Pix501 Config Help

[CC801340]

Hi,

I have a Pix 501 which I am trying to configure in the following environment:

1) Router (10.215.112.33) connected to the internet
2) LAN A (10.215.112.32 / 27)
3) LAN B (10.212.35.0 / 24)
3) Cisco Pix501 (Inside=10.212.35.2, Outside=10.215.112.35)

From LAN A I can ping the Cisco Pix on 10.215.112.35.
From LAN B I can ping the Cisco Pix on 10.212.35.2.

I need to be able to do the following:

1) From LAN B I need to be able to access devices on LAN A (such as 10.215.112.33).

2) I need statically assigned NAT (I think!) so that traffic for 10.215.112.34 always goes to 10.212.35.60

Here is my current config:

Building configuration...e <if_name> <audit_name>
: Saved
:
PIX Version 6.3(5)

interface ethernet0 auto_number> disable
interface ethernet1 100full
show|cl
nameif ethernet0 outside security0ace <interface>]
nameif ethernet1 inside security100
show ip [addre
enable password sxoDUvFgNGNRIZl3 encrypted
passwd 2KFQnbNIdI.2KYOU encryptedwall(config)# ip address inside 1
hostname cf-pixfirewall
domain-name xxxxxxxx.local
Interface address
fixup protocol dns maximum-length 512
fixup protocol ftp 21wall(config)# no dhcp
fixup protocol h323 h225 1720
Ambiguous com
fixup protocol h323 ras 1718-1719
fixup protocol sip udp 5060sip2>]
fixup protocol skinny 2000cpd wins <winsip1> [<winsi
fixup protocol smtp 25

fixup protocol sqlnet 1521length>
fixup protocol tftp 69 dhcpd ping_timeout <t
names>
pager lines 24
mtu outside 1500 domain <domain_
mtu inside 1500
ip address outside 10.215.112.35 255.255.255.224ng> | hex <hex_string> |
ip address inside 10.212.35.2 255.255.255.0 ip <address_1> [<address_2>]}
ip audit info action alarm

ip audit attack action alarm
pdm logging informational 100v_ifc_name>
pdm history enable show dhcpd
arp timeout 14400s]
global (outside) 1 interfaceixfirewall(con
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.212.35.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:a44671637db93e8fb6c3294cbcb3518d
: end
[OK]

 

[CC801340]

I have now added the lines:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

I can successfully ping LAN A (eg 10.215.112.33) from the PIX PDM but NOT from a client on the inside of the pix (eg 10.212.35.20).I have noticed that I do not have any static routes set up for the internal and external interfaces on the pix - is this an issue?

Many thanks in advance

 

[boymarty24]

Yes you need one default route, for example

route outside 0.0.0.0 0.0.0.0 10.215.112.33 1
This is for your internet access.

The pix wont per default allow you to ping from clients within your lan to devices outside the pix. You need to add rules for that.

For allowing access to your lan from the outside you need to configure statics and access-lists.

this is the easiest way to go...

static (inside,outside) 10.215.112.34 10.212.35.60

and create access-list for traffic to pass

access-list acl_inbound permit tcp any host eq ftp

and bind the list to the outside interface

access-group acl_inbound in interface outside

 

[CC801340]

Thanks for your help.

I stil cant see externally from the clients on the inside of the PIX. I have added "route outside 0.0.0.0 0.0.0.0 10.215.112.33 1" but still no joy.

I can ping the outside router (10.215.112.33) from the PIX PDM console but not from a client. Perhaps I have got something wrong client side? At present the client I am using as an IP on the inside (10.212.35.20, subnet 255.255.255.0 and gateway 10.212.35.2 (PIX)).

 

[boymarty24]

Well if you want clients to ping hosts on another interface you need to setup a rule. Like this one.

access-list acl_out permit icmp any any.

It was kinda late yesterday when i wrote the access-list so got it wrong, sry. Insert the outside ip in the access-list statement.

access-list acl_inbound permit tcp any host 10.215.112.34 eq ftp

and apply to the outside interface with the access-group command.

 

[NetworkGhost]

You need to allow icmp outbound but you will also need to allow the icmp reply back inbound.


acl_outside permit icmp any any eq echo-reply

 

[CC801340]

What would be the command if I wanted to completely open up both the internal and external interfaces to permit ALL traffic? I know it wouldnt be recommended but I want to try it....I'm extremely new to Cisco Pix devices.

 

[NetworkGhost]

access-list acl_inside permit ip any any

access-list acl_outside permit ip any any