Hi

Call TAC or search CCO. There is an ICMP bug in the 5.2 and 5.3 code. This
_might_ be the problem.

HTH
--
John Hardman CCNP MCSE


"pat" wrote in message news:[EMAIL PROTECTED]...
> I have this problem. I can't ping anything outside
> the PIX from machines inside. The PIX inside IP is the
> default gateway for all the machines & they can ping
> the gateway. I can also ping the outside world from the PIX.
> What is causing this problem...? I have pasted the PIX
> configs below. This is a new PIX & it never worked
> before. I have seen identical PIX configs working
> earlier.
>
> Thanks
>
>
>
>
> PIX Version 5.2(3)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> hostname pix-con
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> names
> access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
> access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
> access-list check permit tcp any host 212.19.133.231 eq www
> access-list check permit tcp any host 212.19.133.227 eq smtp
> access-list check permit tcp any host 212.19.133.228 eq pop3
> access-list check permit icmp any any
> pager lines 24
> logging on
> no logging timestamp
> no logging standby
> no logging console
> no logging monitor
> logging buffered warnings
> no logging trap
> no logging history
> logging facility 20
> logging queue 512
> interface ethernet0 auto
> interface ethernet1 auto
> mtu outside 1500
> mtu inside 1500
> ip address outside 212.19.133.226 255.255.255.240
> ip address inside 192.168.0.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 0 access-list 101
> nat (inside) 1 192.168.0.0 255.255.255.0 0 0
> static (inside,outside) 212.19.133.227 192.168.0.2 netmask 255.255.255.255 0 0
> static (inside,outside) 212.19.133.228 192.168.0.3 netmask 255.255.255.255 0 0
> static (inside,outside) 212.19.133.231 192.168.0.4 netmask 255.255.255.255 0 0
> access-group check in interface outside
> route outside 0.0.0.0 0.0.0.0 212.19.133.225 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> no sysopt route dnat
> crypto ipsec transform-set standard esp-des esp-md5-hmac
> crypto map peer_map 10 ipsec-isakmp
> crypto map peer_map 10 match address 102
> crypto map peer_map 10 set peer 212.46.19.194
> crypto map peer_map 10 set transform-set standard
> isakmp enable outside
> isakmp key l9k834 address 212.46.19.194 netmask 255.255.255.255
> isakmp identity address
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption des
> isakmp policy 10 hash md5
> isakmp policy 10 group 1
> isakmp policy 10 lifetime 3600
> telnet 192.168.0.0 255.255.255.0 inside
> telnet timeout 15
> terminal width 80




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=6916&t=6895
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
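
An added example (not part of the thread and not a Cisco tool): a Python check of three config-side prerequisites for an inside host to ping out through this PIX, run over a constructed excerpt of the posted configuration. The helper name and rule set are assumptions of this example, including the premise that echo replies must be permitted by the ACL bound inbound on the outside interface; an empty result means none of these three causes applies.

```python
import ipaddress

# Constructed excerpt: the ping-relevant lines of the posted PIX 5.2(3) config.
SAMPLE = """\
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list check permit tcp any host 212.19.133.231 eq www
access-list check permit icmp any any
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
access-group check in interface outside
route outside 0.0.0.0 0.0.0.0 212.19.133.225 1
"""

def check_outbound_ping(config, inside_host):
    """Hypothetical helper: list config-side reasons an inside host cannot ping out."""
    lines = [l.split() for l in config.splitlines() if l.strip()]
    host = ipaddress.ip_address(inside_host)
    problems = []

    # 1. The host must match a nat id (other than 0) that has a global on outside.
    #    Only the full "network mask" form of the nat command is handled here.
    nat_ids = {l[2] for l in lines
               if l[:2] == ["nat", "(inside)"] and l[2] != "0"
               and host in ipaddress.ip_network(f"{l[3]}/{l[4]}")}
    global_ids = {l[2] for l in lines if l[:2] == ["global", "(outside)"]}
    if not nat_ids & global_ids:
        problems.append("no nat/global pair translates this host")

    # 2. The echo request needs a default route out of the outside interface.
    if not any(l[:4] == ["route", "outside", "0.0.0.0", "0.0.0.0"] for l in lines):
        problems.append("no default route on outside")

    # 3. Assumption: echo replies are not admitted statefully, so the ACL bound
    #    inbound on outside must contain a "permit icmp" entry.
    bound = [l[1] for l in lines
             if l[0] == "access-group" and l[2:] == ["in", "interface", "outside"]]
    if not any(l[:4] == ["access-list", name, "permit", "icmp"]
               for name in bound for l in lines):
        problems.append("outside ACL does not permit returning ICMP")
    return problems

if __name__ == "__main__":
    print(check_outbound_ping(SAMPLE, "192.168.0.10") or "no config-side cause found")
```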
