
Unable to ping out from LAN via PIX firewall

Hello,

I have the following setup.

host PC (192.168.9.3) -----> gateway (192.168.9.2) ----- Pix E1 (192.168.9.1)/Pix E0 (81.x.x.250) ------ Internet

The 192.168.9.2 gateway is a 3560 switch connected to the PIX. I can ping out to the Internet via IP from the PIX, but not via the host PC (192.168.9.3) on the LAN. PIX and gateway configs below. Am I missing something that's preventing me pinging out to the Internet from the internal LAN? Any advice is appreciated.

Many thanks,

Rob

PIX config

test-cal-pix01# sh run
: Saved
:
PIX Version 8.0(3)
!
hostname test-cal-pix01
enable password btf1YD.Vq7mE6vEA encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 81.x.x.250 255.255.255.240
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.9.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup outside
dns server-group BT_DNS
 name-server 194.72.6.57
 name-server 194.73.82.242
object-group network LOCAL_LAN
 network-object 192.168.9.0 255.255.255.0
object-group service Internet_Services tcp
 port-object eq www
 port-object eq domain
 port-object eq https
 port-object eq ftp
 port-object eq 8080
access-list ACLOUT extended permit tcp object-group LOCAL_LAN any object-group Internet_Services
access-list ACLOUT extended permit icmp object-group LOCAL_LAN any
access-list ACLOUT extended permit udp object-group LOCAL_LAN any eq domain
access-list ACLIN extended permit icmp any any echo-reply
access-list ACLIN extended permit icmp any any unreachable
access-list ACLIN extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging buffered errors
logging trap notifications
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group ACLIN in interface outside
access-group ACLOUT in interface inside
route outside 0.0.0.0 0.0.0.0 195.x.x.45 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c570240e1159a0f83d8ad2c67780deb0
: end

Gateway config

Switch#sh run
Building configuration...

Current configuration : 1583 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable password ###########
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
 description uplink to Cisco_PIX
 switchport access vlan 9
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
 switchport access vlan 9
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
 no ip address
!
interface Vlan9
 ip address 192.168.9.2 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.9.1
ip route 192.168.9.0 255.255.255.0 192.168.9.1
ip http server
!
!
control-plane
!
!
line con 0
line vty 5 15
!
end

Switch#
