Routing issue ?!

[cbeazley]

I have a strange issue. I have am trying to get a cisco 2513 and pix 515e working together but encounted a weird problem. My 2513 is connected to my inside interface of the pix. I can ping from either side of the 2513 to outside the pix but when pinging from outside the pix I get timed out on some devices until I initiate a ping from that device (on the inside). I have static routes only and don't want rip on.

Any ideas would be appreciated.

 

[yizhar]

HI.

By default, the pix blocks incoming ICMP.
Even if you allow ICMP in your ACL, the pix uses hide NAT to protect the internal network (unless you disable/override it).

Best practice in most scenarios is not to be able to ping from the outside.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[cbeazley]

True but I can't even ftp from the outside device until I have initiated a ping from inside to the outer device. If I clear xlate after I can communicate then the channel is dead again. What do I need to do to keep this (non translated) channel open ?

 

[yizhar]

HI.

You need "STATIC" and "ACCESS-LIST".
Please post your relevant config if you need further assistant.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[thornec]

I agree with Yizhar, you need to define some sort of xlate in addition to your access-list.

 

[cbeazley]

Solved. Thanks for everyones help.

I was trying to setup NO translation while allowing inbound and outbound traffic flow. Well this is ok for outbound but inbound xlate problems occured until I figured out that nat occurs even if you don't want it. The difference is that on the pix no nat (nat 0) actually translates the addresses back to itself. Once I figured this out I setup nat (to itself) and all is good. Bizzare but simple.