This may appear twice now but my previous attempt seems to have gone
missing:

Thanks for letting us know the outcome. Interesting that the interface
command caused problems. Only thing is now you're not using the external
interface address of the pix to do the PAT. Depends how many registered
addresses you can afford to lose.

After writing that, just checked CCO.
Looks like this is a bug on 5.2(3).

Problem:
    Internal hosts cannot ping outside devices with interface PAT
Solution:
   Upgrade to a version with the fix.

Bug ID is CSCdt28219

Regards,

Gaz

""pat""  wrote in message
news:[EMAIL PROTECTED]...
> Thanks a lot for everybody's help.
>
> I did clear xlate & changed the following command as
> suggested by Rick & I think that fixed the problem.
>
> It is really strange...!!!
>
> I changed original command
>
> global (outside) 1 interface
>
> to new command
>
> global (outside) 1 212.19.133.230
>
> --- Gareth Hinton wrote:
> > Hi Pat,
> >
> > Just so you don't think you're being ignored, I've sifted through every
> > line, as much as anything to convert myself to the newer commands for the
> > pix.
> > I'm stuck as well. Can't see anything wrong with the config.
> > I take it you already did a clear xlate/reload.
> > What does show xlate give you?
> >
> > Let us know the outcome.
> >
> > Gaz
> >
> >
> >
> > "pat" wrote in message
> > news:[EMAIL PROTECTED]...
> > > I have this problem. I can't ping anything outside
> > > the pix from machines inside. Pix inside IP is the
> > > default gateway for all the machines & they can ping
> > > the gateway. I can also ping outside world from pix.
> > > What is causing this problem...? I have pasted pix
> > > configs below. This is new pix & it never worked
> > > before. I have seen identical pix configs working
> > > earlier.
> > >
> > > thanks_
> > >
> > > PIX Version 5.2(3)
> > > nameif ethernet0 outside security0
> > > nameif ethernet1 inside security100
> > > hostname pix-con
> > > fixup protocol ftp 21
> > > fixup protocol http 80
> > > fixup protocol h323 1720
> > > fixup protocol rsh 514
> > > fixup protocol smtp 25
> > > fixup protocol sqlnet 1521
> > > fixup protocol sip 5060
> > > names
> > > access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
> > > access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
> > > access-list check permit tcp any host 212.19.133.231 eq www
> > > access-list check permit tcp any host 212.19.133.227 eq smtp
> > > access-list check permit tcp any host 212.19.133.228 eq pop3
> > > access-list check permit icmp any any
> > > pager lines 24
> > > logging on
> > > no logging timestamp
> > > no logging standby
> > > no logging console
> > > no logging monitor
> > > logging buffered warnings
> > > no logging trap
> > > no logging history
> > > logging facility 20
> > > logging queue 512
> > > interface ethernet0 auto
> > > interface ethernet1 auto
> > > mtu outside 1500
> > > mtu inside 1500
> > > ip address outside 212.19.133.226 255.255.255.240
> > > ip address inside 192.168.0.1 255.255.255.0
> > > ip audit info action alarm
> > > ip audit attack action alarm
> > > arp timeout 14400
> > > global (outside) 1 interface
> > > nat (inside) 0 access-list 101
> > > nat (inside) 1 192.168.0.0 255.255.255.0 0 0
> > > static (inside,outside) 212.19.133.227 192.168.0.2 netmask 255.255.255.255 0 0
> > > static (inside,outside) 212.19.133.228 192.168.0.3 netmask 255.255.255.255 0 0
> > > static (inside,outside) 212.19.133.231 192.168.0.4 netmask 255.255.255.255 0 0
> > > access-group check in interface outside
> > > route outside 0.0.0.0 0.0.0.0 212.19.133.225 1
> > > timeout xlate 3:00:00
> > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> > > timeout uauth 0:05:00 absolute
> > > aaa-server TACACS+ protocol tacacs+
> > > aaa-server RADIUS protocol radius
> > > no snmp-server location
> > > no snmp-server contact
> > > snmp-server community public
> > > no snmp-server enable traps
> > > floodguard enable
> > > sysopt connection permit-ipsec
> > > no sysopt route dnat
> > > crypto ipsec transform-set standard esp-des esp-md5-hmac
> > > crypto map peer_map 10 ipsec-isakmp
> > > crypto map peer_map 10 match address 102
> > > crypto map peer_map 10 set peer 212.46.19.194
> > > crypto map peer_map 10 set transform-set standard
> > > isakmp enable outside
> > > isakmp key l9k834 address 212.46.19.194 netmask 255.255.255.255
> > > isakmp identity address
> > > isakmp policy 10 authentication pre-share
> > > isakmp policy 10 encryption des
> > > isakmp policy 10 hash md5
> > > isakmp policy 10 group 1
> > > isakmp policy 10 lifetime 3600
> > > telnet 192.168.0.0 255.255.255.0 inside
> > > telnet timeout 15
> > > terminal width 80
> > >
> > >
> > >
> > >
> === message truncated ===




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=7526&t=6895
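The trade-off raised in the reply above (interface PAT on 5.2(3) versus giving up a registered address for a dedicated PAT global), as an added example that is not part of the original thread. The function name `audit_pat` is hypothetical, the sample is constructed from lines of the configuration quoted in the thread, and the version match relies only on the thread's statement that CSCdt28219 affects 5.2(3).

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the configuration quoted in the thread.
SAMPLE_CONFIG = """\
PIX Version 5.2(3)
ip address outside 212.19.133.226 255.255.255.240
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) 212.19.133.227 192.168.0.2 netmask 255.255.255.255 0 0
static (inside,outside) 212.19.133.228 192.168.0.3 netmask 255.255.255.255 0 0
static (inside,outside) 212.19.133.231 192.168.0.4 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 212.19.133.225 1
"""

AFFECTED_VERSION = "5.2(3)"  # assumption: the only version the thread names


def audit_pat(config, ifname="outside"):
    """Flag interface PAT on the affected version and list spare addresses."""
    version = re.search(r"^PIX Version (\S+)", config, re.M).group(1)
    addr, mask = re.search(
        rf"^ip address {ifname} (\S+) (\S+)", config, re.M).groups()
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    used = {ipaddress.ip_address(addr)}
    # Static translations and next hops on this interface consume addresses too.
    used.update(ipaddress.ip_address(m) for m in re.findall(
        rf"^static \(\w+,{ifname}\) (\S+)", config, re.M))
    used.update(ipaddress.ip_address(m) for m in re.findall(
        rf"^route {ifname} \S+ \S+ (\S+)", config, re.M))
    # Assumes each global names "interface" or a single address, not a range.
    globals_ = re.findall(rf"^global \({ifname}\) (\d+) (\S+)", config, re.M)
    iface_pat = [nat_id for nat_id, target in globals_ if target == "interface"]
    used.update(ipaddress.ip_address(t) for _, t in globals_ if t != "interface")
    free = [str(h) for h in net.hosts() if h not in used]
    return {
        "version": version,
        "interface_pat_ids": iface_pat,
        "bug_suspect": version == AFFECTED_VERSION and bool(iface_pat),
        "free_addresses": free,
    }


if __name__ == "__main__":
    before = audit_pat(SAMPLE_CONFIG)
    after = audit_pat(SAMPLE_CONFIG.replace(
        "global (outside) 1 interface", "global (outside) 1 212.19.133.230"))
    print(before["bug_suspect"], len(before["free_addresses"]))
    print(after["bug_suspect"], len(after["free_addresses"]))
```

On the /28 in the thread the workaround leaves eight unassigned registered addresses instead of nine, which is the cost of not sharing the interface address.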