Basic setup

May 15, 2000
Having problems with the basic config on PIX515. I set it up as the config guide explains, but the inside and the outside address won't see each other.
inside 192.168.1.1 255.255.255.0
outside (public) xxx.xxx.xxx.xxx 255.255.255.0
Outside can ping the router and everywhere else.
Inside can ping the node attached to that side (only 1, testing before going live). From the PIX terminal I am unable to ping from the inside address to the outside and vice versa. What am I missing? I covered the setup from the manual, but haven't identified what's missing.
Thx

Domenick Pellegrini
dpellegrini@yahoo.com

 
I would also like help with the same problem. Cisco support advised to create a static (inside) xxx.xxx.14.0 xxx.xxx.14.0 netmask xxx.xxx.xxx.xxx. This did not solve the problem.

I've pasted a copy of my config file:
Building configuration...
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password b1bl7I8rH9BR1W9D encrypted
passwd yruhere99yruhere encrypted
hostname xxxxxxxx
domain-name xxxxxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list ping_acl permit icmp any any
pager lines 24
logging buffered alerts
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
icmp permit any echo-reply outside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside xxx.xxx.1.104 255.255.255.xxx
ip address inside xxx.xxx.14.1 255.255.255.xxx
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 192.168.1.105 netmask 255.255.255.0
nat (outside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xxx.xxx.14.0 xxx.xxx.14.0 netmask 255.255.255.248 0 0
access-group ping_acl in interface outside
access-group ping_acl in interface inside
conduit permit tcp any any
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http xxx.xxx.4.13 255.255.255.255 inside
http xxx.xxx.14.13 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:57e9beab1b2643898e2ff8c71d41726c
: end
[OK]
 
Hi.

Few notes about your configuration:

***
conduit permit tcp any any

Combining CONDUIT and ACL in same config is not a good idea.


***
nat (outside) 1 0.0.0.0 0.0.0.0 0 0

This command has nothing to do.


***
global (outside) 1 192.168.1.105 netmask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

You seem to be using private IP addresses in the outside.
If you're connecting to an Intranet, that's ok.
If you're doing NAT/PAT on the router connecting you to the Internet, this scenario will pose some problems for you and is difficult to support.
You will probably encounter problems with VPN, and other issues.


***
ip address outside xxx.xxx.1.104 255.255.255.xxx
static (inside,outside) xxx.xxx.14.0 xxx.xxx.14.0 netmask

This is probably your problem.
It does not conform to basic TCP/IP rules.
Maybe you intended to put this line:
static (inside,outside) xxx.xxx.1.0 xxx.xxx.14.0 netmask ...
??

If you want to use the same IP "inside" and "outside", you should also use the nat 0 command, and you might need to change routing configuration in the router as well.

Bye

Yizhar Hurwitz
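The four points in the reply above can be checked mechanically. The script below is an added example, not code from the thread: it is a small lint for PIX 6.x `write terminal` output that flags conduit/ACL mixing, a purposeless `nat (outside)`, an RFC1918 global pool on the outside, and a static whose mapped address is not on the outside subnet or maps an address to itself. The sample config is constructed to mirror the posted one, with the masked addresses replaced by documentation and RFC1918 placeholders.

```python
import ipaddress
import re
# Constructed sample modelled on the config posted in the thread; the
# masked addresses are replaced with documentation/RFC1918 placeholders.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list ping_acl permit icmp any any
ip address outside 198.51.100.104 255.255.255.0
ip address inside 10.20.14.1 255.255.255.0
global (outside) 1 192.168.1.105 netmask 255.255.255.0
nat (outside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.20.14.0 10.20.14.0 netmask 255.255.255.248 0 0
access-group ping_acl in interface outside
conduit permit tcp any any
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
def lint_pix(config):
    """Return findings for the PIX 6.x problems pointed out in the reply."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    # 1. conduit and access-group mixed in the same config
    if any(ln.startswith("conduit ") for ln in lines) and \
            any(ln.startswith("access-group ") for ln in lines):
        findings.append("mixed: conduit and access-group both present")
    outside_net = None  # outside interface subnet, needed to judge statics
    for ln in lines:
        m = re.match(r"ip address outside (\S+) (\S+)$", ln)
        if m:
            outside_net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
    for ln in lines:
        # 2. nat (outside) does nothing useful for inside-to-outside traffic
        if ln.startswith("nat (outside)"):
            findings.append("useless: " + ln)
        # 3. RFC1918 address handed out as the outside global pool
        m = re.match(r"global \(outside\) \d+ (\S+)", ln)
        if m and any(ipaddress.ip_address(m[1]) in n for n in RFC1918):
            findings.append(f"private-outside: global {m[1]}")
        # 4. static whose mapped address is not on the outside subnet
        m = re.match(r"static \(inside,outside\) (\S+) (\S+) netmask", ln)
        if m:
            mapped, real = m.groups()
            if outside_net and ipaddress.ip_address(mapped) not in outside_net:
                findings.append(f"off-subnet: static {mapped} not in {outside_net}")
            if mapped == real:
                findings.append("identity-static: also needs nat 0 and a router route")
    return findings
```

Running `lint_pix(SAMPLE_CONFIG)` reports all five issues; feed it a config whose static maps into the outside subnet with no conduit and no `nat (outside)` and it returns an empty list.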
 