Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX 520 configure list,pls help me trouble shooting

with this config, I cann't ping 192.168.1.253,

the debug trace indicate:

192.168.10.101>212.99.175.60>192.168.1.253

how can I direct the traffic go to DMZ no go to outside.

following is my pix 520 6.0(1)'s config list

: Saved

:

PIX Version 6.0(1)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

enable password --moderator edit-- encrypted

passwd --moderator edit-- encrypted

hostname Pix

domain-name Pix

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

pager lines 24

no logging on

logging timestamp

logging console debugging

logging monitor debugging

logging buffered debugging

logging trap debugging

logging history debugging

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside 212.99.175.51 255.255.255.240

ip address inside 192.168.10.254 255.255.255.0

ip address dmz 192.168.1.227 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 0.0.0.0

failover ip address inside 0.0.0.0

failover ip address dmz 0.0.0.0

pdm history enable

arp dmz 192.168.1.253 0004.c13a.5080 alias

arp timeout 90

global (outside) 1 212.99.175.60

global (dmz) 1 192.168.1.220 netmask 255.255.255.255

nat (inside) 1 192.168.10.0 255.255.255.0 0 0

nat (dmz) 1 192.168.1.0 255.255.255.0 0 0

alias (inside) 192.168.1.221 212.99.175.61 255.255.255.255

static (dmz,outside) 212.99.175.61 192.168.1.221 netmask 255.255.255.255 0 0

conduit permit icmp any any

conduit permit tcp host 212.99.175.61 eq www any

conduit permit tcp host 212.99.175.61 eq pop3 any

conduit permit tcp host 212.99.175.61 eq smtp any

conduit permit tcp host 212.99.175.61 eq domain any

route outside 0.0.0.0 0.0.0.0 212.99.175.49 2

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt noproxyarp dmz

no sysopt route dnat

telnet 192.168.10.0 255.255.255.0 inside

telnet timeout 30

ssh timeout 5

terminal width 80

Cryptochecksum:5952c4f82490d2741ffb7b2e44

1 REPLY
New Member

Re: PIX 520 configure list,pls help me trouble shooting

Is there any reason your inside hosts can’t appear on the DMZ with there own addresses instead of the PAT assigned global? Try this if you can:

no global (dmz) 1 192.168.1.220 netmask 255.255.255.255

static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

wr mem

reload

Remember, anytime you add, changer or delte a nat and/or global it is best to wr mem/reload on the PIX. Now, test your ping again with debug running. Let me know if that helps.

211
Views
0
Helpful
1
Replies