RE: PIX Help

2000-11-09 Thread Plambeck, Todd

Make sure the translation is in the xlate table ( sh xlate ). If not, ping
out from the inside host, then check it again.

Todd

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Austin
Sent: Thursday, November 09, 2000 12:50 PM
To: [EMAIL PROTECTED]
Subject: PIX Help


I am using a static mapping on the pix for an inside illegal address to an
outside legal address.
I want to allow the inside machine to be pinged from the outside as well as
allow http traffic to that machine.
Let's say the inside address is 10.1.1.5 and the internet legal address is
45.33.20.5
This is what I did:

static (inside, outside) 45.33.20.5 10.1.1.5
conduit permit icmp host 45.33.20.5 any
conduit permit tcp host 45.33.20.5 eq www any

I cannot ping the inside machine from the internet with this config.
Please help.

Thanks.


_
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]




Re: PIX Help

2000-11-09 Thread Austin

Not working .. it is translated ...

"Plambeck, Todd" <[EMAIL PROTECTED]> wrote in message
news:616662531243D411887000805F65999503C341@HTSCORPPDC...
> Make sure the translation is in the xlate table ( sh xlate ). If not ping
> out from the inside host then check it again.
>
> Todd



RE: PIX Help

2000-11-09 Thread Daniel Cotts

Also check your "outbound" statements. The default is to allow all traffic
from inside. It can be configured to deny all traffic as follows:
outbound   1 deny 0.0.0.0 0.0.0.0 1-65535 udp
outbound   1 deny 0.0.0.0 0.0.0.0 1-65535 tcp
Then permit statements open up only the desired flows. If your config is
similar then make sure that your host is allowed to reply.

> -Original Message-
> From: Austin [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, November 09, 2000 2:55 PM
> To: [EMAIL PROTECTED]
> Subject: Re: PIX Help
> 
> 
> Not working .. it is translated ...



Re: PIX Help

2000-11-09 Thread Austin

How do I make sure my host is allowed to reply?
Is there a config that I need to put on the PIX?
I do want all traffic from the inside going out.
Thanks.
"Daniel Cotts" <[EMAIL PROTECTED]> wrote in message
news:303479FA060CD211B893F805A88AA10C61@EXCHANGE1...
> Also check your "outbound" statements. The default is to allow all traffic
> from inside. It can be configured to deny all traffic as follows:
> outbound   1 deny 0.0.0.0 0.0.0.0 1-65535 udp
> outbound   1 deny 0.0.0.0 0.0.0.0 1-65535 tcp
> Then permit statements open up only the desired flows. If your config is
> similar then make sure that your host is allowed to reply.



RE: PIX Help

2000-11-09 Thread Daniel Cotts

By default all outbound traffic is allowed unless specifically denied. My
first post assumed that someone else may have configured the PIX and that it
might be denying traffic. To verify if that might be true I showed how it
could be done. If you are the only person configuring that PIX then you
don't need to worry about the point that I made.

Do you have any other PCs behind the PIX that are using static translations
and are working? Is there an internal router? Can internal users access your
server?

> -Original Message-
> From: Austin [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, November 09, 2000 3:57 PM
> To: [EMAIL PROTECTED]
> Subject: Re: PIX Help
> 
> 
> How do I make sure my host is allowed to reply?
> Is there a config that I need to put on the PIX?
> I do want all traffic from the inside going out.
> Thanks.



Re: PIX Help

2000-11-10 Thread Ben Lovegrove

--- Austin <[EMAIL PROTECTED]> wrote:
> I am using a static mapping on the pix for an inside illegal address to an
> outside legal address.
> I want to allow the inside machine to be pinged from the outside as well as
> allow http traffic to that machine.
> Let's say the inside address is 10.1.1.5 and the internet legal address is
> 45.33.20.5
> This is what I did:
> 
> static (inside, outside) 45.33.20.5 10.1.1.5
> conduit permit icmp host 45.33.20.5 any
> conduit permit tcp host 45.33.20.5 eq www any
> 
> I cannot ping the inside machine from the internet with this config.
> Please help.
> 
> Thanks.
> 

What are your global commands? Do a show global and send them in.
Also, whenever making changes, do a write mem and then clear xlate.

Rgds
Ben

=
Ben Lovegrove, CCNP (+ Security)
Redspan Solutions Ltd
http://www.redspan.com
http://www.bensbookmarks.com
Cisco: Products, Training, Jobs, Study Guides, Resources.

