Re: traffic can't cross pix [7:6895]

This may appear twice now but my previous attempt seems to have gone missing:

Thanks for letting us know the outcome. Interesting that the interface command caused problems. Only thing is now you're not using the external interface address of the pix to do the PAT. Depends how many registered addresses you can afford to lose.

After writing that just checked CCO. Looks like this is a bug on 5.2(3).

Problem: Internal hosts cannot ping outside devices with interface PAT
Solution: Upgrade to a version with the fix.
Bug ID is CSCdt28219

Regards,
Gaz

"pat" wrote in message news:[EMAIL PROTECTED]...
> Thanks a lot for everybody's help.
>
> I did clear xlate & changed following command as suggested by Rick & I think that fixed the problem.
>
> It is really strange...!!!
>
> I changed original command
>
> global (outside) 1 interface
>
> to new command
>
> global (outside) 1 212.19.133.230
>
> --- Gareth Hinton wrote:
> > Hi Pat,
> >
> > Just so you don't think you're being ignored, I've sifted through every line, as much as anything to convert myself to the newer commands for the pix.
> > I'm stuck as well. Can't see anything wrong with the config.
> > I take it you already did a clear xlate/reload.
> > What does show xlate give you?
> >
> > Let us know the outcome.
> >
> > Gaz
> >
> > "pat" wrote in message news:[EMAIL PROTECTED]...
> > > I have this problem. I can't ping anything outside the pix from machines inside. Pix inside IP is the default gateway for all the machines & they can ping the gateway. I can also ping outside world from pix. What is causing this problem...? I have pasted pix configs below. This is new pix & it never worked before. I have seen identical pix configs working earlier.
> > >
> > > thanks_
> > >
> > > PIX Version 5.2(3)
> > > nameif ethernet0 outside security0
> > > nameif ethernet1 inside security100
> > > hostname pix-con
> > > fixup protocol ftp 21
> > > fixup protocol http 80
> > > fixup protocol h323 1720
> > > fixup protocol rsh 514
> > > fixup protocol smtp 25
> > > fixup protocol sqlnet 1521
> > > fixup protocol sip 5060
> > > names
> > > access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
> > > access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
> > > access-list check permit tcp any host 212.19.133.231 eq www
> > > access-list check permit tcp any host 212.19.133.227 eq smtp
> > > access-list check permit tcp any host 212.19.133.228 eq pop3
> > > access-list check permit icmp any any
> > > pager lines 24
> > > logging on
> > > no logging timestamp
> > > no logging standby
> > > no logging console
> > > no logging monitor
> > > logging buffered warnings
> > > no logging trap
> > > no logging history
> > > logging facility 20
> > > logging queue 512
> > > interface ethernet0 auto
> > > interface ethernet1 auto
> > > mtu outside 1500
> > > mtu inside 1500
> > > ip address outside 212.19.133.226 255.255.255.240
> > > ip address inside 192.168.0.1 255.255.255.0
> > > ip audit info action alarm
> > > ip audit attack action alarm
> > > arp timeout 14400
> > > global (outside) 1 interface
> > > nat (inside) 0 access-list 101
> > > nat (inside) 1 192.168.0.0 255.255.255.0 0 0
> > > static (inside,outside) 212.19.133.227 192.168.0.2 netmask 255.255.255.255 0 0
> > > static (inside,outside) 212.19.133.228 192.168.0.3 netmask 255.255.255.255 0 0
> > > static (inside,outside) 212.19.133.231 192.168.0.4 netmask 255.255.255.255 0 0
> > > access-group check in interface outside
> > > route outside 0.0.0.0 0.0.0.0 212.19.133.225 1
> > > timeout xlate 3:00:00
> > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> > > timeout uauth 0:05:00 absolute
> > > aaa-server TACACS+ protocol tacacs+
> > > aaa-server RADIUS protocol radius
> > > no snmp-server location
> > > no snmp-server contact
> > > snmp-server community public
> > > no snmp-server enable traps
> > > floodguard enable
> > > sysopt connection permit-ipsec
> > > no sysopt route dnat
> > > crypto ipsec transform-set standard esp-des esp-md5-hmac
> > > crypto map peer_map 10 ipsec-isakmp
> > > crypto map peer_map 10 match address 102
> > > crypto map peer_map 10 set peer 212.46.19.194
> > > crypto map peer_map 10 set transform-set standard
> > > isakmp enable outside
> > > isakmp key l9k834 address 212.46.19.194 netmask 255.255.255.255
> > > isakmp identity address
> > > isakmp policy 10 authentication pre-share
> > > isakmp policy 10 encryption des
> > > isakmp policy 10 hash md5
> > > isakmp policy 10 group 1
> > > isakmp policy 10 lifetime 3600
> > > telnet 192.168.0.0 255.255.255.0 inside
> > > telnet timeout 15
> > > terminal width 80
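As an added example that is not part of the thread (my code, not pat's, Gaz's or Cisco's): a small Python audit that parses a PIX 5.x configuration like the one pasted above, flags `global (outside) 1 interface` on 5.2(3) as the CSCdt28219 condition Gaz found on CCO, and derives the workaround pat applied, a dedicated global address that lies inside the outside subnet and collides with neither the interface address, the static translations nor the default-route next hop. It also flags the `permit icmp any any` line Mike mentions, since on the inbound ACL it admits every ICMP type from any source, not only the echo replies inside hosts wait for. Assumptions of mine: only the version the thread names, 5.2(3), is treated as affected (other releases are reported as "confirm", not asserted), and the sample configuration is a constructed excerpt of the posted one.

```python
# Added example, not code from the thread. Audits a pasted PIX 5.x config for
# interface PAT on 5.2(3) (CSCdt28219, as identified above) and derives the
# workaround pat used: a dedicated, unused global address in the outside subnet.
# Assumption (mine): only the version the thread names, 5.2(3), is treated as affected.
import ipaddress
import re

AFFECTED_VERSIONS = {"5.2(3)"}

# Constructed sample: the NAT-relevant lines of the configuration posted in the thread.
SAMPLE_CONFIG = """\
PIX Version 5.2(3)
access-list check permit tcp any host 212.19.133.231 eq www
access-list check permit icmp any any
ip address outside 212.19.133.226 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) 212.19.133.227 192.168.0.2 netmask 255.255.255.255 0 0
static (inside,outside) 212.19.133.228 192.168.0.3 netmask 255.255.255.255 0 0
static (inside,outside) 212.19.133.231 192.168.0.4 netmask 255.255.255.255 0 0
access-group check in interface outside
route outside 0.0.0.0 0.0.0.0 212.19.133.225 1
"""


def parse_config(text):
    """Extract version, interface addresses, global pools, statics, routes and ACLs."""
    cfg = {"version": None, "interfaces": {}, "globals": [], "statics": [],
           "routes": [], "acl": [], "access_groups": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"PIX Version (\S+)$", line):
            cfg["version"] = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            cfg["interfaces"][m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
        elif m := re.match(r"global \((\S+)\) (\d+) (\S+)", line):
            cfg["globals"].append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+)\s", line):
            cfg["statics"].append((m.group(2), m.group(3)))      # (outer interface, mapped address)
        elif m := re.match(r"route (\S+) \S+ \S+ (\S+)", line):
            cfg["routes"].append((m.group(1), m.group(2)))       # (interface, next hop)
        elif m := re.match(r"access-list (\S+) (permit|deny) (\S+) (.*)$", line):
            cfg["acl"].append(m.groups())                        # (name, action, proto, rest)
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            cfg["access_groups"][m.group(2)] = m.group(1)
    return cfg


def used_addresses(cfg, ifname):
    """Addresses already spoken for on ifname: its own IP, statics mapped onto it,
    next hops reached through it and any dedicated global pool already defined."""
    used = {cfg["interfaces"][ifname].ip}
    used |= {ipaddress.ip_address(a) for ifc, a in cfg["statics"] if ifc == ifname}
    used |= {ipaddress.ip_address(nh) for ifc, nh in cfg["routes"] if ifc == ifname}
    used |= {ipaddress.ip_address(a) for ifc, _, a in cfg["globals"]
             if ifc == ifname and a != "interface"}
    return used


def check_global_address(cfg, ifname, addr):
    """None if addr can serve as a dedicated PAT address on ifname, otherwise the reason."""
    net = cfg["interfaces"][ifname].network
    ip = ipaddress.ip_address(addr)
    if ip not in net:
        return f"{addr} is not in the {ifname} subnet {net}"
    if ip in (net.network_address, net.broadcast_address):
        return f"{addr} is the network or broadcast address of {net}"
    if ip in used_addresses(cfg, ifname):
        return f"{addr} is already in use on {ifname}"
    return None


def propose_global(cfg, ifname, nat_id):
    """Lowest free host address in ifname's subnet, formatted as the replacement line."""
    for host in cfg["interfaces"][ifname].network.hosts():
        if check_global_address(cfg, ifname, str(host)) is None:
            return f"global ({ifname}) {nat_id} {host}"
    return None


def audit(text):
    """Return (severity, message) findings for the posted configuration."""
    cfg = parse_config(text)
    findings = []
    for ifname, nat_id, addr in cfg["globals"]:
        if addr != "interface":
            continue
        if cfg["version"] in AFFECTED_VERSIONS:
            fix = propose_global(cfg, ifname, nat_id)
            findings.append(("high", f"PIX {cfg['version']} uses interface PAT on {ifname}: "
                                     f"CSCdt28219, inside hosts cannot ping out. Upgrade or use '{fix}'"))
        else:
            findings.append(("info", f"interface PAT on {ifname}; confirm CSCdt28219 status for {cfg['version']}"))
    # Mike's point above: 'permit icmp any any' on the inbound ACL admits every ICMP type
    # from anywhere, not only the echo replies the inside hosts are waiting for.
    for ifname, acl in cfg["access_groups"].items():
        for name, action, proto, rest in cfg["acl"]:
            if name == acl and action == "permit" and proto == "icmp" and rest.strip() == "any any":
                findings.append(("medium", f"ACL {acl} on {ifname} permits all ICMP inbound from any source"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the posted configuration it proposes 212.19.133.229, the lowest address in 212.19.133.224/28 not taken by the gateway (.225), the interface (.226) or the statics (.227, .228, .231); pat's choice of .230 passes `check_global_address` for the same reason. The subnet check matters because the PIX answers ARP for its global addresses on the outside interface, so an address outside that subnet would never receive return traffic.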
Re: traffic can't cross pix [7:6895]

Thanks a lot for everybody's help.

I did clear xlate & changed following command as suggested by Rick & I think that fixed the problem.

It is really strange...!!!

I changed original command

global (outside) 1 interface

to new command

global (outside) 1 212.19.133.230

--- Gareth Hinton wrote:
> Hi Pat,
>
> Just so you don't think you're being ignored, I've sifted through every line, as much as anything to convert myself to the newer commands for the pix.
> I'm stuck as well. Can't see anything wrong with the config.
> I take it you already did a clear xlate/reload.
> What does show xlate give you?
>
> Let us know the outcome.
>
> Gaz
>
> "pat" wrote in message news:[EMAIL PROTECTED]...
> > I have this problem. I can't ping anything outside the pix from machines inside. Pix inside IP is the default gateway for all the machines & they can ping the gateway. I can also ping outside world from pix. What is causing this problem...? I have pasted pix configs below. This is new pix & it never worked before. I have seen identical pix configs working earlier.
> >
> > thanks_
> >
> > [PIX 5.2(3) configuration snipped; it is quoted in full in the first message of this thread above]
Re: traffic can't cross pix [7:6895]

Hello Pat,

I concur with Gaz, the config looks fine. We are running the same version of Finesse on some of our PIX 515s with similar configs, and can pass icmp traffic. By adding the line permit icmp any any it punches a hole in the ACL and allows the echo reply back in.

I would try, as suggested by Gaz, clear xlate. Also, to make sure translation isn't failing and to watch the icmp traffic: debug icmp trace.

Thanks,
Mike Nygard

"pat" wrote in message news:[EMAIL PROTECTED]...
> I have this problem. I can't ping anything outside the pix from machines inside. Pix inside IP is the default gateway for all the machines & they can ping the gateway. I can also ping outside world from pix. What is causing this problem...? I have pasted pix configs below. This is new pix & it never worked before. I have seen identical pix configs working earlier.
>
> thanks_
>
> [PIX 5.2(3) configuration snipped; it is quoted in full in the first message of this thread above]
Re: traffic can't cross pix [7:6895]

Hi

Call TAC or search CCO. There is an ICMP bug in the 5.2 and 5.3 code. This _might_ be the problem.

HTH
--
John Hardman CCNP MCSE

"pat" wrote in message news:[EMAIL PROTECTED]...
> I have this problem. I can't ping anything outside the pix from machines inside. Pix inside IP is the default gateway for all the machines & they can ping the gateway. I can also ping outside world from pix. What is causing this problem...? I have pasted pix configs below. This is new pix & it never worked before. I have seen identical pix configs working earlier.
>
> thanks_
>
> [PIX 5.2(3) configuration snipped; it is quoted in full in the first message of this thread above]
Re: traffic can't cross pix [7:6895]

Hi Pat,

Just so you don't think you're being ignored, I've sifted through every line, as much as anything to convert myself to the newer commands for the pix.
I'm stuck as well. Can't see anything wrong with the config.
I take it you already did a clear xlate/reload.
What does show xlate give you?

Let us know the outcome.

Gaz

"pat" wrote in message news:[EMAIL PROTECTED]...
> I have this problem. I can't ping anything outside the pix from machines inside. Pix inside IP is the default gateway for all the machines & they can ping the gateway. I can also ping outside world from pix. What is causing this problem...? I have pasted pix configs below. This is new pix & it never worked before. I have seen identical pix configs working earlier.
>
> thanks_
>
> [PIX 5.2(3) configuration snipped; it is quoted in full in the first message of this thread above]