can't get a PIX 515 to work

Discussion in 'Cisco' started by B Squared, May 21, 2005.

  1. B Squared

    B Squared Guest

    All,

    I hate to be the whiner, but I haven't been able to get
    any traffic of any kind to cross between the inside and outside
    interfaces of my PIX 515. From inside the PIX I can ping out to
    hosts beyond both interfaces, and from hosts on either side I
    can ping the respective interface. But I can't get TCP, or any
    other traffic, to cross the firewall. I've included the entire
    configuration, which from what I can tell is totally vanilla
    and straight from the Cisco website tutorials. I've been fighting
    this for two days, so I'm sort of losing my religion on this.

    Any suggestions are much appreciated.

    --------------------------------------------

    PIX Version 6.3(4)

    interface ethernet0 auto
    interface ethernet1 auto

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100

    hostname pixfirewall

    domain-name xxxxxx.xxx

    ! the standard fixup protocols
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69

    names
    pager lines 24

    mtu outside 1500
    mtu inside 1500

    ip address outside xxx.xxx.50.14 255.255.255.0
    ip address inside xxx.xxx.65.193 255.255.255.224 !! a small subnet

    ip audit info action alarm
    ip audit attack action alarm

    pdm history enable

    arp timeout 14400

    ! not using NAT
    nat (inside) 0 0.0.0.0 0.0.0.0 0 0
    ! I've also attempted a static route here, but to no avail

    !default route
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.50.4 1

    ! use the default timeouts
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 !! the newsgroup editor wraps this line
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute

    ! again, the defaults
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local

    ! allow icmp for some short term debugging
    access-list ping_ok permit icmp any any
    access-group ping_ok in interface inside

    ! the pdm/web interface
    http server enable
    http 192.168.1.0 255.255.255.0 inside

    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps

    floodguard enable

    telnet timeout 5
    ssh timeout 5
    console timeout 0

    terminal width 80

    ------------------------------

    Like I said, this seems totally vanilla to me.

    Thanks in advance for any help.

    B Squared
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Reserving judgements is a matter of infinite hope.
    -- F. Scott Fitzgerald, _The Great Gatsby_
    B Squared, May 21, 2005
    #1

  2. KR

    KR Guest

    "B Squared" wrote:
    >
    > I hate to be the whiner, but I haven't been able to get
    > any traffic of any kind to cross between the inside and outside
    > interfaces of my PIX 515. From inside the PIX I can ping out to
    > hosts beyond both interfaces, and from hosts on either side I
    > can ping the respective interface. But I can't get TCP, or any
    > other traffic, to cross the firewall.

    [snip]
    > ! allow icmp for some short term debugging
    > access-list ping_ok permit icmp any any
    > access-group ping_ok in interface inside


    All access lists have an implicit "deny all" at the end. Your list
    effectively blocks all traffic except ICMP from entering the "inside"
    interface.
    KR, May 21, 2005
    #2

  3. You need to permit something, not just ICMP. Your ACL is permitting ICMP
    and nothing else.
    arturo.servin, May 21, 2005
    #3
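The two replies above both come down to one rule: a PIX ACL is evaluated top to bottom, the first matching entry decides, and a packet that matches nothing is dropped by the implicit deny at the end. The script below is an added example, not code from the thread or from Cisco, that models that evaluation in Python so the failure is visible: the poster's `ping_ok` list (`permit icmp any any`) is run against ICMP, TCP and UDP packets, then a corrected list that also permits IP from the inside subnet outbound. The inside subnet `192.0.2.192/27` is a constructed stand-in for the poster's masked `xxx.xxx.65.192/27`, and the sample packets are constructed for the demonstration; the `to_pix` helper only renders the modelled entries back into `access-list` syntax so the corrected lines can be compared with the original.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Ace:
    """One access-control entry, in the order it appears in the list."""
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches everything; otherwise "icmp", "tcp", "udp"
    src: str     # CIDR string or "any"
    dst: str


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str


def _match_net(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def evaluate(acl, pkt):
    """First-match evaluation as the PIX does it.

    Returns (verdict, index_of_matching_ace). A packet that matches no
    entry falls off the end and hits the implicit 'deny ip any any',
    reported here as ("deny", None).
    """
    for idx, ace in enumerate(acl):
        if ace.proto not in ("ip", pkt.proto):
            continue
        if _match_net(ace.src, pkt.src) and _match_net(ace.dst, pkt.dst):
            return ace.action, idx
    return "deny", None


def verdicts(acl, packets):
    """Verdict per packet, in order."""
    return [evaluate(acl, p)[0] for p in packets]


def to_pix(name: str, acl) -> list:
    """Render entries as 'access-list <name> ...' lines (PIX wants a
    network/mask pair, not CIDR notation)."""
    lines = []
    for ace in acl:
        parts = [f"access-list {name} {ace.action} {ace.proto}"]
        for spec in (ace.src, ace.dst):
            if spec == "any":
                parts.append("any")
            else:
                net = ip_network(spec, strict=False)
                parts.append(f"{net.network_address} {net.netmask}")
        lines.append(" ".join(parts))
    return lines


# Constructed stand-in for the poster's xxx.xxx.65.192/27 inside subnet.
INSIDE_NET = "192.0.2.192/27"

# The list from the original post: ICMP only.
PING_OK = [Ace("permit", "icmp", "any", "any")]

# A corrected list: keep the debugging ICMP entry, then let the inside
# subnet (and only the inside subnet) send anything outbound.
OUTBOUND = [
    Ace("permit", "icmp", "any", "any"),
    Ace("permit", "ip", INSIDE_NET, "any"),
]

# Constructed sample traffic arriving on the inside interface.
SAMPLE = [
    Packet("icmp", "192.0.2.200", "203.0.113.10"),  # the ping that works
    Packet("tcp", "192.0.2.200", "203.0.113.10"),   # e.g. HTTP to a web server
    Packet("udp", "192.0.2.200", "203.0.113.53"),   # e.g. DNS
    Packet("tcp", "10.9.9.9", "203.0.113.10"),      # source not on the inside net
]

if __name__ == "__main__":
    for name, acl in (("ping_ok", PING_OK), ("outbound", OUTBOUND)):
        print("\n".join(to_pix(name, acl)))
        for pkt, verdict in zip(SAMPLE, verdicts(acl, SAMPLE)):
            print(f"  {pkt.proto:4} {pkt.src:>12} -> {pkt.dst:<14} {verdict}")
```

The rendered `outbound` list is what would replace the `ping_ok` lines in the post (`access-group outbound in interface inside`). The caveat worth knowing on PIX 6.3: with no `access-group` on the inside interface, traffic from a higher-security interface to a lower one is allowed by default once a translation exists (here the `nat (inside) 0` identity NAT), so the poster's very first `access-group` was the change that turned the default open outbound path into "ICMP only". Restricting the source to the inside subnet, rather than `any`, also keeps the list from passing packets with spoofed sources that do not belong on that segment.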
