
PIX not working!! Please check config and save my day!


bman38

Technical User
Apr 13, 2005
A customer of mine has attached a PIX to their network for the main purpose of setting up an IPSEC VPN to my Netscreen 100. Problem is, we have the PIX configured and I can ping it (over the internet, not the VPN), but he cannot ping anything whatsoever outbound. The PIX is connecting to the ISP's Cisco UBR 900. Here is the config (it has been modified for privacy purposes), and if anyone has any tips, advice, or can see the problem, please let me know ASAP. Thanks in advance!

Note: x.x.x.171 is their static IP, x.x.x.169 is the default gateway and y.y.y.2 is my remote gateway

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ********* encrypted
passwd ********** encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list ACL1 permit ip 192.1.1.105 255.255.255.255 198.185.205.0 255.255.255.240
access-list nonat permit ip 192.1.1.105 255.255.255.255 198.185.205.0 255.255.255.240
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.171 255.255.255.248
ip address inside 192.1.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 x.x.x.169
route outside y.y.y.2 255.255.255.255 x.x.x.169 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set TSET1 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map OAW 10 ipsec-isakmp
crypto map OAW 10 match address ACL1
crypto map OAW 10 set pfs group2
crypto map OAW 10 set peer y.y.y.2
crypto map OAW 10 set transform-set TSET1
crypto map OAW interface outside
isakmp enable outside
isakmp key ********* address y.y.y.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
telnet timeout 5
ssh timeout 60
terminal width 80

 
Hello bman38,
I'm no expert, but I think you will need an "access-group" statement like this:

access-group <access list name> in interface outside

hope this helps


 
Hi Bman, I would agree with ajinc that you might wanna bind an access list to the outside interface. For users behind the PIX to ping, you would need to add this rule to the access-list bound to the outside interface:

access-list <accesslist name> permit icmp any any echo-reply

With regards to the VPN, does your netscreen NAT your public IPs at all?
 
By default the PIX will drop the inbound echo-reply traffic that comes back in response to the outbound echo-request. To allow ICMP to the PIX itself you can use the 'icmp' commands to define which ICMP types are allowed to the PIX. That doesn't need to be in an access list, and the icmp command will always take preference over what is in the ACL.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
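Putting the two suggestions above side by side, as an added example that is not from any of the posters: the outside ACL that lets the inside hosts' pings complete, and the separate icmp command that only governs ICMP addressed to the PIX's own interface. The ACL name outside_in is assumed (the posted config has no outside ACL); the rest is standard PIX 6.x syntax.

```cisco
! Added example, not from the original thread. ACL name "outside_in" is assumed.

! 1. Through-traffic: PIX 6.2 does not track ICMP statefully, so the echo-reply
!    returning to the PATed outbound echo-request has to be permitted by an ACL
!    bound inbound on the outside interface. Permit only the reply types the
!    inside hosts need rather than "permit icmp any any".
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
access-group outside_in in interface outside
! Once this is bound, only listed traffic enters on outside, plus return
! traffic for TCP/UDP sessions opened from inside (connection table) and the
! IPsec traffic already exempted by "sysopt connection permit-ipsec".

! 2. ICMP addressed to the PIX itself is governed by the "icmp" command, not
!    the ACL. With no icmp entries every type is accepted on the interface,
!    which is why the outside address already answers pings; once any entry
!    exists, unmatched ICMP to that interface is dropped. Keep the "echo"
!    line only if the PIX should still answer pings from the internet.
icmp permit any echo-reply outside
icmp permit any echo outside
icmp deny any outside
```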
 