-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Your pix should have come with a manual.

First of all get PAT running so internal users can use the internet. 

All external users will be blocked.

If you want to ping, you need to type

ping outside 

You need to be very careful when allowing access from the
outside... for instance, if you have a mail server or a web server, set
up access lists, then apply them to the interface.

Remember, a pix comes with DENY/DENY ANY.  You have to open it up.

-----Original Message-----
From: Craig Columbus [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 14, 2002 12:41 PM
To: [EMAIL PROTECTED]
Subject: RE: Question on PIX 501 [7:38246]


You'll need to open any ports that you want passed, no matter the
direction.  You can do this in bulk by specifying "access-list inside
permit ip any any" and verifying that the access-list is applied to
the inside interface with "access-list inside in interface inside".
This will allow outbound traffic from any inside host and allow
established traffic to come back in and reach the originator.  You
probably don't want to do this in practice since it's playing fast and
loose with your security.

Hope this helps,
Craig

At 01:42 PM 3/14/2002 -0500, you wrote:
>Mark,
>
>My original question that I sent to the group somehow got lost.  Ole
>was kind enough to respond to a direct query regarding to some fun I
>am having with installing a Pix (501) for the first time.  My
>firewall background is SonicWall and Watchguard, both are very
>simple in configuration and work directly out of the box.
>
>I was under the impression it was pretty much plug and play, so I
>decided to test it by putting it between my PC and the rest of the
>LAN.  However, after the initial setup, the Pix passed no
>information through it.  So I went to a ping to start the
>troubleshooting.  The curious (to me) issue was that from the
>console or the PDM of the Pix I can ping network addresses on both
>sides of the Pix.  From the inside of the Pix, I cannot ping (or
>browse the web) through the Pix.  I cannot even ping the outside
>interface of the Pix from the inside interface.  The specific
>question is this ... is additional configuration of the Pix required
>to permit access from the inside interface to the outside interface
>and beyond?
>
>To expand on the topic you and Ole are discussing, is the use of the
>conduits (or access-lists) required for each and every type of
>service I want to send from the inside to the outside?  I have no
>problem researching the commands to learn how it is done, I just
>want to make certain I am on the right path.
>
>Thanks,
>
>Justin
>
>
>From: "Mark Odette II"
>Reply-To: "Mark Odette II"
>To: [EMAIL PROTECTED]
>Subject: RE: Question on PIX 501 [7:38246]
>Date: Thu, 14 Mar 2002 12:45:59 -0500
>
>Forgive me for not reading the book yet, as I've been quite busy
>too... but, I have a question in regards to the config line you
>gave.
>
>I've used the PDM so far to do most of the configuration of my PIX,
>and it creates access-lists rather than conduits.  I know from others
>I've talked with that Cisco is moving from conduits to access-lists
>on the PIX configs... this is the question
>
>I configure to allow ICMP any(Outside) any(Inside) = Echo Reply
>                    ICMP any(Outside) any(Inside) = Time Exceeded
>                    ICMP any(Outside) any(Inside) = Unreachable
>
>Does this do the same thing as what you were saying about "conduit
>permit any any X"??
>
>I think it does, but just want to make sure that I haven't opened up
>ICMP completely with it being initiated from the outside.
>
>Thanks!
>Mark
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf
>Of Ole Drews Jensen
>Sent: Thursday, March 14, 2002 10:42 AM
>To: [EMAIL PROTECTED]
>Subject: RE: Question on PIX 501 [7:38246]
>
>
>Hi Justin,
>
>When you ping, you use the ICMP protocol.
>
>When A pings B, A sends ICMP echo-request (number 8) to B, and B
>sends ICMP echo-reply (number 0) back to A.
>
>The PIX does not allow ICMP traffic to come from the outside to the
>inside, so to change that, you will need to open up for ICMP number
>0 (echo-reply).  
>
>The command for that is:
>
>         conduit permit icmp any any 0
>
>This is a good way to do it, because then you allow outside devices
>to reply to your request, but they are not allowed to do a PING
>themself. If you want PING to work both ways, simply use this
>command:
>
>         conduit permit icmp any any
>
>Hth,
>
>Ole
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   Ole Drews Jensen
>   Systems Network Manager
>   CCNP, MCSE, MCP+I
>   RWR Enterprises, Inc.
>   [EMAIL PROTECTED]
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   http://www.RouterChief.com
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   NEED A JOB ???
>   http://www.oledrews.com/job
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>
>
>
>-----Original Message-----
>From: Justin C [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, March 14, 2002 10:10 AM
>To: [EMAIL PROTECTED]
>Subject: RE: Question on PIX 501
>
>
>Ole,
>
>Thanks for the reply.  I understand being busy.  I normally try to
>solve these things all on my own, but I just don't have the
>available time.  I spent six hours on it yesterday.
>
>Justin
>
>
>From: Ole Drews Jensen
>To: 'Justin C'
>Subject: RE: Question on PIX 501
>Date: Thu, 14 Mar 2002 08:08:30 -0600
>
>I did receive the message - I do not know why groupstudy did not.
>
>I apologize for not getting back with you yesterday, but I am so
>busy these days, as there are many projects I have to finish.
>
>I will see if I can find a couple of minutes to read your entire
>e-mail from yesterday, and help you out.
>
>Try the [EMAIL PROTECTED] again.
>
>Ole
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   Ole Drews Jensen
>   Systems Network Manager
>   CCNP, MCSE, MCP+I
>   RWR Enterprises, Inc.
>   [EMAIL PROTECTED]
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>    http://www.RouterChief.com
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   NEED A JOB ???
>    http://www.oledrews.com/job
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>
>
>
>-----Original Message-----
>From: Justin C [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, March 14, 2002 8:14 AM
>To: [EMAIL PROTECTED]
>Subject: Question on PIX 501
>
>
>Ole,
>
>I apologize in advance for yet another direct message.  I am just
>wondering if you did get the message regarding the Pix 501 as
>groupstudy has not.  
>
>I dislike having to message direct, but I am really scratching my
>head over this, so any help you can offer would be greatly
>appreciated.  In a nutshell, have you worked with a 501?  If so, was
>it plug and play, or did you have to perform additional
>configuration to get it to work?
>
>My thanks in advance for your time.
>
>Justin Cluer
>
[EMAIL PROTECTED]

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use 

iQA/AwUBPJE6TZjWtn+JGXXMEQK4vwCeJrxUksfcgMKvifkWhjOoQ3DJipcAoOzV
Swj22Gjerx8LftGHQGczfVoa
=NGpY
-----END PGP SIGNATURE-----
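The pieces of configuration the thread talks about (PAT so inside hosts can reach the internet, an access-list that admits only ICMP replies from the outside, and an outbound list on the inside interface) pulled together into one PIX 6.x fragment. This is an added example, not the configuration of anyone posting in the thread; the interface names, addresses (192.168.1.0/24 inside, 203.0.113.2 outside, 203.0.113.1 as the upstream gateway, 192.168.1.25 as a mail host) and list names are assumed for illustration. Two points the thread does not spell out: the command that binds a list to an interface is access-group, not access-list, and a PIX does not answer pings addressed to its far-side interface, so being unable to ping the outside interface from the inside is expected and is not by itself a sign of misconfiguration.

```cisco
! Added example (not from any post in this thread). PIX 6.x syntax;
! addresses, hosts and list names are assumed for illustration.
!
! --- Interfaces. A 501 has two: e0 outside (security 0), e1 inside (100).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! --- PAT: every inside host leaves with the outside interface address.
!     Without a translation the inside hosts pass nothing at all.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! --- Outside to inside is denied by default. Admit only the three ICMP
!     reply types from Mark's PDM rules; echo-request from the outside
!     is still dropped, so outside hosts cannot ping in.
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
! (older conduit equivalent of the first line: conduit permit icmp any any 0)
access-group outside_in in interface outside
!
! --- Outbound. Craig's blanket form would be:
!       access-list inside_out permit ip any any
!     Tighter form: only web, DNS and outbound ping from the LAN.
!     Once a list is bound to inside, anything not permitted here is dropped.
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-list inside_out permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_out permit icmp 192.168.1.0 255.255.255.0 any echo
access-group inside_out in interface inside
!
! --- Publishing a mail server, as the top post describes: a static
!     translation plus one inbound rule appended to the same outside list.
static (inside,outside) 203.0.113.25 192.168.1.25 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.25 eq smtp
```

Check the result from the console with `show access-list` (hit counts per line tell you which rule is matching) and `show xlate` (a PAT entry must appear for an inside host before its traffic can cross). If pings from the inside still fail after this, it is the echo-reply line that is missing or unbound, not the outbound list.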




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38321&t=38246
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
