Rookie Question

[cbeazley]

I am learning the old 'jump in and play' method and am having problems. I have setup other firewall before but seem to be having basic problems with my pix 515.

All basic config is entered but I can't ping from my internal network to an external pc. This is on a private lan. I have tried nat and no nat but nothing. I have a route pointing to my next hop (the workstation). I can ping the pix from internal workstation, I can ping from external workstation to pix, I can ping from pix to both workstations but NOT from internal ws to external ws.

What am I missing here ? Damn I must be dumb.

 

[brontosaurus]

can you post your config? if you're using private addresses, it should just be a matter of NAT and GLOBAL statements, assuming you haven't set up any access-lists that would block this...

 

[cbeazley]

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 10.2.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location 10.1.1.1 255.255.255.255 inside
pdm location 10.2.2.1 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 10.2.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.1.1.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:56b18241d20ca3f535851f7c9e912d19
: end

 

[brontosaurus]

so if you change your NAT statement to:

nat (inside) 1 0 0

and issue a clear xlate, you can't ping out to the internet? (of course, I'm assuming that you actually have a routable address on your outside interface)

 

[cbeazley]

I tried this before but I tried it again for fun and no luck. My acl is the default one which is supposed to allow all inside traffic out. I'm confused. Any other ideas ?

 

[brontosaurus]

ok, so you can ping the internal interface of the PIX from the inside...just for fun (again) or a temporary test, try putting in an acl that explicitly permits ICMP through the PIX.

access-list outgoing permit icmp any any
access-group outgoing in interface outside

any change?

 

[cbeazley]

Good idea but no luck. I even changed the default implied acl of any inside allowed out so it is now rule 1 instead of -

I have also tried a different workstation and even added a static route to ensure traffic path is correct.

Could it be an ios problem ? Is it worth upgrading ?

 

[brontosaurus]

try a traceroute from the workstation and see where it dies...

 

[cbeazley]

Mistery solved. You gave me an idea with allowing icmp specifically. Even after your icmp acl nothing happened however, it was this idea that solved my problem.

In the pdm under System Properties - PIX administration - ICMP I had to add echo and echo-reply and presto it worked.

Why your rule didn't work I don't know but it was your idea that fixed this anoying problem for me. It's always the small things.

I think this is an ios issue because my 506e which I installed ios version 6.2(1) never gave me this grief.

Thanks a lot for your help.

Chris

 

[brontosaurus]

Excellent!