PIX 501 wll not allow inbound traffic

Discussion in 'Cisco' started by PATCHES, Nov 2, 2006.

  1. PATCHES

    PATCHES Guest

    I am installing a pix 501 firewall and I cannot get the firewall to
    allow inbound traffic.

    I am able to access the internet via the inside interface but I cannot
    get it to allow inbound traffic.

    Here is the config I am using. Ahy help would be appreciated..

    When I install my static zlate command it knowks dow the translation
    going on for access to the internet for the inside users

    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password L2HsB35X542d86Zr encrypted
    passwd Pi/kr.ARFZeO1oIx encrypted
    hostname DDCI-AUSTIN
    domain-name m5corp.net
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    name 199.34.66.35 Mainframe
    name 10.0.0.0 PCI
    <--- More --->

    access-list inside_access_in permit icmp any any
    access-list inside_outbound_nat0_acl permit ip 199.34.67.0
    255.255.255.0 PCI 255.255.255.0
    access-list outside_cryptomap_20 permit ip 199.34.67.0 255.255.255.0
    PCI 255.255.255.0
    access-list 101 permit ip 199.34.67.0 255.255.255.0 172.17.2.0
    255.255.255.0
    access-list 101 permit ip any 172.17.2.0 255.255.255.0
    access-list 102 permit tcp any host 172.17.1.87
    access-list 102 permit icmp any any
    access-list 102 permit tcp any any
    access-list outside_cryptomap_dyn_30 permit ip any 172.17.2.0
    255.255.255.0
    access-list outside_cryptomap_dyn_20 permit ip any 172.17.2.0
    255.255.255.0
    pager lines 24
    logging timestamp
    logging monitor debugging
    logging buffered debugging
    logging history debugging
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside 172.16.1.1 255.255.255.0
    ip address inside 172.16.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool pcivpn 172.17.2.1-172.17.2.255
    <--- More --->

    pdm location 199.34.67.2 255.255.255.255 inside
    pdm location 199.34.0.0 255.255.255.0 inside
    pdm location Mainframe 255.255.255.255 outside
    pdm location PCI 255.255.255.0 outside
    pdm location 199.34.67.0 255.255.255.0 inside
    pdm location 172.17.2.0 255.255.255.0 outside
    pdm logging debugging 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 101
    nat (inside) 1 199.34.67.0 255.255.255.0 0 0
    access-group 102 in interface outside
    route outside 0.0.0.0 0.0.0.0 199.34.64.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
    0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 199.34.0.0 255.255.255.0 inside
    http 199.34.67.0 255.255.255.0 inside
    no snmp-server location
    <--- More --->

    no snmp-server contact
    snmp-server community public
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap client configuration address initiate
    crypto map mymap client configuration address respond
    crypto map mymap interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp identity address
    isakmp client configuration address-pool local pcivpn outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup pci1 address-pool pcivpn
    vpngroup pci1 dns-server 199.34.64.35
    vpngroup pci1 default-domain atchleysystems.com
    <--- More --->

    vpngroup pci1 split-tunnel 101
    vpngroup pci1 idle-time 1800
    telnet 199.34.0.0 255.255.255.0 inside
    telnet 199.34.67.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 60
    terminal width 80
    Cryptochecksum:d0840090439eb2e77793b87fdadf6a5e
    : end
    [OK]

    DDCI-AUSTIN#
     
    PATCHES, Nov 2, 2006
    #1
    1. Advertisements

  2. www.BradReese.Com, Nov 2, 2006
    #2
    1. Advertisements

  3. There are a bunch of security patches for that. You should be going up
    to 6.2(4) or something like that. The upgrade is free (as long as you
    are the registered owner)
    You can't use the same subnet on the inside and outside.

    Perhaps you don't really do that and you munged the line for posting
    purposes, but I'm not going to bother trying to debug a configuration
    which might have any number of mistakes in the munging.
     
    Walter Roberson, Nov 2, 2006
    #3
  4. PATCHES

    CK Guest

    Go through the following link and rectify all the issues which WALTER
    has posted ...
    http://www.cisco.com/en/US/products...configuration_guide_book09186a0080107ed1.html


    CK
     
    CK, Nov 5, 2006
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.