Simple PIX 501 config

Discussion in 'Cisco' started by Matt Scoff, May 26, 2006.

  1. Matt Scoff

    Matt Scoff Guest

    I've had a lot of trouble getting my PIX configured the way I want it,
    so I wanted to see if someone could help me configure it in a somewhat
    basic/unrestrictive setting. Then I can verify it is working
    correctly and then use access-lists to restrict services later.

    Basic config: I have two PCs. One is connected to the outside port
    (eth0) and the other is connected to the inside port (eth1). I would
    like to be able to access any port from the inside PC to the outside
    PC. Most importantly ICMP/ping to verify the connectivity.

    Outside PC (172.31.13.1)
    :
    :
    Cisco Pix 501
    :
    :
    Inside PC (172.31.1.136)


    You can choose the eth0/eth1 IP addresses because I am not certain
    what they should be. Also let me know if the subnet mask "255.255.0.0"
    needs to change on the PCs themselves.
    Thanks for your help. I'm still learning in my test environment.
    Matt Scoff, May 26, 2006
    #1

  2. "Matt Scoff" <> wrote in message
    news:...

    > Basic config: I have two PC's. One is connected to the outside port
    > (eth0) and the other is connected to the inside port (eth1). I would
    > like to be able to access any port from the inside PC to the outside
    > PC. Most importantly ICMP/ping to verify the connectivity.
    >


    Kinda hard when we don't know your present config.
    But what you need is pretty simple:
    a global
    a nat
    an ACL permit icmp
    an access-group on the outside int.


    > Outside PC (172.31.13.1)
    > :
    > :
    > Cisco Pix 501
    > :
    > :
    > Inside PC (172.31.1.136)
    >
    >


    Wow - mind your subnet masks here!


    > You can choose the eth0/eth1 ip address's because I am not certain
    > what they should be. Also let me know if the subnet mask "255.255.0.0"
    > needs to change on the PC's themselves.


    YES!
    You cannot have both interfaces in the same subnet.
    Change the subnet masks to /24 = 255.255.255.0, also in the PIX config for the inside
    and outside interfaces.


    > Thanks for your help. I'm still learning in my test environment.


    You may want to read the Cisco config guides for the PIX.

    HTH
    Martin Bilgrav
    Martin Bilgrav, May 28, 2006
    #2

  3. Matt Scoff

    Matt Scoff Guest

    Thank you so much. I will see what I can get working. My present
    config is new, reset to factory defaults.

    My PCs need to be configured as 172.31.13.1 subnet 255.255.255.0 and
    172.31.1.136 255.255.255.0, correct?

    Outside interface: 172.31.13.2 255.255.255.0
    Inside interface 172.31.1.1 255.255.255.0
    Correct?



    Matt Scoff, May 30, 2006
    #3
  4. Matt Scoff

    Matt Scoff Guest

    Here is my configuration. I have turned on logging. When I try to ping
    172.31.13.2 (Server) from 172.31.4.136 (InsidePC) I receive the
    message "deny inbound icmp src outside: Server dst inside:172.31.13.2"

    I must be missing something.



    Building configuration...
    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 172.31.4.136 InsidePC
    name 172.31.13.1 Server
    access-list inside_access_in permit icmp interface inside interface outside
    access-list inside_access_in permit tcp interface inside interface outside
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 172.31.13.2 255.255.255.0
    ip address inside 172.31.4.10 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location InsidePC 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 InsidePC 255.255.255.255 0 0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group inside_access_in in interface inside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    Matt Scoff, May 30, 2006
    #4
  5. Matt Scoff

    Matt Scoff Guest

    This is what I was looking for:
    access-group inside_access_in in interface out

    Everything started working after that... I'm sure I'll have some more
    questions in the future, though.
    Matt Scoff, May 30, 2006
    #5
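    Pulling together the pieces Martin listed in #2 (a global, a nat, an ICMP permit, an access-group on the outside interface) and the fix in #5, here is a minimal PIX 6.3 config for this two-PC lab, written as an added example rather than anything posted in the thread. Addresses are the ones from the config in #4; the narrower outside ACL is an assumption about what the lab needs, not something the thread tested.

```cisco
! Added example, not from the thread: minimal PIX 6.3 config for the
! two-PC lab above. Assumes PIX 6.3(5) with the default security levels.
hostname pixfirewall
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 172.31.13.2 255.255.255.0
ip address inside 172.31.4.10 255.255.255.0
!
! PAT everything leaving inside to the outside interface address.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
!
! Inside (security100) to outside (security0) is permitted by default,
! so no inside ACL is needed for the inside PC to reach the server.
!
! What post #5 does: it binds the permissive inside ACL to the outside
! interface, which also lets outside hosts open ICMP and TCP inbound:
!   access-list inside_access_in permit icmp interface inside interface outside
!   access-list inside_access_in permit tcp interface inside interface outside
!   access-group inside_access_in in interface outside
!
! Narrower alternative (assumed sufficient for this lab): without an
! explicit permit, the echo-reply arriving on outside is treated as
! unsolicited inbound traffic and dropped, which is the "deny inbound
! icmp" message in post #4. Permit only the ICMP reply types the inside
! PC's pings need; everything else from outside still hits the implicit
! deny at the end of the ACL.
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit icmp any any unreachable
access-group outside_access_in in interface outside
!
! Keep logging on so denied packets show up while testing.
logging on
logging buffered warnings
```

After applying the outside ACL, `show access-list outside_access_in` shows the hit counts climbing on the echo-reply line as the inside PC pings the server, while a ping started from the server toward the PIX is still denied.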
