Hello Pat,

I concur with Gaz... the config looks fine. We are running the same version
of Finesse on some of our PIX 515s with similar configs, and can pass ICMP
traffic. By adding the line permit icmp any any... it punches a hole in the
ACA and allows the echo reply back in. I would try, as suggested by Gaz,
clear xlate. Also, to make sure translation isn't failing and to watch the
ICMP traffic: debug icmp trace.

Thanks,
Mike Nygard
"pat" wrote in message news:[EMAIL PROTECTED]...
>    I have this problem. I can't ping anything outside
> the pix from machines inside. Pix inside IP is the
> default gateway for all the machines & they can ping
> the gateway. I can also ping outside world from pix.
> What is causing this problem...? I have pasted pix
> configs below. This is a new pix & it never worked
> before. I have seen identical pix configs working
> earlier.
>
> thanks_
>
>
>
>
> PIX Version 5.2(3)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> hostname pix-con
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> names
> access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
> access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
> access-list check permit tcp any host 212.19.133.231 eq www
> access-list check permit tcp any host 212.19.133.227 eq smtp
> access-list check permit tcp any host 212.19.133.228 eq pop3
> access-list check permit icmp any any
> pager lines 24
> logging on
> no logging timestamp
> no logging standby
> no logging console
> no logging monitor
> logging buffered warnings
> no logging trap
> no logging history
> logging facility 20
> logging queue 512
> interface ethernet0 auto
> interface ethernet1 auto
> mtu outside 1500
> mtu inside 1500
> ip address outside 212.19.133.226 255.255.255.240
> ip address inside 192.168.0.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 0 access-list 101
> nat (inside) 1 192.168.0.0 255.255.255.0 0 0
> static (inside,outside) 212.19.133.227 192.168.0.2 netmask 255.255.255.255 0 0
> static (inside,outside) 212.19.133.228 192.168.0.3 netmask 255.255.255.255 0 0
> static (inside,outside) 212.19.133.231 192.168.0.4 netmask 255.255.255.255 0 0
> access-group check in interface outside
> route outside 0.0.0.0 0.0.0.0 212.19.133.225 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> no sysopt route dnat
> crypto ipsec transform-set standard esp-des esp-md5-hmac
> crypto map peer_map 10 ipsec-isakmp
> crypto map peer_map 10 match address 102
> crypto map peer_map 10 set peer 212.46.19.194
> crypto map peer_map 10 set transform-set standard
> isakmp enable outside
> isakmp key l9k834 address 212.46.19.194 netmask 255.255.255.255
> isakmp identity address
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption des
> isakmp policy 10 hash md5
> isakmp policy 10 group 1
> isakmp policy 10 lifetime 3600
> telnet 192.168.0.0 255.255.255.0 inside
> telnet timeout 15
> terminal width 80




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=6921&t=6895
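
An added example, not part of the original thread: the reply above says the line `permit icmp any any` is what lets the echo reply back in, so this sketch reads the ACL excerpt from the quoted configuration and reports which entry decides the fate of an ICMP message arriving on the outside interface, and whether that entry covers every ICMP type. The function names are hypothetical, address fields are skipped rather than matched, and the result only applies to a lower-security interface such as outside.

```python
# ACL excerpt copied from the configuration quoted in the thread.
PIX_CONFIG = """\
access-list check permit tcp any host 212.19.133.231 eq www
access-list check permit tcp any host 212.19.133.227 eq smtp
access-list check permit tcp any host 212.19.133.228 eq pop3
access-list check permit icmp any any
access-group check in interface outside
"""


def skip_addr(tok, i):
    """Step over one address spec: 'any' (1 token), 'host A' or 'A MASK' (2)."""
    return i + 1 if tok[i:i + 1] == ["any"] else i + 2


def icmp_verdict(config, interface="outside", icmp_type="echo-reply"):
    """First-match verdict for an ICMP message arriving on `interface`.

    Returns (action, deciding_rule, all_types). all_types is True when the
    deciding entry names no ICMP type and therefore covers every type.
    Simplification (assumption of this example): source and destination
    addresses are stepped over, not compared.
    """
    acls, bound = {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and len(tok) >= 6:
            acls.setdefault(tok[1], []).append(tok[2:])
        elif tok[:1] == ["access-group"] and tok[2:] == ["in", "interface", interface]:
            bound = tok[1]
    for rule in acls.get(bound, []):
        action, proto = rule[0], rule[1]
        if proto not in ("icmp", "ip"):
            continue  # tcp/udp entries never match an ICMP message
        rest = rule[skip_addr(rule, skip_addr(rule, 2)):]  # tokens after src, dst
        if proto == "ip" or not rest or rest[0] == icmp_type:
            return action, " ".join(rule), not rest
    # No ACL bound to the interface, or no entry matched: the reply is dropped.
    return "deny", "implicit deny", False


if __name__ == "__main__":
    print(icmp_verdict(PIX_CONFIG))
```

For the quoted configuration the deciding entry is `permit icmp any any` with `all_types` set, meaning every ICMP type is admitted from outside; an entry ending in `echo-reply` would admit only the replies to inside pings.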