Re: PIX 501 configuration headache

Discussion in 'Cisco' started by Shawn Westerhoff, Oct 15, 2003.

    I would keep my static lines one-to-one until you get it to work.
    Usually I start with a clean config and stay away from PDM!

    Get rid of the access-list inside; add that later if you need to
    restrict outbound. Keep the config simple. Getting the initial static
    (in,out) configs to work should not be hard, as they do not use NAT or
    GLOBAL. The config should start VERY SIMPLE:

    ip address outside 199.xxx.yyy.230 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    static (inside,outside) 199.xxx.yyy.251 192.168.1.251 netmask 255.255.255.255 0 0
    access-list outside_access_in permit icmp any any
    access-list outside_access_in permit tcp any host 199.xxx.yyy.251 eq pop3
    access-list outside_access_in permit tcp any host 199.xxx.yyy.251 eq www
    access-list outside_access_in permit tcp any host 199.xxx.yyy.251 eq smtp
    access-group outside_access_in in interface outside
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    build it from there.

    -Shawn Westerhoff



    (Jon Brookins) wrote in message news:<>...
    > Can anyone take a look at this config and tell me why one machine
    > (IO_Inside) can be hit properly, and get out to the internet properly,
    > but when I put another machine (Callisto_Inside) behind the PIX it can
    > neither get traffic nor hit internet sites. I'm stumped, as it seems
    > like a straight forward static configuration. Thanks for any ideas,
    > as I am going steadily crazy over this.
    >
    > Jon Brookins
    > PNMN
    > ----- configuration below ------
    > : Written by enable_15 at 14:56:50.214 UTC Mon Oct 13 2003
    > PIX Version 6.2(2)
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > enable password 8Ry2YjIyt7RRXU24 encrypted
    > passwd 2KFQnbNIdI.2KYOU encrypted
    > hostname xxxxx
    > domain-name xxxx.com
    > fixup protocol ftp 21
    > fixup protocol http 80
    > fixup protocol h323 h225 1720
    > fixup protocol h323 ras 1718-1719
    > fixup protocol ils 389
    > fixup protocol rsh 514
    > fixup protocol rtsp 554
    > fixup protocol smtp 25
    > fixup protocol sqlnet 1521
    > fixup protocol sip 5060
    > fixup protocol skinny 2000
    > names
    > name 192.168.1.251 IO_Inside
    > name 199.xxx.yyy.0 PNMICOM
    > name 192.168.1.254 Callisto_Inside
    > access-list outside_access_in permit ip PNMICOM 255.255.255.0 any
    > access-list outside_access_in permit icmp any any time-exceeded
    > access-list outside_access_in permit icmp any any echo-reply
    > access-list outside_access_in permit icmp any any echo
    > access-list outside_access_in permit udp any host 199.xxx.yyy.254 eq domain
    > access-list outside_access_in permit tcp any host 199.xxx.yyy.254 eq smtp
    > access-list outside_access_in permit tcp any host 199.xxx.yyy.254 eq pop3
    > access-list outside_access_in permit tcp any host 199.xxx.yyy.254 eq www
    > access-list outside_access_in permit tcp any host 199.xxx.yyy.254 eq domain
    > access-list outside_access_in permit tcp any host 199.xxx.yyy.251 eq www
    > access-list outside_access_in permit tcp any host 199.xxx.yyy.251 eq ftp
    > access-list inside_access_in permit ip any any
    > pager lines 24
    > logging on
    > interface ethernet0 10baset
    > interface ethernet1 10full
    > mtu outside 1500
    > mtu inside 1500
    > ip address outside 199.xxx.yyy.230 255.255.255.0
    > ip address inside 192.168.1.1 255.255.255.0
    > ip audit info action alarm
    > ip audit attack action alarm
    > pdm location IO_Inside 255.255.255.255 inside
    > pdm location Callisto_Inside 255.255.255.255 inside
    > pdm logging informational 100
    > pdm history enable
    > arp timeout 14400
    > global (outside) 1 interface
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > static (inside,outside) 199.xxx.yyy.251 IO_Inside netmask 255.255.255.255 0 0
    > static (inside,outside) 199.xxx.yyy.254 Callisto_Inside netmask 255.255.255.255 0 0
    > access-group outside_access_in in interface outside
    > access-group inside_access_in in interface inside
    > route outside 0.0.0.0 0.0.0.0 199.xxx.yyy.1 1
    > timeout xlate 0:05:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    > timeout uauth 0:05:00 absolute
    > aaa-server TACACS+ protocol tacacs+
    > aaa-server RADIUS protocol radius
    > aaa-server LOCAL protocol local
    > http server enable
    > http 192.168.1.0 255.255.255.0 inside
    > no snmp-server location
    > no snmp-server contact
    > snmp-server community public
    > no snmp-server enable traps
    > floodguard enable
    > no sysopt route dnat
    > telnet timeout 5
    > ssh timeout 5
    > dhcpd address 192.168.1.2-192.168.1.33 inside
    > dhcpd lease 3600
    > dhcpd ping_timeout 750
    > dhcpd auto_config outside
    > terminal width 80
     
    Shawn Westerhoff, Oct 15, 2003