand.

This was the first time that i had seen a PIX and I had to configure it in a couple of days.

Anyway, then I could go to internet from a pc of the outside interface (administrator pc), because you told me that the static routes are valid only for the trafic that go through the PIX, don't you?

And the pc's of the inside interface must have as gateway the IP of the router in order to go to Internet, musn't they?

Many thanks

Hi,

you are right. Since the pix does not allow/route traffic coming out of the same interface it came in, you will have to define the ip address of the router as the default gateway for your inside pc's.

Kind Regards,

Tom