Can your 95 users ping the gateway by IP address and hostname?


----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 31, 2000 6:40 PM
Subject: PIX question


> Hi everybody,
>
> I have one PIX firewall running v 4.2(4). Based on the config, I've
> specified that only a few users can go out to the Internet.
>
> But my problem is that users running on NT w/s or server can go out to
> the Internet, while users running on Win95 cannot.
>
> Has anybody experienced this problem before? Can you share with me?
>
> Here is the config of the firewall:
>
> PIX Version 4.2(4)
>
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz1 security50
> enable password mRF4kA2yGoAg24KE encrypted
> passwd mRF4kA2yGoAg24KE encrypted
> hostname PIX
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol sqlnet 1521
> no fixup protocol smtp 25
> names
> name 172.21.1.65 Adachi
> name 172.21.1.111 ECT
> name 172.21.1.78 Inagaki
> name 172.21.1.75 Kato
> name 172.21.1.201 Konishi
> name 172.21.1.92 Lim_Tiong_
> name 172.21.1.113 TKL
> name 172.21.1.67 Taishi
> name 172.21.1.50 Kobayashi
> name 172.21.1.3 MY_NT5
> name 172.21.1.6 MY_99
> name 172.21.1.17 S1019
> name 172.21.1.5 MY01
> name 172.21.1.1 MY00
> no failover
> failover timeout 0:00:00
> failover ip address outside 0.0.0.0
> failover ip address inside 0.0.0.0
> failover ip address dmz1 0.0.0.0
> pager lines 24
> no logging console
> no logging monitor
> no logging buffered
> no logging trap
> logging facility 20
> interface ethernet0 10baset
> interface ethernet1 10baset
> interface ethernet2 10baset
> ip address outside 202.x.x.x 255.255.255.248
> ip address inside 172.21.1.12 255.255.255.0
> ip address dmz1 172.21.253.101 255.255.255.0
> arp timeout 14400
> global (outside) 1 202.x.x.x
> nat (inside) 1 MY_NT5 255.255.255.0 0 0
> nat (inside) 1 172.21.1.4 255.255.255.0 0 0
> nat (inside) 1 MY_99 255.255.255.0 0 0
> nat (inside) 1 Kobayashi 255.255.255.0 0 0
> nat (inside) 1 Adachi 255.255.255.0 0 0
> nat (inside) 1 Taishi 255.255.255.0 0 0
> nat (inside) 1 Inagaki 255.255.255.0 0 0
> nat (inside) 1 Lim_Tiong_ 255.255.255.0 0 0
> nat (inside) 1 ECT 255.255.255.0 0 0
> nat (inside) 1 TKL 255.255.255.0 0 0
> nat (inside) 1 Konishi 255.255.255.0 0 0
> static (inside,outside) 202.x.x.x MY_99 netmask 255.255.255.255 0 0
> static (inside,dmz1) 172.21.253.17 S1019 netmask 255.255.255.255 0 0
> static (inside,dmz1) 172.21.253.5 MY01 netmask 255.255.255.255 0 0
> static (inside,dmz1) 172.21.253.1 MY00 netmask 255.255.255.255 0 0
> conduit permit icmp any any
> conduit permit tcp host 202.x.x.x eq smtp any
> conduit permit ip host 172.21.253.17 any
> conduit permit ip host 172.21.253.5 any
> conduit permit ip host 172.21.253.1 any
> no rip outside passive
> no rip outside default
> no rip inside passive
> no rip inside default
> no rip dmz1 passive
> no rip dmz1 default
> route outside 0.0.0.0 0.0.0.0 202.x.x.x 1
> route dmz1 172.21.252.0 255.255.255.0 172.21.253.102 1
> route dmz1 192.168.42.0 255.255.255.0 172.21.253.102 1
> route dmz1 172.21.254.0 255.255.255.0 172.21.253.102 1
> timeout xlate 3:00:00 conn 1:00:00 udp 0:02:00
> timeout rpc 0:10:00 h323 0:05:00
> timeout uauth 0:05:00 absolute
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> telnet 172.21.1.116 255.255.255.255
> telnet 172.21.1.12 255.255.255.255
> telnet ECTan 255.255.255.255
> telnet timeout 5
> mtu outside 1500
> mtu inside 1500
> mtu dmz1 1500
> floodguard 1
>
> Thanks.
>
> _________________________________
> FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
