Re: PIX 501 configuration headache

Shawn Westerhoff
      10-14-2003
I would keep my static lines one-to-one until you get it to work; usually I start with a clean config and stay away from PDM!

Get rid of the inside access-list; add that later if you need to restrict outbound. Keep the config simple. Getting the initial static (in,out) configs to work should not be hard, as they do not use NAT or GLOBAL. The config should start VERY SIMPLE:

ip address outside 199.xxx.yyy.230 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
static (inside,outside) 199.xxx.yyy.251 192.168.1.251 netmask 255.255.255.255 0 0
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host 199.xxx.yyy.251 eq pop3
access-list outside_access_in permit tcp any host 199.xxx.yyy.251 eq www
access-list outside_access_in permit tcp any host 199.xxx.yyy.251 eq smtp
access-group outside_access_in in interface outside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

build it from there.

-Shawn Westerhoff



(E-Mail Removed) (Jon Brookins) wrote in message news:<(E-Mail Removed)>...
> Can anyone take a look at this config and tell me why one machine
> (IO_Inside) can be hit properly, and get out to the internet properly,
> but when I put another machine (Callisto_Inside) behind the PIX it can
> neither get traffic nor hit internet sites. I'm stumped, as it seems
> like a straight forward static configuration. Thanks for any ideas,
> as I am going steadily crazy over this.
>
> Jon Brookins
> PNMN
> ----- configuration below ------
> : Written by enable_15 at 14:56:50.214 UTC Mon Oct 13 2003
> PIX Version 6.2(2)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password 8Ry2YjIyt7RRXU24 encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> hostname xxxxx
> domain-name xxxx.com
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> name 192.168.1.251 IO_Inside
> name 199.xxx.yyy.0 PNMICOM
> name 192.168.1.254 Callisto_Inside
> access-list outside_access_in permit ip PNMICOM 255.255.255.0 any
> access-list outside_access_in permit icmp any any time-exceeded
> access-list outside_access_in permit icmp any any echo-reply
> access-list outside_access_in permit icmp any any echo
> access-list outside_access_in permit udp any host 199.xxx.yyy.254 eq domain
> access-list outside_access_in permit tcp any host 199.xxx.yyy.254 eq smtp
> access-list outside_access_in permit tcp any host 199.xxx.yyy.254 eq pop3
> access-list outside_access_in permit tcp any host 199.xxx.yyy.254 eq www
> access-list outside_access_in permit tcp any host 199.xxx.yyy.254 eq domain
> access-list outside_access_in permit tcp any host 199.xxx.yyy.251 eq www
> access-list outside_access_in permit tcp any host 199.xxx.yyy.251 eq ftp
> access-list inside_access_in permit ip any any
> pager lines 24
> logging on
> interface ethernet0 10baset
> interface ethernet1 10full
> mtu outside 1500
> mtu inside 1500
> ip address outside 199.xxx.yyy.230 255.255.255.0
> ip address inside 192.168.1.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> pdm location IO_Inside 255.255.255.255 inside
> pdm location Callisto_Inside 255.255.255.255 inside
> pdm logging informational 100
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> static (inside,outside) 199.xxx.yyy.251 IO_Inside netmask 255.255.255.255 0 0
> static (inside,outside) 199.xxx.yyy.254 Callisto_Inside netmask 255.255.255.255 0 0
> access-group outside_access_in in interface outside
> access-group inside_access_in in interface inside
> route outside 0.0.0.0 0.0.0.0 199.xxx.yyy.1 1
> timeout xlate 0:05:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> http server enable
> http 192.168.1.0 255.255.255.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> no sysopt route dnat
> telnet timeout 5
> ssh timeout 5
> dhcpd address 192.168.1.2-192.168.1.33 inside
> dhcpd lease 3600
> dhcpd ping_timeout 750
> dhcpd auto_config outside
> terminal width 80

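Shawn's order of operations (get the static right first, then open individual services with the ACL bound inbound on outside) can be checked mechanically rather than by eye. The Python below is an added example for this thread, not code from either poster or from Cisco. It parses the name, static, access-list and access-group lines of a PIX 6.x config and reports, per static, what the outside ACL permits to that translated host. The embedded config is constructed in the shape of Jon's quoted one: the masked 199.xxx.yyy.0/24 is replaced by the documentation range 203.0.113.0/24, and one line for 203.0.113.253/ssh is added on purpose (neither is on the page) to show a permit that no static backs. On a PIX 6.x that line is dead weight, since inbound traffic to an outside address with no translation is dropped before the ACL result matters.

```python
"""Cross-check statics against the inbound ACL in a PIX 6.x config.

Added example for this thread, not code from the original posts. It parses
name / static / access-list / access-group lines and reports, for each
translated host, what the ACL bound inbound on `outside` lets through.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the quoted config. The poster's masked
# 199.xxx.yyy.0/24 becomes 203.0.113.0/24 (assumption), and the .253/ssh line
# is added deliberately: an ACL permit with no static behind it.
SAMPLE = """\
name 192.168.1.251 IO_Inside
name 203.0.113.0 PNMICOM
name 192.168.1.254 Callisto_Inside
access-list outside_access_in permit ip PNMICOM 255.255.255.0 any
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit udp any host 203.0.113.254 eq domain
access-list outside_access_in permit tcp any host 203.0.113.254 eq smtp
access-list outside_access_in permit tcp any host 203.0.113.254 eq pop3
access-list outside_access_in permit tcp any host 203.0.113.254 eq www
access-list outside_access_in permit tcp any host 203.0.113.251 eq www
access-list outside_access_in permit tcp any host 203.0.113.251 eq ftp
access-list outside_access_in permit tcp any host 203.0.113.253 eq ssh
access-list inside_access_in permit ip any any
static (inside,outside) 203.0.113.251 IO_Inside netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.254 Callisto_Inside netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.*)$")
ANY = ("0.0.0.0", "0.0.0.0")


def resolve(token, names):
    """Map a `name` alias to its IP; literal IPs pass through unchanged."""
    return names.get(token, token)


def take_addr(tokens, names):
    """Consume one PIX address spec (any | host X | NET MASK); return ((net, mask), rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (resolve(tokens[1], names), "255.255.255.255"), tokens[2:]
    return (resolve(tokens[0], names), tokens[1]), tokens[2:]


def parse_ace(action, proto, tokens, names):
    src, tokens = take_addr(tokens, names)
    dst, tokens = take_addr(tokens, names)
    # trailing service: "eq <port>" for tcp/udp, a bare type for icmp, nothing for ip
    svc = tokens[1] if len(tokens) > 1 and tokens[0] == "eq" else (tokens[0] if tokens else None)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "svc": svc}


def parse_pix(text):
    names, statics, acls, groups = {}, {}, defaultdict(list), {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name "):
            _, ip, alias = line.split()
            names[alias] = ip
        elif m := STATIC_RE.match(line):
            src_if, dst_if, glob, local = m.groups()
            statics[resolve(glob, names)] = (resolve(local, names), src_if, dst_if)
        elif m := ACL_RE.match(line):
            name, action, proto, rest = m.groups()
            acls[name].append(parse_ace(action, proto, rest.split(), names))
        elif line.startswith("access-group "):
            _, name, _, _, iface = line.split()
            groups[iface] = name
    return {"names": names, "statics": statics, "acls": dict(acls), "groups": groups}


def ip_int(dotted):
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")


def in_net(ip, net, mask):
    return (ip_int(ip) & ip_int(mask)) == (ip_int(net) & ip_int(mask))


def inbound_acl(cfg, iface="outside"):
    return cfg["acls"].get(cfg["groups"].get(iface, ""), [])


def inbound_exposure(cfg, iface="outside"):
    """For each static's global IP, the (proto, svc) pairs the inbound ACL permits to it."""
    exposure = {glob: [] for glob in cfg["statics"]}
    for ace in inbound_acl(cfg, iface):
        if ace["action"] != "permit":
            continue
        for glob in exposure:
            if in_net(glob, *ace["dst"]):
                exposure[glob].append((ace["proto"], ace["svc"]))
    return exposure


def permits_without_static(cfg, iface="outside"):
    """Host permits aimed at an address no static translates: dead lines on a PIX 6.x."""
    dead = []
    for ace in inbound_acl(cfg, iface):
        net, mask = ace["dst"]
        if ace["action"] == "permit" and mask == "255.255.255.255" and net not in cfg["statics"]:
            dead.append((net, ace["proto"], ace["svc"]))
    return dead


def broad_permits(cfg, iface="outside"):
    """`permit ip <src> any` lines: first match wins, so these admit <src> to every static."""
    return [ace["src"] for ace in inbound_acl(cfg, iface)
            if ace["action"] == "permit" and ace["proto"] == "ip" and ace["dst"] == ANY]


if __name__ == "__main__":
    cfg = parse_pix(SAMPLE)
    for glob, (local, *_) in cfg["statics"].items():
        print(f"{glob} -> {local}: {inbound_exposure(cfg)[glob]}")
    print("permits with no static:", permits_without_static(cfg))
    print("broad permits:", broad_permits(cfg))
```

Run against the sample, the report shows both statics already receiving ("ip", None) from the first line, `permit ip PNMICOM 255.255.255.0 any`: because the ACL is evaluated first match, that one entry admits every host on the outside /24 to every translated address before any of the per-port lines is consulted, which is exactly the kind of line Shawn's "start VERY SIMPLE" config leaves out.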