Re: Can't ping outside of PIX [7:15205]---- FIXED [7:15205]
Of course, if you are telneted or sshed through the PIX, a 10-minute xlate timeout will really piss off your users. I think we have ours set to 4 hours.

Rik Guyler wrote in message news:[EMAIL PROTECTED]...

Experience. Those of us that have worked on the PIX line for a number of years think this new-fangled idea of using the outside interface for PAT is pretty slick. We never had that option in the past.

One thing looking at your config: I don't know how big your company is, but I would set the xlate timeout to something a little more reasonable than 24 hours. Something like 30 or 60 minutes or even 10 minutes (my choice). Keeping all of those translations around just ties up memory.

---
Rik Guyler

-----Original Message-----
From: Pierre-Alex [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 08, 2001 8:14 PM
To: [EMAIL PROTECTED]
Subject: RE: Can't ping outside of PIX [7:15205] FIXED [7:15316]

I changed the global statement to another IP address and the PC was able to ping on the Internet. I also removed the inside route and the PC was still able to ping ...

I am curious. Where did you find this information? I used:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v4/pixcfg/pixcncfg.htm

Pierre-Alex

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of cheekin
Sent: Wednesday, August 08, 2001 8:27 AM
To: [EMAIL PROTECTED]
Subject: Re: Can't ping outside of PIX [7:15205]

I think you will need to give a different range of IP addresses for the global statement. The global statement and the outside interface are using the same IP address. I also think that the route inside statement is not necessary in this case. You can use sh route to display the routing table. PIX gurus, correct me if I am wrong.

cheekin

----- Original Message -----
From: Pierre-Alex
To:
Sent: Wednesday, August 08, 2001 11:34
Subject: Can't ping outside of PIX [7:15205]

I have spent all day on the problem below and I still can't see what I did wrong. Can you help?

The PC can ping the inside IP address of the firewall. The firewall can ping the default gateway and anything on the Internet. But I cannot get the PC to ping the outside IP address of the firewall (208.136.247.214) or anything outside like 206.26.90.8.

|PC|(1)--(2)|PIX|(3)-(4)--DSL MODEM

PC (1): ip address 10.1.1.12, subnet mask 255.255.255.0, default gateway 10.1.1.10
PIX (2): ip address 10.1.1.10, subnet mask 255.255.255.0
PIX (3): ip address 208.136.247.214, subnet mask 255.255.255.0
DSL MODEM (4): ip address 208.136.247.1, subnet mask 255.255.255.0

PIX Version 4.0.7
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd kIQggKv8.UiICW/r encrypted
hostname pixfirewall
failover
names
syslog output 20.3
no syslog console
interface ethernet outside 10baset
interface ethernet inside 10baset
ip address inside 10.1.1.10 255.255.255.0
ip address outside 208.136.247.214 255.255.255.0
arp timeout 14400
global 1 208.136.247.214-208.136.247.214
nat 1 0.0.0.0 0.0.0.0 age 10
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 208.136.247.1 1
route inside 0.0.0.0 0.0.0.0 10.1.1.12
timeout xlate 24:00:00 conn 12:00:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00 uauth 0:05:00
no snmp-server location
no snmp-server contact
mtu outside 1500
mtu inside 1500
: end
[OK]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=15457t=15205
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Can't ping outside of PIX [7:15205]---- FIXED [7:15451]
I was reading the CSPFF and CSPFA course notes earlier this week. Just started to pick up on PIX firewall. My understanding is that a host cannot share the same IP address on the same segment. Therefore I thought I ought to use a different IP address for the global statement. You may want to try out Patrick Ramsey's configuration of using the same outside IP address for the global statement.

As for the inside route, I wanted to maintain a single default route. Furthermore, when you sh route, there will be a route pointing to the inside network. That was how I came to the conclusion that you need to change the global statement and remove the inside route statement.

cheekin

----- Original Message -----
From: Pierre-Alex
To: cheekin ;
Sent: Wednesday, August 08, 2001 23:35
Subject: RE: Can't ping outside of PIX [7:15205] FIXED

[...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=15451t=15451
RE: Can't ping outside of PIX [7:15205]---- FIXED [7:15578]
Very insightful, Thanx

Pierre-Alex

-----Original Message-----
From: cheekin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 09, 2001 7:03 AM
To: Pierre-Alex; [EMAIL PROTECTED]
Subject: Re: Can't ping outside of PIX [7:15205] FIXED

[...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=15578t=15578
RE: Can't ping outside of PIX [7:15205]
conduit permit icmp any any

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Pierre-Alex
Sent: Tuesday, August 07, 2001 11:34 PM
To: [EMAIL PROTECTED]
Subject: Can't ping outside of PIX [7:15205]

[...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=15217t=15205
Re: Can't ping outside of PIX [7:15205]
I think you will need to give a different range of IP addresses for the global statement. The global statement and the outside interface are using the same IP address. I also think that the route inside statement is not necessary in this case. You can use sh route to display the routing table. PIX gurus, correct me if I am wrong.

cheekin

----- Original Message -----
From: Pierre-Alex
To:
Sent: Wednesday, August 08, 2001 11:34
Subject: Can't ping outside of PIX [7:15205]

[...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=15229t=15205
Re: Can't ping outside of PIX [7:15205]
You can use the same IP address on the outside as your global statement... But unless you are allowing ICMP on the inside and the outside interface, a ping will not go through... A statement like this would be in order:

access-list inside permit icmp any any
access-list outside permit icmp any any (this is bad juju and not recommended)

Remember you also have to have an access-group for each interface you want to ACL. So something along these lines would work:

access-group inside in interface inside
access-group outside in interface outside

-Patrick

cheekin 08/08/01 09:27AM

[...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=15283t=15205
Re: Can't ping outside of PIX [7:15205]
Looks ok to me but I tend to agree with cheekin. Try subnetting to a .128 to divide your IP range in 2 so you have half for the global range and half for the equipment on the LAN. If nothing else, just to see if that eliminates your problem for troubleshooting purposes.

----- Original Message -----
From: cheekin
To:
Sent: Wednesday, August 08, 2001 8:27 AM
Subject: Re: Can't ping outside of PIX [7:15205]

[...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=15280t=15205
RE: Can't ping outside of PIX [7:15205]---- FIXED [7:15316]
I changed the global statement to another IP address and the PC was able to ping on the Internet. I also removed the inside route and the PC was still able to ping ...

I am curious. Where did you find this information? I used:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v4/pixcfg/pixcncfg.htm

Pierre-Alex

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of cheekin
Sent: Wednesday, August 08, 2001 8:27 AM
To: [EMAIL PROTECTED]
Subject: Re: Can't ping outside of PIX [7:15205]

[...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=15316t=15316
Re: Can't ping outside of PIX [7:15205]
The way I understood his question was he couldn't ping outbound. You can ping outbound by default if you are using NAT. Inbound ping definitely requires access-lists or conduits. But outbound works... everything works outbound.

----- Original Message -----
From: Farhan Ahmed
To: 'Allen May' ;
Sent: Wednesday, August 08, 2001 11:18 AM
Subject: RE: Can't ping outside of PIX [7:15205]

u cannot ping until u put conduit permit statements

[...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=15331t=15205
Re: Can't ping outside of PIX [7:15205]
Hi all,

I'll bow to greater knowledge if I'm wrong, and I may well be, but I didn't think you could use the outside interface address for the global NAT address until much more recently than 4.0.7. If you can spare a couple of IP addresses I would go with:

global (outside) 1 208.136.247.215-208.136.247.216
global (outside) 1 208.136.247.217

Gaz

Patrick Ramsey wrote in message news:[EMAIL PROTECTED]...

[...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=15358t=15205
RE: Can't ping outside of PIX [7:15205]
u cannot ping until u put conduit permit statements

-----Original Message-----
From: Allen May [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 08, 2001 6:29 PM
To: [EMAIL PROTECTED]
Subject: Re: Can't ping outside of PIX [7:15205]

[...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=15323t=15205
RE: Can't ping outside of PIX [7:15205]---- FIXED [7:15205]
Experience. Those of us that have worked on the PIX line for a number of years think this new-fangled idea of using the outside interface for PAT is pretty slick. We never had that option in the past.

One thing looking at your config: I don't know how big your company is, but I would set the xlate timeout to something a little more reasonable than 24 hours. Something like 30 or 60 minutes or even 10 minutes (my choice). Keeping all of those translations around just ties up memory.

---
Rik Guyler

-----Original Message-----
From: Pierre-Alex [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 08, 2001 8:14 PM
To: [EMAIL PROTECTED]
Subject: RE: Can't ping outside of PIX [7:15205] FIXED [7:15316]

[...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=15400t=15205
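The points the thread settles on (cheekin's diagnosis that the global pool reused the outside interface address and that the inside default route was unnecessary, Rik's advice on the 24-hour xlate timeout, and the ICMP conduit/access-list points raised by Farhan and Patrick) can be checked mechanically; the script below is an added example written for this page, not code from the thread or from Cisco. The FIXED_CONFIG sample, its 208.136.247.215 global address and its echo-reply conduit are constructed assumptions, not anything Pierre-Alex posted.

```python
"""Lint a PIX 4.x/5.x-style configuration for the problems raised in this thread."""
import ipaddress

# Pierre-Alex's configuration from the thread, reflowed one statement per
# line; only the statements the checks inspect are kept.
THREAD_CONFIG = """\
PIX Version 4.0.7
hostname pixfirewall
ip address inside 10.1.1.10 255.255.255.0
ip address outside 208.136.247.214 255.255.255.0
global 1 208.136.247.214-208.136.247.214
nat 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 208.136.247.1 1
route inside 0.0.0.0 0.0.0.0 10.1.1.12
timeout xlate 24:00:00 conn 12:00:00 udp 0:02:00
"""

# Constructed: the same box after the thread's suggestions are applied
# (separate global address, single default route, 1-hour xlate, and an
# ICMP conduit limited to echo replies rather than "any any").
FIXED_CONFIG = """\
ip address inside 10.1.1.10 255.255.255.0
ip address outside 208.136.247.214 255.255.255.0
global (outside) 1 208.136.247.215
nat 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 208.136.247.1 1
timeout xlate 1:00:00 conn 12:00:00 udp 0:02:00
conduit permit icmp any any echo-reply
"""


def hms_to_seconds(hms):
    """Convert a PIX timeout value such as '24:00:00' to seconds."""
    hours, minutes, seconds = (int(part) for part in hms.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def ip_range(spec):
    """Parse 'a-b' or 'a' into a (first, last) pair of addresses."""
    first, _, last = spec.partition("-")
    return ipaddress.ip_address(first), ipaddress.ip_address(last or first)


def lint_pix_config(text, max_xlate_seconds=3600):
    """Return (level, message) findings; an empty list means nothing to report."""
    iface_ip = {}          # interface name -> its address
    global_pools = []      # (pool id, first address, last address)
    default_routes = []    # (interface, gateway)
    xlate_seconds = None
    icmp_permits = []      # tokenised conduit/access-list lines permitting icmp

    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith((":", "!")):
            continue
        if tokens[:2] == ["ip", "address"] and len(tokens) >= 4:
            iface_ip[tokens[2]] = ipaddress.ip_address(tokens[3])
        elif tokens[0] == "global":
            # Accept both the 4.x form 'global 1 a-b' and 'global (outside) 1 a-b'.
            args = [a for a in tokens[1:] if not a.startswith("(")]
            if len(args) >= 2:
                global_pools.append((args[0], *ip_range(args[1])))
        elif tokens[0] == "route" and len(tokens) >= 5 and tokens[2] == tokens[3] == "0.0.0.0":
            default_routes.append((tokens[1], tokens[4]))
        elif tokens[0] == "timeout" and "xlate" in tokens:
            xlate_seconds = hms_to_seconds(tokens[tokens.index("xlate") + 1])
        elif tokens[0] in ("conduit", "access-list") and "permit" in tokens and "icmp" in tokens:
            icmp_permits.append(tokens)

    findings = []
    # cheekin's diagnosis: the global pool must not reuse an interface address.
    for pool_id, first, last in global_pools:
        for name, addr in iface_ip.items():
            if first <= addr <= last:
                findings.append(("error", f"global pool {pool_id} ({first}-{last}) "
                                 f"contains the {name} interface address {addr}"))
    # A second default route pointing back into the LAN is not needed.
    for name, gateway in default_routes:
        if name != "outside":
            findings.append(("warn", f"default route via {name} to {gateway}; "
                             "a single default route out the outside interface is enough"))
    # Rik's point: idle translations held for hours tie up memory.
    if xlate_seconds is not None and xlate_seconds > max_xlate_seconds:
        findings.append(("warn", f"xlate timeout is {xlate_seconds // 60} min, "
                         f"above the {max_xlate_seconds // 60} min limit"))
    # ICMP handling: nothing permitted at all, or far too much permitted.
    if not icmp_permits:
        findings.append(("info", "no conduit/access-list permits icmp; "
                         "ping replies may be dropped at the PIX"))
    for tokens in icmp_permits:
        if tokens[-2:] == ["any", "any"]:
            findings.append(("warn", f"'{' '.join(tokens)}' admits every ICMP type "
                             "from anywhere; restrict it to the types needed"))
    return findings


if __name__ == "__main__":
    for label, config in (("thread config", THREAD_CONFIG), ("fixed config", FIXED_CONFIG)):
        print(f"== {label}")
        for level, message in lint_pix_config(config) or [("ok", "no findings")]:
            print(f"  [{level}] {message}")
```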