robp123 (IS/IT--Management) Oct 8, 2008
I have some previous experience with Cisco switches and routers but am fairly new when it comes to PIX firewalls. I'm looking to familiarize myself with them and want to set up a testing environment with plans to eventually configure and test VPN options. So far I have a 501 and a 506 connected via crossover and have configured them with the following (after resetting both to factory default settings):
Pix #1:
hostname bob
int e1 10full
int e0 10baset
ip address outside 192.168.1.2 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
route outside 0 0 192.168.1.1
nat (inside) 1 0 0
global (outside) 1 interface
Pix #2:
hostname doug
int e1 10full
int e0 10baset
ip address outside 192.168.1.1 255.255.255.0
ip address inside 192.168.3.1 255.255.255.0
route outside 0 0 192.168.1.2
nat (inside) 1 0 0
global (outside) 1 interface
In addition to this, I have hosts on the inside interfaces of both firewalls with 192.168.2.2 and 192.168.3.2 addresses respectively. Currently I can ping between my hosts and the firewall inside addresses and can also ping between the 2 firewall outside addresses. But unfortunately no other ping tests work. I did some additional reading and quickly found out about the security policies that the firewall implements, where you can't send anything from a lower security interface to a higher one. From there I configured ACLs on both firewalls as follows.
access-list 1 permit icmp any any
access-group 1 in interface outside
As far as my knowledge goes, this should allow any icmp/ping packets into the firewall from the outside interface but I still have no connectivity other than what I stated above.
Anyone have any suggestions? Thanks in advance.
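As an added illustration (not part of the original post or of Cisco's software), the model below encodes the PIX 6.x forwarding rule the post runs into: traffic from a lower-security interface to a higher one needs both an access-list permit and a translation (a `static` or `nat 0`) for the inside host, while the post's configuration only supplies the ACL. The interface names, security levels and the assumed `static (inside,outside) 192.168.3.2 192.168.3.2` used in `build_doug(True)` are assumptions; the 192.168.x addresses are the post's own.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Pix:
    """Minimal model of how a PIX 6.x decides to forward between two interfaces."""
    levels: dict                                  # interface -> security level
    nets: dict                                    # interface -> connected network
    statics: dict = field(default_factory=dict)   # global ip -> inside ip (static xlates)
    acls: dict = field(default_factory=dict)      # interface -> [(proto, src_net, dst_net)]

    def egress(self, dst):
        # A connected network wins; anything else follows "route outside 0 0 ...".
        for ifc, net in self.nets.items():
            if ip_address(dst) in ip_network(net):
                return ifc
        return "outside"

    def acl_permits(self, ifc, proto, src, dst):
        # ACL bound with "access-group <n> in interface <ifc>", checked against
        # the untranslated (global) destination as PIX 6.x does.
        return any(p == proto
                   and ip_address(src) in ip_network(s)
                   and ip_address(dst) in ip_network(d)
                   for p, s, d in self.acls.get(ifc, []))

    def forward(self, in_ifc, proto, src, dst):
        out_ifc = self.egress(dst)
        if self.levels[in_ifc] > self.levels[out_ifc]:
            # Higher -> lower: allowed by default; dynamic nat/global PAT applies.
            return "permit"
        # Lower -> higher: an ACL permit alone is not enough, the target also
        # needs a translation, or the packet is dropped for "no translation".
        if not self.acl_permits(in_ifc, proto, src, dst):
            return "deny: no access-list permit"
        if dst not in self.statics:
            return "deny: no translation for inside host"
        return "permit"


def build_doug(with_static: bool) -> Pix:
    """Pix #2 from the post. with_static adds an assumed static translation
    for the inside host 192.168.3.2 that the posted configuration lacks."""
    return Pix(
        levels={"outside": 0, "inside": 100},   # PIX defaults, assumed here
        nets={"outside": "192.168.1.0/24", "inside": "192.168.3.0/24"},
        statics={"192.168.3.2": "192.168.3.2"} if with_static else {},
        acls={"outside": [("icmp", "0.0.0.0/0", "0.0.0.0/0")]},
    )
```

The model deliberately omits state tracking: PIX 6.x does not inspect ICMP, so an echo reply crossing the other firewall's outside interface is itself a lower-to-higher packet and is subject to the same two checks.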