In article <p5idnRyi3ZIrWRvfRVn->,
Frank Angel <> wrote:
:I'm a newbie working with a hardware firewall and am lost getting a working
:configuration to where I can get response from the outside.
What kind of response?
:-->I've configured the outside interface Source to any and the destination
:inside source to 192.168.1.1.
? Configured where? This sounds sort of like an access-list
configuration but I'm having a bit of trouble following the meaning.
Is this something you configured on the Netopia?
:-->What else am I missing? What else needs to be configured.
How are you testing? If you are testing using ping then a
trick you need to know is that the PIX does not keep very good
state on icmp (which isn't a "connection-oriented" protocol),
so if you want to be able to get ping replies you often need to
explicitly configure the PIX outside ACL to permit incoming
icmp echo-reply.
You can also theoretically have problems with DNS, since DNS
is UDP and the PIX by default assumes that UDP that has not
had traffic for 2 minutes is finished and would automatically
close the translation. Thus, in some cases you may need to
explicitly configure the PIX outside ACL to permit incoming
messages with a source of udp 53 (DNS) and a destination of
udp 137 (NETBIOS), udp 53 (microsoft DNS client) or udp above 1023
(standard DNS clients). In -practice- though, most DNS replies
are within about 70 seconds (there are 1 minute timeouts for
some operations) so -usually- the default of 2 minutes is okay.
What default route have you set on the PIX?
--
Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec
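A minimal PIX 6.x-style configuration, added here as an illustrative example (it is not the poster's or the original asker's configuration), tying together the pieces the reply lists: a static translation so outside traffic can reach the inside host 192.168.1.1, an outside ACL that explicitly permits icmp echo-reply and late DNS replies from udp 53, and a default route. The public addresses 203.0.113.10/11, the gateway 203.0.113.1, and the inside interface address 192.168.1.254 are assumed placeholders.

```cisco
! Added example, not from the original post. Placeholder addresses:
! 203.0.113.10 = outside interface, 203.0.113.11 = public address for 192.168.1.1,
! 203.0.113.1 = ISP gateway.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.10 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0

! Static translation: without this the outside world cannot reach 192.168.1.1.
static (inside,outside) 203.0.113.11 192.168.1.1 netmask 255.255.255.255

! Outside ACL. The PIX keeps no useful state for ICMP, so echo-reply has to be
! permitted explicitly or pings sent from 192.168.1.1 never get their answers.
access-list outside_in permit icmp any host 203.0.113.11 echo-reply
! DNS answers that arrive after the UDP translation has idled out (2 minutes by
! default, see "timeout udp" below); source udp 53, destination port above 1023
! for standard resolver clients.
access-list outside_in permit udp any eq 53 host 203.0.113.11 gt 1023
access-group outside_in in interface outside

! Default route toward the ISP; without it nothing leaves the outside interface.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! UDP translations idle for 2 minutes are torn down (this is the default value).
timeout udp 0:02:00
```

Verify with "show access-list outside_in" (hit counts increment on the echo-reply line when the inside host pings out) and "show xlate" to confirm the static translation is present.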