An update,

Even with "debug ICMP trace" enabled, if I try to ping through the PIX
(I have conduit permit icmp any any) I see nothing. Also, using a sniffer
on the internal segment, I see my ping requests, but no replies.

If I ping the inside interface, I get debug results.

I am starting to think I have a hardware problem.

Symon

-----Original Message-----
From: Symon Thurlow 
Sent: 13 January 2003 01:57
To: [EMAIL PROTECTED]
Subject: Learning PIX [7:60919]


Hi guys,
 
I have begun to study the PIX. I have had exposure to them recently,
through a couple of 515e's, and had no problem configuring them (with
PDM...). I have plenty of Firewall experience, but very little with PIX.
 
I now have a 520 with a 2MB flash card that I am using for study. This
machine came with the 5.1(2) code, so no PDM. This is good, as I want to
learn to configure and troubleshoot them via command line anyway.
 
I am following a Cisco Press PIX book, just to cut my teeth and start to
learn the commands. I have 3 interfaces in the 520.
 
I have created a very simple configuration that should allow anyone
internally to get access to the Internet, globally NATing to one valid
address. I want to get this working before getting into more detail.
 
When I try to gain access to the Internet through the PIX, it does not
work. I have put a packet sniffer on the external segment and cannot
see any traffic coming from the PIX. If I do a show xlate I see nothing.
I am sending debug info to a SYSLOG server, but again see nothing
(except for when I wr mem etc).
 
I have pasted the config below. Can any of you see where I might be
going wrong? I have tried a few different ways to make this happen, even
copying sample configs from CCO, but I can't seem to make it work.
 
I am not looking for the answer, more a helping hand to point me in the
right direction.
 
Cheers,
 
Symon
 
PIX Version 5.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password xxxxx
passwd xxxxx
hostname PIX1E
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging on
logging timestamp
no logging standby
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
logging history debugging
logging facility 20
logging queue 512
logging host inside 172.16.1.56
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 217.204.228.199 255.255.255.240
ip address inside 172.16.1.151 255.255.255.0
ip address DMZ 127.0.0.1 255.255.255.255
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address DMZ 0.0.0.0
arp timeout 14400
global (outside) 1 217.204.228.201
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 217.204.228.193 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp identity hostname
telnet 172.16.1.0 255.255.255.0 inside
telnet 172.16.1.0 255.255.255.0 DMZ
telnet timeout 15
terminal width 80
Cryptochecksum:a83be0bed7aa987b7341550e07870a51

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60970&t=60919