
Help with basic pix configuration

Status
Not open for further replies.

robp123 (IS/IT--Management) Oct 8, 2008
I have some previous experience with Cisco switches and routers but am fairly new when it comes to PIX firewalls. I'm looking to familiarize myself with them and want to set up a testing environment with plans to eventually configure and test VPN options. So far I have a 501 and a 506 connected via crossover and have configured them with the following (after resetting both to factory default settings):

Pix #1:
hostname bob
int e1 10full
int e0 10baset
ip address outside 192.168.1.2 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
route outside 0 0 192.168.1.1
nat (inside) 1 0 0
global (outside) 1 interface

Pix #2:
hostname doug
int e1 10full
int e0 10baset
ip address outside 192.168.1.1 255.255.255.0
ip address inside 192.168.3.1 255.255.255.0
route outside 0 0 192.168.1.2
nat (inside) 1 0 0
global (outside) 1 interface

In addition to this, I have hosts on the inside interfaces of both firewalls with 192.168.2.2 and 192.168.3.2 addresses respectively. Currently I can ping between my hosts and the firewall inside addresses and can also ping between the 2 firewall outside addresses. But unfortunately no other ping tests work. I did some additional reading and quickly found out about the security policies that the firewall implements, where you can't send anything from a lower security interface to a higher one. From there I configured ACLs on both firewalls as follows.

access-list 1 permit icmp any any
access-group 1 in interface outside

As far as my knowledge goes, this should allow any icmp/ping packets into the firewall from the outside interface but I still have no connectivity other than what I stated above.

Anyone have any suggestions? Thanks in advance.
 
In order for an ACL to be effective you have to pair it with a static.
 
Care to elaborate or provide an example of what you think would work? I've done some reading and it seems that the static command is used for one-to-one static mappings, more so for accessing a dedicated server/services (mail, ftp, etc.) from the outside network, whereas I (for the purpose of my test) want to allow all icmp requests through the firewall.
 
You are thinking of testing it like a router - it is not. It is made to segregate networks based on security levels. The firewall performs NAT and must know what addresses connect together from outside to inside.
If it is only for testing then just set up a static to a known pc inside and test it.

Example -



Brent
Systems Engineer / Consultant
CCNP, CCSP
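Added worked example (not the original poster's configuration and not Brent's own example): PIX 6.x commands that publish each inside test host on an unused outside address with a static, then narrow the ICMP ACL to that published address. The outside addresses 192.168.1.12 and 192.168.1.13 and the ACL name outside_in are assumptions chosen for the lab above.

```text
: bob (PIX #1): publish inside host 192.168.2.2 on the assumed outside address 192.168.1.12
: (one-to-one translation, so unsolicited inbound packets have an xlate to land on)
static (inside,outside) 192.168.1.12 192.168.2.2 netmask 255.255.255.255 0 0
: permit echo requests only to the published host, not "icmp any any"
access-list outside_in permit icmp any host 192.168.1.12 echo
: ICMP is not tracked statefully on PIX 6.x by default, so replies to pings that
: were started from the inside must also be permitted back in on the outside
access-list outside_in permit icmp any any echo-reply
access-group outside_in in interface outside

: doug (PIX #2): same pattern for inside host 192.168.3.2 on the assumed address 192.168.1.13
static (inside,outside) 192.168.1.13 192.168.3.2 netmask 255.255.255.255 0 0
access-list outside_in permit icmp any host 192.168.1.13 echo
access-list outside_in permit icmp any any echo-reply
access-group outside_in in interface outside

: verify from 192.168.3.2 with "ping 192.168.1.12" (the published address, not 192.168.2.2),
: then on bob confirm the static translation and the ACL hit counts
show xlate
show access-list outside_in
```

The hosts on each side ping the partner's published outside address; the real inside addresses stay hidden behind the static, which is the NAT-to-address pairing Brent refers to.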
 