Re: Simple (hopefully) PIX question

cjkelly · ‎04-16-2003

I have a PIX 525 for testing. If I go into monitor mode I can ping an IP on the LAN get to a tftp server and all is well. When I relaod - same IP same network connection - no connectivity.

confused??

There is absolutely NO config on teh PIX box it is wide open

anyone any ideas

jeff.roback · ‎04-16-2003

Keep in mind that unlike a router which defaults to letting all traffic in and out, the the Pix by default allows outbound web & other UDP/TCP traffic from inside to outside, but it won't allow ICMP traffic like "ping" or "traceroute" to return from the outside to the inside.

To Allow inside hosts to ping and traceroute outside hosts do:

access-list outside_list permit icmp any any echo-reply

access-list outside_list permit icmp any any time-exceeded

access-list outside_list permit icmp any any unreachable

access-list outside_list permit icmp any any source-quench

access-group outside_list in interface outside

Take a look at "testing Connectivity" at:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_61/config/bafwcfg.htm#997560

cjkelly · ‎04-17-2003

OK I will try (thanks for responding)

But I have another 525 with an alomost identical config (ip's are different) and it is allowing access - there are no access lists configured on the other one.

jdepies · ‎04-16-2003

One other thing you might want to check, is to see if either of your interfaces are shut down (it looks likes 6.3.1 comes this way by default - kinda silly).

type: show interface

and if its says administratively down, then you will need to run the:

interface

example:

interface e0 auto

command to remove it from being shutdown.

Hope this helps

Jeff

cjkelly · ‎04-17-2003

Thanks but I had checked that - the int is up