The following is the script that you must put in when the inside network 172.16.1.0 wants to access HTTP outside and ping outside:

access-list inside_access_in permit tcp 172.16.1.0 255.255.255.0 any eq 80
access-list inside_access_in permit udp 172.16.1.0 255.255.255.0 any eq 53
access-list inside_access_in permit icmp 172.16.1.0 255.255.255.0 any
access-list outside_access_in permit icmp any any echo-reply
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside


"Symon Thurlow"
Sent by: nobody@groupstudy.com
01/14/2003 10:40 AM
Please respond to "Symon Thurlow"

To: [EMAIL PROTECTED]
Subject: RE: Learning PIX [7:60919]


Yes to all!

-----Original Message-----
From: Daniel Cotts [mailto:[EMAIL PROTECTED]]
Sent: 13 January 2003 18:05
To: Symon Thurlow; [EMAIL PROTECTED]
Subject: RE: Learning PIX [7:60919]

Can the PIX ping hosts out on the Internet?
Can the PIX ping an internal host?
Can that host ping the internal interface of the PIX?

> -----Original Message-----
> From: Symon Thurlow [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 13, 2003 11:31 AM
> To: Daniel Cotts; [EMAIL PROTECTED]
> Subject: RE: Learning PIX [7:60919]
>
> Hi,
>
> I have done both, and it still does not work! I have a Linux box on the
> external segment, and I can ping the external interface of the PIX from
> it. I can also ping the Linux box from the PIX, but not through it.
>
> I get the feeling the answer to this will be a doh!, but I can't see it
> at the moment.
>
> Symon
>
> -----Original Message-----
> From: Daniel Cotts [mailto:[EMAIL PROTECTED]]
> Sent: 13 January 2003 15:31
> To: Symon Thurlow; [EMAIL PROTECTED]
> Subject: RE: Learning PIX [7:60919]
>
> Good to do a "show interface" to make sure they are up.
> Might want to do a "conduit permit icmp any any" to do some ping tests.
> I'm assuming that your outside interface is reachable from the Internet.
> Verified?
>
> > -----Original Message-----
> > From: Symon Thurlow [mailto:[EMAIL PROTECTED]]
> > Sent: Sunday, January 12, 2003 7:57 PM
> > To: [EMAIL PROTECTED]
> > Subject: Learning PIX [7:60919]
> >
> > Hi guys,
> >
> > I have begun to study the PIX. I have had exposure to them recently,
> > through a couple of 515e's, and had no problem configuring them (with
> > PDM...). I have plenty of firewall experience, but very little with PIX.
> >
> > I now have a 520 with a 2MB flash card that I am using for study. This
> > machine came with the 5.1(2) code, so no PDM. This is good, as I want
> > to learn to configure and troubleshoot them via command line anyway.
> >
> > I am following a Cisco Press PIX book, just to cut my teeth and start
> > to learn the commands. I have 3 interfaces in the 520.
> >
> > I have created a very simple configuration that should allow anyone
> > internally to get access to the Internet, globally NATing to one valid
> > address. I want to get this working before getting into more detail.
> >
> > When I try to gain access to the Internet through the PIX, it does not
> > work. I have put a packet sniffer on the external segment and cannot
> > see any traffic coming from the PIX. If I do a show xlate I see nothing.
> > I am sending debug info to a SYSLOG server, but again see nothing
> > (except for when I wr mem etc).
> >
> > I have pasted the config below; can any of you see where I might be
> > going wrong? I have tried a few different ways to make this happen,
> > even copying sample configs from CCO, but I can't seem to make it work.
> >
> > I am not looking for the answer, more a helping hand to point me in
> > the right direction.
> >
> > Cheers,
> >
> > Symon
> >
> > PIX Version 5.1(2)
> > nameif ethernet0 outside security0
> > nameif ethernet1 inside security100
> > nameif ethernet2 DMZ security50
> > enable password xxxxx
> > passwd xxxxx
> > hostname PIX1E
> > fixup protocol ftp 21
> > fixup protocol http 80
> > fixup protocol h323 1720
> > fixup protocol rsh 514
> > fixup protocol smtp 25
> > fixup protocol sqlnet 1521
> > names
> > pager lines 24
> > logging on
> > logging timestamp
> > no logging standby
> > logging console debugging
> > logging monitor debugging
> > logging buffered debugging
> > logging trap debugging
> > logging history debugging
> > logging facility 20
> > logging queue 512
> > logging host inside 172.16.1.56
> > interface ethernet0 auto
> > interface ethernet1 auto
> > interface ethernet2 auto shutdown
> > mtu outside 1500
> > mtu inside 1500
> > mtu DMZ 1500
> > ip address outside 217.204.228.199 255.255.255.240
> > ip address inside 172.16.1.151 255.255.255.0
> > ip address DMZ 127.0.0.1 255.255.255.255
> > no failover
> > failover timeout 0:00:00
> > failover ip address outside 0.0.0.0
> > failover ip address inside 0.0.0.0
> > failover ip address DMZ 0.0.0.0
> > arp timeout 14400
> > global (outside) 1 217.204.228.201
> > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > route outside 0.0.0.0 0.0.0.0 217.204.228.193 1
> > timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
> > timeout rpc 0:10:00 h323 0:05:00 timeout uauth 0:05:00 absolute
> > aaa-server TACACS+ protocol tacacs+
> > aaa-server RADIUS protocol radius
> > no snmp-server location
> > no snmp-server contact
> > snmp-server community public
> > no snmp-server enable traps
> > floodguard enable
> > isakmp identity hostname
> > telnet 172.16.1.0 255.255.255.0 inside
> > telnet 172.16.1.0 255.255.255.0 DMZ
> > telnet timeout 15
> > terminal width 80
> > Cryptochecksum:a83be0bed7aa987b7341550e07870a51

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61001&t=60919
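To see what the six access-list/access-group lines at the top of the reply actually let through, here is an added example (not code from the thread or from Cisco) that parses that subset of PIX access-list syntax and evaluates sample flows the way a PIX does: first match wins, and every access-group ends in an implicit deny. The point worth seeing is the side effect of binding an ACL inbound on the inside interface: it replaces the default "higher security to lower security is allowed" behaviour, so anything not listed (HTTPS in the sample below) is now dropped, while the outside ACL admits echo-reply and nothing else, which is why the reply-direction line is needed on a PIX of this vintage. The `Ace` class, the `permitted()` function, the flow fields, and the 198.51.100.x outside addresses are constructed for this example; only the ACL lines and the 217.204.228.201 global address come from the page.

```python
"""Evaluate a subset of PIX (pre-7.x) access-list syntax against sample flows.

Added example, not code from the GroupStudy thread or from Cisco. It models
only what the posted lines use: 'access-list NAME permit|deny PROTO SRC SMASK
DST DMASK [eq PORT | ICMP-TYPE]' with 'any' as shorthand, plus
'access-group NAME in interface IFNAME'. Matching is first-match with an
implicit deny at the end, which is how a PIX evaluates a bound access-list.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# The six lines from the reply at the top of the thread, verbatim.
CONFIG = """
access-list inside_access_in permit tcp 172.16.1.0 255.255.255.0 any eq 80
access-list inside_access_in permit udp 172.16.1.0 255.255.255.0 any eq 53
access-list inside_access_in permit icmp 172.16.1.0 255.255.255.0 any
access-list outside_access_in permit icmp any any echo-reply
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
"""


@dataclass
class Ace:
    """One access-list entry (a constructed model, not a PIX data structure)."""
    action: str                     # 'permit' or 'deny'
    proto: str                      # 'tcp', 'udp', 'icmp' or 'ip'
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int] = None      # destination port given with 'eq'
    icmp_type: Optional[str] = None  # e.g. 'echo-reply'


def _net(tokens, i):
    """Parse 'any' or 'ADDR MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # PIX writes a dotted netmask, which ipaddress accepts directly.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse(config: str):
    """Return (acls, bindings): ACL name -> ACE list, interface -> ACL name."""
    acls: Dict[str, List[Ace]] = {}
    bindings: Dict[str, str] = {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":
            name, action, proto = t[1], t[2], t[3]
            src, i = _net(t, 4)
            dst, i = _net(t, i)
            ace = Ace(action, proto, src, dst)
            if i < len(t):
                if t[i] == "eq":
                    ace.port = int(t[i + 1])
                else:
                    ace.icmp_type = t[i]
            acls.setdefault(name, []).append(ace)
        elif t[0] == "access-group" and t[2] == "in" and t[3] == "interface":
            bindings[t[4]] = t[1]
    return acls, bindings


def permitted(acls, bindings, iface, proto, src, dst, port=None, icmp_type=None):
    """First-match evaluation of the ACL bound inbound on `iface`.

    Returns True/False for a bound ACL. With no ACL bound the PIX falls back
    to its security-level default, which this model does not reproduce, so
    it returns None to make that case visible rather than guessing.
    """
    name = bindings.get(iface)
    if name is None:
        return None
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acls[name]:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.port is not None and ace.port != port:
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        return ace.action == "permit"
    return False  # implicit deny at the end of every PIX access-list


def check_flows():
    """Constructed sample flows: inside host from the posted /24, outside host
    in the 198.51.100.0/24 documentation range, replies to the posted global."""
    acls, bindings = parse(CONFIG)
    inside, outside, glob = "172.16.1.56", "198.51.100.10", "217.204.228.201"
    return {
        "http_out": permitted(acls, bindings, "inside", "tcp", inside, outside, port=80),
        "dns_out": permitted(acls, bindings, "inside", "udp", inside, outside, port=53),
        "https_out": permitted(acls, bindings, "inside", "tcp", inside, outside, port=443),
        "ping_out": permitted(acls, bindings, "inside", "icmp", inside, outside, icmp_type="echo"),
        "reply_in": permitted(acls, bindings, "outside", "icmp", outside, glob, icmp_type="echo-reply"),
        "echo_in": permitted(acls, bindings, "outside", "icmp", outside, glob, icmp_type="echo"),
    }


if __name__ == "__main__":
    for flow, ok in check_flows().items():
        print(f"{flow:10s} {'permit' if ok else 'deny'}")
```

Running it shows `https_out` denied by the implicit deny on `inside_access_in` and `echo_in` denied on `outside_access_in`: the inside ACL is a whitelist of exactly HTTP, DNS and ICMP, so any further service the 172.16.1.0 network needs has to be added as another `permit` line before the access-group will pass it.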