Basic PIX Interface Question

daniel.bowen · ‎10-04-2005

Hi Everyone,

My understanding of a general PIX config is to have the inside interface connected to your LAN and the outside interface connected to the "Internet". Now I have configured the NAT to translate my internat 192.168.x.x address to my routable address on the outside interface with the commands global(outside)X.X.X.X and NAT(inside)192.168.X.X and this all works fine. I have an access-list on my inside interface which permits icmp from any to any. My question is, how do I permit the reply to my pings through my outside interface? If I do not have an ACL on my outside interface permitting ICMP I cannot ping across from the inside to the outside - but I thought an ACL on my outside interface was a bad idea?

Any help would be great if you can understand my poor question!

Many thanks,

Dan

stschmidt · ‎10-05-2005

Take a look at this document it should help answer your questions:

http://www.cisco.com/warp/public/110/31.html#

jhaggett · ‎11-02-2005

Not sure if this has been answered or not, but, you do need to assign an access-list to the outside interface. You can do it a couple ways (icmp outside permit any any) or, create an access-list and bind it to the outside interface. You do need to bind an ACL to the outside interface to permit PAT thorugh to an inside server (web email etc), so:

access-list ACLNAME permit icmp any any

access-group ACLNAME in interface outside