Simple PIX 501 config

 
 
Matt Scoff
05-26-2006
I've had a lot of trouble getting my PIX configured the way I want it
so I wanted to see if someone could help me configure it in a somewhat
basic/unrestrictive setting. Then I can verify it is working
correctly and then use access-lists to restrict services later.

Basic config: I have two PC's. One is connected to the outside port
(eth0) and the other is connected to the inside port (eth1). I would
like to be able to access any port from the inside PC to the outside
PC. Most importantly ICMP/ping to verify the connectivity.

Outside PC (172.31.13.1)
:
:
Cisco Pix 501
:
:
Inside PC (172.31.1.136)


You can choose the eth0/eth1 ip addresses because I am not certain
what they should be. Also let me know if the subnet mask "255.255.0.0"
needs to change on the PC's themselves.
Thanks for your help. I'm still learning in my test environment.
 
Martin Bilgrav
05-28-2006

"Matt Scoff" wrote:

> Basic config: I have two PC's. One is connected to the outside port
> (eth0) and the other is connected to the inside port (eth1). I would
> like to be able to access any port from the inside PC to the outside
> PC. Most importantly ICMP/ping to verify the connectivity.
>


Kinda hard when we don't know your present config.
But what you need is pretty simple:
a global
a nat
an ACL permit icmp
an ACL-group on the outside int.


> Outside PC (172.31.13.1)
> :
> :
> Cisco Pix 501
> :
> :
> Inside PC (172.31.1.136)
>
>


Wow - mind your subnet masks here!


> You can choose the eth0/eth1 ip addresses because I am not certain
> what they should be. Also let me know if the subnet mask "255.255.0.0"
> needs to change on the PC's themselves.


YES!
You cannot have both interfaces in the same subnet.
Change subnet masks to /24 = 255.255.255.0, also on the PIX config for inside
and outside interfaces.


> Thanks for your help. I'm still learning in my test environment.


You may want to read the Cisco config guides for the PIX.

HTH
Martin Bilgrav
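
Added example, not part of the original thread: a small Python check of the addressing rule in the reply above, run against the thread's addresses with the /16 and /24 masks. The `check_plan` and `plan` helpers are hypothetical names, and the PIX interface addresses (172.31.13.2 outside, 172.31.1.1 inside) are the ones proposed later in the thread.

```python
import ipaddress

def check_plan(interfaces, hosts):
    """Return a list of problems in a routed-firewall addressing plan.

    interfaces: {name: "ip/mask"} for each firewall interface
    hosts:      {name: ("ip/mask", attached_interface_name)}
    """
    problems = []
    ifaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}

    # Every firewall interface needs its own, non-overlapping subnet.
    names = sorted(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                problems.append(f"{a}/{b} overlap in {ifaces[a].network}")

    for host, (addr, attached) in hosts.items():
        h = ipaddress.ip_interface(addr)
        # Host and its firewall interface must agree on the on-link network.
        if h.network != ifaces[attached].network:
            problems.append(f"{host}: {h.network} != {ifaces[attached].network}")
        # If the host's mask also covers the far interface, it will ARP for
        # far-side addresses directly instead of sending them to the firewall.
        for other, o in ifaces.items():
            if other != attached and o.ip in h.network:
                problems.append(f"{host}: treats {other} side as on-link")
    return problems

def plan(mask_fw, mask_pc):
    # Addresses are the ones from the thread; the PIX interface addresses are
    # those proposed in the follow-up post. Only the masks vary.
    interfaces = {"outside": f"172.31.13.2/{mask_fw}",
                  "inside": f"172.31.1.1/{mask_fw}"}
    hosts = {"Outside PC": (f"172.31.13.1/{mask_pc}", "outside"),
             "Inside PC": (f"172.31.1.136/{mask_pc}", "inside")}
    return interfaces, hosts

if __name__ == "__main__":
    for fw, pc in [("255.255.0.0", "255.255.0.0"),      # original masks
                   ("255.255.255.0", "255.255.0.0"),    # PIX fixed, PCs not
                   ("255.255.255.0", "255.255.255.0")]: # both changed to /24
        issues = check_plan(*plan(fw, pc))
        print(f"PIX {fw}, PCs {pc}: {len(issues)} problem(s)")
        for line in issues:
            print("  -", line)
```

The middle case shows why the mask has to change on the PCs as well as on the PIX: with /16 left on the hosts, each PC still considers the other side directly reachable.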


 
Matt Scoff
05-30-2006
Thank you so much. I will see what I can get working. My present
config is new, reset to factory defaults.

My PC's need to be configured as 172.31.13.1 subnet 255.255.255.0 and
172.31.1.136 255.255.255.0, correct?

Outside interface: 172.31.13.2 255.255.255.0
Inside interface: 172.31.1.1 255.255.255.0
Correct?



Matt Scoff
05-30-2006
Here is my configuration. I have turned on logging. When I try to ping
172.31.13.2 (Server) from 172.31.4.136 (InsidePC) I receive the
message "deny inbound icmp src outside: Server dst inside:172.31.13.2"

I must be missing something.



Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.31.4.136 InsidePC
name 172.31.13.1 Server
access-list inside_access_in permit icmp interface inside interface outside
access-list inside_access_in permit tcp interface inside interface outside
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 172.31.13.2 255.255.255.0
ip address inside 172.31.4.10 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location InsidePC 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 InsidePC 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+

 
Matt Scoff
05-30-2006
This is what I was looking for:
access-group inside_access_in in interface out

Everything started working after that... I'm sure I'll have some more
questions in the future, though.

 