04-01-2003 07:14 AM - edited 03-09-2019 02:43 AM
I have a very simple problem. My Pix506e can ping everything on both sides of it, but my LAN side cannot get to anything on the WAN side of the PIX. I figured that my default route must be incorrect, but I followed the instructions correctly. Can someone please give me some advice on how to troubleshoot this please.
Thanks in advance,
Tripp Kuehnis
Just for your info on topology:
We have a Cisco Catalyst 3550 connected to the LAN port on the PIX 506E. We then have a Cisco Catalyst 2550 connected to the WAN port on the PIX. A Cisco 2950 (I think - this router was put in by AT&T) is connected to a port on the Catalyst 2550 and gives access to the T-1 line.
Thanks Again!!
04-01-2003 07:46 AM
Can you ping through the Pix? Check the logs for incoming ICMP denies if you do not allow echo replies.
Are you using NAT on the Pix or is the router doing NAT for the network?
Really need to see the config!
04-01-2003 08:00 AM
I cannot ping through the router, although I have allowed all Ping packets through. I am using NAT on the PIX, but the router is not.
Here is the config in a nutshell - I am typing it in myself, so please forgive spelling errors or missing password entries.
PIX version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname Firewall
domain-name
fixup protocol ftp 21
fixup protocol http 80 (There are a few other fixups here)
names
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 12.25.184.131 255.255.255.192
ip address inside 192.168.168.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 1 192.168.168.0 255.255.255.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 12.25.184.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.168.250 255.255.255.255 inside
http 192.168.168.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum
: end
04-01-2003 11:30 AM
You need at least one of:
global (outside) 1 12.25.184.1x
or
static (inside,outside) 12.25.184.1x 192.168.168.x
for the firewall to allow inside hosts to establish connections to the outside.
HTH
Mustafa
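Added example, not part of the original thread or any poster's code: a small Python check that flags a PIX 6.x `nat` statement whose nat_id has no `global` on another interface, which is the gap pointed out in the reply above. The function name and the sample text are assumptions; the sample is constructed from the NAT-relevant lines of the posted config.

```python
import ipaddress
import re

# Constructed sample: the NAT-relevant lines of the config posted in the thread.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 12.25.184.131 255.255.255.192
ip address inside 192.168.168.254 255.255.255.0
nat (inside) 1 192.168.168.0 255.255.255.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 12.25.184.129 1
"""

# Only the address-plus-mask forms used in the thread are parsed (assumption).
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\d[\d.]*) (\d[\d.]*)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) \S")
STATIC_RE = re.compile(r"^static \(([^,\s]+),\s*[^)\s]+\) \S+ (\d+\.\d+\.\d+\.\d+)")


def find_untranslated_nat(config: str) -> list[str]:
    """Report nat statements whose nat_id has no global on another interface."""
    nats, globals_, statics = [], set(), []
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            addr = "0.0.0.0" if m[3] == "0" else m[3]  # PIX shorthand for "any"
            net = ipaddress.ip_network(f"{addr}/{m[4]}", strict=False)
            nats.append((m[1], int(m[2]), net))
        elif m := GLOBAL_RE.match(line):
            globals_.add((m[1], int(m[2])))
        elif m := STATIC_RE.match(line):
            statics.append((m[1], ipaddress.ip_address(m[2])))
    findings = []
    for ifname, nat_id, net in nats:
        if nat_id == 0:  # nat 0 means "do not translate", so no global is expected
            continue
        if any(gid == nat_id and gif != ifname for gif, gid in globals_):
            continue
        # A static still lets its own host out, so name the hosts that have one.
        hosts = [str(ip) for sif, ip in statics if sif == ifname and ip in net]
        note = f" (static only for {', '.join(hosts)})" if hosts else ""
        findings.append(f"nat ({ifname}) {nat_id} {net}: no matching global{note}")
    return findings


if __name__ == "__main__":
    for finding in find_untranslated_nat(SAMPLE_CONFIG):
        print(finding)
```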
04-22-2003 11:00 AM
ICMP outbound will be permitted by default on the Pix, but reply packets must be permitted with the use of conduits or ACLs. You will also need to define a static translation for any inside host requiring pings and traceroute.
Regards,
Carlos Roque