RE: PIX Question !!! [7:40465]

2002-04-05 Thread Lidiya White

In problems like this you have to enable debug icmp trace to help you
resolve this issue, rather than guessing what you missed.

What is this statement supposed to do:
static (inside,outside) 192.168.2.13 216.6.24.129
 ip address inside 216.6.24.129 255.255.255.192
 route outside 0.0.0.0 0.0.0.0 192.168.2.13

You want the ip address of the inside interface to look like the outside
router???
I would use clear static and clear xlate...

You'll never be able to ping 192.168.2.14 ip from the 216.6.24.130 host,
but you should be able to ping .13.

-- Lidiya White 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Avi
Sent: Thursday, April 04, 2002 11:01 AM
To: [EMAIL PROTECTED]
Subject: PIX Question !!! [7:40465]

Hi,

I am facing a problem on PIX 515 as described below.
Firewall: Cisco PIX 515
Firewall Software Version: 4.4(7)

PIX setup:
-


  H - 216.6.24.130  255.255.255.192
   |
   |Public Accessed Servers (216.6.24.0 - Public addresses)
   |
   | - 216.6.24.129  255.255.255.192
PIX
   | - 192.168.2.14 /30
   |
   |
   | - 192.168.2.13 /30
  R
   | - 192.168.2.6 /30
   |
   |
   | - 192.168.2.5 /30
  R   (ISP Router)
   |
   |
   |Proxy Server
   |  192.118.52.54

Following is the config:
--
PIX Version 4.4(7)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd AoM2ZahaIYl9kEoj encrypted
hostname nungunungu
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging on
no logging timestamp
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 100basetx
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.14 255.255.255.248
ip address inside 216.6.24.129 255.255.255.192
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
nat (inside) 0 216.6.24.0 255.255.255.0 0 0
static (inside,outside) 192.168.2.13 216.6.24.129 netmask 255.255.255.255 0 0
conduit permit tcp host 216.6.24.177 eq smtp any
conduit permit tcp host 216.6.24.186 eq smtp any
conduit permit tcp any host 192.118.52.54 eq www
conduit permit icmp any any
conduit permit tcp host 216.6.24.189 host 216.6.24.5 eq ftp
conduit permit tcp host 216.6.24.189 host 216.6.24.5 eq ftp-data
conduit permit tcp host 216.6.24.185 host 216.6.24.40 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.10 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.5 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.19 eq 5001
conduit permit tcp host 216.6.24.185 host 216.6.24.10 eq 5001
conduit permit tcp host 216.6.24.185 host 216.6.24.5 eq 5001
conduit permit tcp host 216.6.24.184 host 216.6.24.21 eq 3306
conduit permit tcp host 216.6.24.184 host 216.6.24.28 eq 3306
conduit permit tcp host 216.6.24.10 eq domain any
conduit permit tcp host 192.118.52.54 eq 8080 any
conduit permit tcp host 192.118.52.54 eq 3180 any
conduit permit tcp host 192.118.52.54 eq www any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 192.168.2.13 1
route inside 0.0.0.0 0.0.0.0 216.6.24.129 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community mic-test-03
no snmp-server enable traps
telnet 216.6.24.16 255.255.255.255
telnet timeout 15
terminal width 80

PROBLEM


My problem is that from host 216.6.24.130 I can ping the inside interface of the PIX,
but I can't ping the outside interface of the PIX nor the internal router.
Also I am not able to ping the proxy server.
Sitting on the PIX I am able to ping inside as well as outside, even the
proxy server. Also outside hosts are able to reach the host
216.6.24.130.

Can someone please throw some light on this as to where I am going wrong or
whether I am missing some command.

Your kind help will be appreciated a lot.

Thanks, Rgds,
Avi.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40522t=40465
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: PIX Question !!! [7:40465]

2002-04-05 Thread Kent Hundley

Avi,

You have a few things in your config that look strange:

1) static (inside,outside) 192.168.2.13 216.6.24.129 netmask 255.255.255.255

This creates a static with the outside address of 192.168.2.13, which you
indicate is your router's IP address, and an inside address of 216.6.24.129,
which you indicate is your inside PIX interface.  This makes no sense.  A
static translation is used to create a new address on the outside that is
not currently in use by any device to map to an inside end device, such as a
server.  I don't understand what you are trying to do with this command and
this may be the cause of your problem.

2) route inside 0.0.0.0 0.0.0.0 216.6.24.129 1

You are pointing the PIX's inside default route to its own interface?  I
don't see what you are trying to accomplish by doing this; if there is no
inside router you should just leave off the route inside command.

3) You say outside hosts are able to reach 216.6.24.130, do you mean they
are able to ping the host?  If the outside hosts can ping the inside host,
the inside host should be able to ping the outside hosts since you have a
conduit permit icmp any in your config.  If the .130 host is a unix box,
sometimes they try to resolve names during ping, so it may be that your ping
is failing because name lookups are failing.  Just a guess.

It looks like something is not correct with your static command, so I would
fix that first.  Also, you are running a very old version of code at 4.4;
you are 2 major releases behind, so there may also be some weird bug present
in this code rev. I would strongly consider upgrading the code to current
levels.

HTH,
Kent

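Lidiya's and Kent's replies come down to the same two checks: a static cannot map the inside interface's own address onto the router's next-hop address, and a route cannot point at the firewall's own interface. The script below is an added example, not code from the thread or from Cisco. It parses the handful of PIX 4.x commands involved (a constructed excerpt of the quoted config is embedded as SAMPLE_CONFIG), flags those two problems, and goes a little beyond the replies by also flagging what a defender would notice while reading this config: the `conduit permit icmp any any`, and the fact that every logging destination is switched off, which is why Lidiya has to fall back on `debug icmp trace`. The function names parse_pix and lint and the wording of the findings are my own.

```python
"""Lint a PIX-style config for the inconsistencies raised in this thread.

Hypothetical example code, not from the thread or from Cisco. It handles only
the PIX 4.x commands the replies discuss (ip address, static, route, conduit,
no logging ...) and reports the combinations the replies call out.
"""
import ipaddress
import re

# Constructed sample: the lines of the quoted 4.4(7) config that the replies discuss.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
no logging buffered
no logging trap
ip address outside 192.168.2.14 255.255.255.248
ip address inside 216.6.24.129 255.255.255.192
nat (inside) 0 216.6.24.0 255.255.255.0 0 0
static (inside,outside) 192.168.2.13 216.6.24.129 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 216.6.24.177 eq smtp any
route outside 0.0.0.0 0.0.0.0 192.168.2.13 1
route inside 0.0.0.0 0.0.0.0 216.6.24.129 1
"""


def parse_pix(text):
    """Extract interfaces, statics, routes, conduits and disabled logging targets."""
    cfg = {"interfaces": {}, "statics": [], "routes": [], "conduits": [], "logging_off": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            name, ip, mask = m.groups()
            cfg["interfaces"][name] = ipaddress.ip_interface(f"{ip}/{mask}")
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)", line):
            # PIX syntax: static (local_if,global_if) global_addr local_addr
            cfg["statics"].append({"local_if": m[1], "global_if": m[2],
                                   "global": ipaddress.ip_address(m[3]),
                                   "local": ipaddress.ip_address(m[4])})
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            cfg["routes"].append({"if": m[1], "gw": ipaddress.ip_address(m[4])})
        elif line.startswith("conduit "):
            cfg["conduits"].append(line)
        elif m := re.match(r"no logging (buffered|trap|console|monitor)$", line):
            cfg["logging_off"].add(m[1])
    return cfg


def lint(cfg):
    """Return a list of findings; an empty list means none of the thread's problems are present."""
    findings = []
    ifaces = cfg["interfaces"]
    owner_of = {i.ip: name for name, i in ifaces.items()}  # interface address -> interface name
    next_hops = {r["gw"] for r in cfg["routes"]}

    for s in cfg["statics"]:
        # Kent's point 1: the local side of a static must be an inside host, and the
        # global side must be an address nothing else on that segment is using.
        if s["local"] in owner_of:
            findings.append(f"static: local address {s['local']} is the PIX {owner_of[s['local']]} "
                            "interface itself, not an inside host")
        if s["global"] in next_hops:
            findings.append(f"static: global address {s['global']} is also a route next hop; "
                            "a static needs an unused address on the global side")
        gif = ifaces.get(s["global_if"])
        if gif is not None and s["global"] not in gif.network:
            findings.append(f"static: global address {s['global']} is not on the "
                            f"{s['global_if']} subnet {gif.network}")

    for r in cfg["routes"]:
        # Kent's point 2: a next hop must be another device on the connected subnet.
        i = ifaces.get(r["if"])
        if i is None:
            continue
        if r["gw"] == i.ip:
            findings.append(f"route {r['if']}: next hop {r['gw']} is the PIX's own {r['if']} address")
        elif r["gw"] not in i.network:
            findings.append(f"route {r['if']}: next hop {r['gw']} is not on the connected subnet {i.network}")

    for c in cfg["conduits"]:
        # Any-to-any conduits let the whole protocol in from the outside.
        if m := re.match(r"conduit permit (\S+) any any$", c):
            findings.append(f"conduit: {m[1]} is open from any outside host to any inside host")

    if {"buffered", "trap"} <= cfg["logging_off"]:
        findings.append("logging: neither buffered nor syslog logging is enabled, so nothing records "
                        "denied packets or translation failures while you troubleshoot")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_pix(SAMPLE_CONFIG)):
        print("-", finding)
```

Run against the embedded excerpt the script reports five findings: the static's local and global addresses, the inside default route pointing at the PIX itself, the open ICMP conduit, and the absent logging. The per-command regexes are deliberately narrow; a config that uses commands this script does not know simply yields no findings for them.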