
cannot ping from inside interface to outside interface PIX 501

Status
Not open for further replies.

haven

MIS
Mar 26, 2001
11
FR
I got a headache while trying to set up a PIX 501 firewall.
I could not ping from the inside interface to the outside interface. I wonder if the problem concerns routing issues!!

#ping inside outside fails...

Thanks :)

 
Don't worry! You can't ping the interface facing away from you. A better test would be to see if you can ping the router or the next hop on the outside interface of the PIX. Don't forget that you will need to allow pings back in. By default the PIX doesn't allow icmp so you will have to allow it using "conduit permit icmp any any".

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Thank you for your answer.

I tried the configuration below without success.
The ping request appears in the console debugging, but no ping reply...

This is the configuration used

nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521

pager lines 20
no logging timestamp
no logging standby
logging console errors
no logging monitor
no logging buffered
no logging trap
logging facility 20
logging queue 512
interface ethernet0 10baset
interface ethernet1 10full

mtu outside 1500
mtu inside 1500

ip address outside 192.168.128.101 255.255.255.0
ip address inside 10.68.144.100 255.255.255.0

arp timeout 14400
global (outside) 1 10.68.144.98 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.128.0 10.68.144.0
access-list acl_out permit icmp any any
access-group acl_out in interface outside
access-list acl_ping permit icmp any any
access-group acl_ping in interface inside

route outside 0 0 192.168.128.1 1


Thank you for your help
 
You have a problem with your NAT statements. Your inside network is on 10.68.144.0/24 and the outside network is 192.168.128.0/24. So, the nat (inside) statement tells the inside to NAT all traffic going out of the inside network. The global (outside) command is then saying that all IPs from NAT ID group 1 should go out on the address of 10.68.144.98. This is a problem because the 10.68 address isn't routeable on the 192.168 network.

So, your global (outside) statement should have an IP address in the 192.168 range so that all internal traffic goes out on that IP address. Or you could use the external interface of eth0 using the command global (outside) 1 interface.

Also, your static map statement doesn't make any sense. With a static statement you assign a global address to a private internal address. For example, if you have an internal mail server with a private IP you would put a static mapping in place to map its MX record IP to the actual internal IP. What you have done is say that the external address of 192.168.128.0 should be mapped to the internal address of 10.68.144.0. These are unusable IPs as you are using a /24 mask which makes these IP addresses network addresses and not host addresses.

ip address outside 192.168.128.101 255.255.255.0
ip address inside 10.68.144.100 255.255.255.0

arp timeout 14400
global (outside) 1 10.68.144.98 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.128.0 10.68.144.0

I hope that this makes sense!

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
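As an added example (not part of this thread and not a Cisco tool), the reasoning in the reply above can be turned into a small checker that reads the posted `ip address`, `global` and `static` lines and flags a global pool address that is not on the outside subnet, or a static that maps network addresses instead of hosts. The `check_nat` function and the constructed sample config are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample: the NAT-related lines of the configuration posted in this thread.
POSTED_CONFIG = """
ip address outside 192.168.128.101 255.255.255.0
ip address inside 10.68.144.100 255.255.255.0
global (outside) 1 10.68.144.98 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.128.0 10.68.144.0
"""

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) \d+ (\S+)")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")


def parse_interfaces(config):
    """Map interface name -> ip_interface for every 'ip address' line."""
    ifaces = {}
    for line in config.splitlines():
        m = IP_ADDR_RE.match(line.strip())
        if m:
            name, addr, mask = m.groups()
            ifaces[name] = ipaddress.ip_interface(f"{addr}/{mask}")
    return ifaces


def check_nat(config):
    """Return (line, problem) pairs for NAT statements that cannot work: a global
    pool address that is not on the outside interface's subnet, or a static whose
    addresses are network addresses (all host bits zero) rather than hosts."""
    ifaces = parse_interfaces(config)
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := GLOBAL_RE.match(line):
            ifname, addr = m.groups()
            # 'global (outside) 1 interface' reuses the interface's own address, so skip it
            if addr != "interface" and ifname in ifaces:
                net = ifaces[ifname].network
                if ipaddress.ip_address(addr) not in net:
                    findings.append((line, f"{addr} is not routable on {ifname} subnet {net}"))
        elif m := STATIC_RE.match(line):
            in_if, out_if, global_ip, local_ip = m.groups()
            for ifname, addr in ((out_if, global_ip), (in_if, local_ip)):
                iface = ifaces.get(ifname)
                if iface and ipaddress.ip_address(addr) == iface.network.network_address:
                    findings.append((line, f"{addr} is the {ifname} network address, not a host"))
    return findings
```

Running `check_nat(POSTED_CONFIG)` reports the off-subnet global address and both network addresses in the static line; a config with a 192.168.128.x global (or `global (outside) 1 interface`) and a host-to-host static reports nothing.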
 