Cisco Pix Basic Config Pix wont route between inside int and outside help?

Discussion in 'Cisco' started by AJ, Oct 30, 2003.

  1. AJ

    AJ Guest

    Please help a newbie out. Here is my config. I don't want to do NAT or
    PAT; I have all routable IPs. I am only using this box as a permit/deny
    firewall. For some reason with this config I cannot ping or pass
    traffic through the box. From the router to the PIX I can ping only to
    the PIX WAN int (e0) and not clean through to the e1 on the PIX, and
    from the cable CMTS unit attached to the PIX e1 int I can only ping to
    the PIX e1 int and not to the PIX e0. Hope this isn't too confusing;
    basically the PIX is not passing traffic through from the e0 to the e1 int.
    Here is the config. Thanks.

    Adrian

    Written by enable_15 at 05:01:29.032 MST Wed Oct 29 2003
    PIX Version 6.3(3)
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 100full
    interface ethernet3 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security10
    nameif ethernet3 intf3 security6
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    domain-name CMCMD
    clock timezone MST -7
    clock summer-time MDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list ping_acl permit icmp any any
    access-list acl_out permit icmp any any
    pager lines 24
    logging on
    logging buffered debugging
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    mtu intf3 1500
    ip address outside 65.38.147.102 255.255.255.248
    ip address inside 65.38.147.105 255.255.255.248
    no ip address intf2
    no ip address intf3
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address intf2
    no failover ip address intf3
    pdm location 65.38.147.104 255.255.255.248 inside
    pdm history enable
    arp timeout 14400
     
    AJ, Oct 30, 2003
    #1

  2. In article <>,
    AJ <> wrote:
    :Please help a newbie out. Here is my config. I don't want to do NAT or
    :PAT; I have all routable IPs. I am only using this box as a permit/deny
    :firewall. For some reason with this config I cannot ping or pass
    :traffic through the box. From the router to the PIX I can ping only to
    :the PIX WAN int (e0) and not clean through to the e1 on the PIX, and
    :from the cable CMTS unit attached to the PIX e1 int I can only ping to
    :the PIX e1 int and not to the PIX e0. Hope this isn't too confusing;
    :basically the PIX is not passing traffic through from the e0 to the e1 int.
    :Here is the config. Thanks.

    :PIX Version 6.3(3)
    :ip address outside 65.38.147.102 255.255.255.248
    :ip address inside 65.38.147.105 255.255.255.248

    The PIX will not pass traffic unless you have established a translation.

    If you want each IP to represent itself, you can use
    nat (inside) 0 65.38.147.104 255.255.255.248
    if you do NOT want to permit new connections to the inside. This
    NATs each address to itself.

    Or you can use
    access-list no-nat permit ip 65.38.147.104 255.255.255.248 any
    nat (inside) 0 access-list no-nat
    This "turns off" NAT (ports go out unchanged) and has the side effect
    of permitting incoming connections. Proxy ARP is NOT done for this form.


    Thirdly, you can use
    static (inside,outside) 65.38.147.104 65.38.147.104 netmask 255.255.255.248
    which also has the side effect of permitting incoming connections.
    Proxy ARP IS normally done for this form.

    *Usually* you would use static instead of nat 0 access-list if you
    want to permit incoming connections, but there is no firm rule.
    You would normally use the nat 0 access-list form in connection with
    VPN tunnels. Also note that the nat 0 access-list form applies to
    all interfaces, whereas static applies only to the interfaces you name.
    --
    I don't know if there's destiny,
    but there's a decision! -- Wim Wenders (WoD)
     
    Walter Roberson, Oct 30, 2003
    #2
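The translation rule Walter describes, turned into a small config checker; this is an added example, not code from the thread. It parses a PIX 6.x config for the statements that decide whether traffic crosses the box (nat, static, access-list, access-group) and reports the gaps in AJ's posted config. The sample configs are constructed from the thread; the access-group check is my addition (an access-list filters nothing until it is bound to an interface), which the replies do not mention.

```python
import re

# Constructed subset of the config posted in the thread: no nat/static, ACLs unbound.
POSTED = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list ping_acl permit icmp any any
access-list acl_out permit icmp any any
ip address outside 65.38.147.102 255.255.255.248
ip address inside 65.38.147.105 255.255.255.248
"""

# Same config plus Walter's second form (identity NAT via access-list) and the
# two posted ACLs actually bound with access-group (my addition, not from the reply).
FIXED = POSTED + """
access-list no-nat permit ip 65.38.147.104 255.255.255.248 any
nat (inside) 0 access-list no-nat
access-group acl_out in interface outside
access-group ping_acl in interface inside
"""

def parse(cfg):
    """Pull out only the statements that decide whether traffic crosses the PIX."""
    s = {"nat": [], "static": [], "acls": set(), "bound": set()}
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"nat \((\w+)\) (\d+)\s*(.*)", line):
            s["nat"].append((m.group(1), int(m.group(2)), m.group(3)))
            if m.group(3).startswith("access-list "):
                s["bound"].add(m.group(3).split()[1])  # consumed by nat 0, not unapplied
        elif m := re.match(r"static \((\w+),\s*(\w+)\)", line):
            s["static"].append((m.group(1), m.group(2)))
        elif m := re.match(r"access-list (\S+) ", line):
            s["acls"].add(m.group(1))
        elif m := re.match(r"access-group (\S+) in interface", line):
            s["bound"].add(m.group(1))
    return s

def findings(cfg):
    """Return a list of problems; an empty list means the config can pass traffic."""
    s = parse(cfg)
    out = []
    # A PIX 6.x needs a translation (nat/global, nat 0, or static) before it forwards
    # between inside and outside, even when both sides carry public addresses.
    translated = any(i == "inside" for i, _, _ in s["nat"]) or \
                 any(a == "inside" and b == "outside" for a, b in s["static"])
    if not translated:
        out.append("no translation for inside: add nat (inside) 0 ... or static (inside,outside) ...")
    # An access-list only filters once it is bound to an interface with access-group.
    for acl in sorted(s["acls"] - s["bound"]):
        out.append(f"access-list {acl} is defined but never applied with access-group")
    return out
```

Running `findings(POSTED)` reports the missing translation and both unbound ACLs; `findings(FIXED)` returns an empty list.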

  3. AJ

    Johnny Bravo Guest

    (AJ) wrote in message news:<>...
    > Please help a newbie out. Here is my config. I don't want to do NAT or
    > PAT; I have all routable IPs. I am only using this box as a permit/deny
    > firewall. For some reason with this config I cannot ping or pass
    > traffic through the box. From the router to the PIX I can ping only to
    > the PIX WAN int (e0) and not clean through to the e1 on the PIX, and
    > from the cable CMTS unit attached to the PIX e1 int I can only ping to
    > the PIX e1 int and not to the PIX e0. Hope this isn't too confusing;
    > basically the PIX is not passing traffic through from the e0 to the e1 int.
    > Here is the config. Thanks.
    >
    > Adrian



    Adrian: I am curious, is there a reason you don't want to use a
    private IP space with static mapping to outside for your machines
    behind the PIX (besides the obvious pain of having to renumber your
    machines)?
     
    Johnny Bravo, Oct 31, 2003
    #3
