Pix506E Not Forwarding

trippk
Level 1

I have a very simple problem. My Pix506e can ping everything on both sides of it, but my LAN side cannot get to anything on the WAN side of the PIX. I figured that my default route must be incorrect, but I followed the instructions correctly. Can someone please give me some advice on how to troubleshoot this please.

Thanks in advance,

Tripp Kuehnis

Just for your info on topology:

We have a Cisco Catalyst 3550 connected to the LAN port on the PIX 506E. We then have a Cisco Catalyst 2550 connected to the WAN port on the PIX. A Cisco 2950 (I think - this router was put in by AT&T) is connected to a port on the Catalyst 2550 and gives access to the T-1 line.

Thanks Again!!

4 Replies

swatkins
Level 1

Can you ping through the Pix? Check the logs for incoming ICMP denies if you do not allow echo replies.

Are you using NAT on the Pix or is the router doing NAT for the network?

Really need to see the config!

I cannot ping through the router, although I have allowed all Ping packets through. I am using NAT on the PIX, but the router is not.

Here is the config in a nutshell - I am typing it in myself so please forgive spelling errors or missing password entries

PIX version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password

passwd

hostname Firewall

domain-name

fixup protocol ftp 21

fixup protocol http 80 (There are a few other fixups here)

names

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside 12.25.184.131 255.255.255.192

ip address inside 192.168.168.254 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

nat (inside) 1 192.168.168.0 255.255.255.0 0 0

conduit permit icmp any any

route outside 0.0.0.0 0.0.0.0 12.25.184.129 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http 192.168.168.250 255.255.255.255 inside

http 192.168.168.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum

; end

You need at least one of:

global (outside) 1 12.25.184.1x

or

static (inside,outside) 12.25.184.1x 192.168.168.x

for the firewall to allow inside hosts to establish connections to the outside.

HTH

Mustafa
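
The requirement in the reply above, as an added example that is not part of the thread or of any Cisco tooling: a Python check that flags every nat rule in a PIX 6.x configuration that has no global with the same nat-id. The function name audit_translation and the config excerpts are constructed for illustration; 12.25.184.1x is the reply's own placeholder.

```python
import re

# Constructed excerpt of the configuration posted in the thread (PIX 6.x syntax).
POSTED = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nat (inside) 1 192.168.168.0 255.255.255.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 12.25.184.129 1
"""
# Same excerpt plus the global line from the reply ("1x" is the reply's placeholder).
WITH_GLOBAL = POSTED + "global (outside) 1 12.25.184.1x\n"

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) ")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) ")


def audit_translation(config):
    """Return (interface, nat_id, network, statics) for each nat rule that has
    no global with the same nat-id. statics counts static lines whose real
    interface matches; only those hosts are translated, the rest are not."""
    nats, global_ids, statics = [], set(), {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            nats.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := GLOBAL_RE.match(line):
            global_ids.add((m.group(1), int(m.group(2))))
        elif m := STATIC_RE.match(line):
            statics[m.group(1)] = statics.get(m.group(1), 0) + 1
    findings = []
    for ifc, nat_id, net in nats:
        if nat_id == 0:  # nat 0 means "do not translate", so it needs no global
            continue
        # A global matches when it carries the same id on a different interface.
        if not any(gid == nat_id and gifc != ifc for gifc, gid in global_ids):
            findings.append((ifc, nat_id, net, statics.get(ifc, 0)))
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("with global", WITH_GLOBAL)):
        print(name, audit_translation(cfg) or "every nat id has a global")
```
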

ICMP outbound will be permitted by default on the Pix, but reply packets must be permitted with the use of conduits or ACLs. You also will need to define static translation for any inside host requiring pings and traceroute.

Regards,

Carlos Roque
