PIX 515 connectivity problems

18 years 6 months ago #14495 by thrasher80
I have not been able to find the problem in this config. My outside port can ping outside addresses and my inside port can ping internal addresses... but they will not go through. Here is the config:



PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password akF2Fvd/6W9Y3YZ7 encrypted
passwd akF2Fvd/6W9Y3YZ7 encrypted
hostname pluto
domain-name timcomputer.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list out-in permit tcp any any eq ssh
access-list out-in permit tcp any any eq 10000
access-list out-in permit tcp any any eq www
access-list out-in permit tcp any any eq nntp
access-list out-in permit tcp any any eq pop3
access-list out-in permit tcp any any eq pop2
access-list out-in permit tcp any any eq 7256
access-list out-in permit udp any any eq 109
access-list out-in permit udp any any eq 110
access-list out-in permit udp any any eq domain
access-list out-in permit tcp any any eq domain
access-list out-in permit tcp any any eq 3128
access-list out-in permit tcp any any eq 20000
access-list out-in permit tcp any host 64.65.203.66 eq smtp
access-list out-in permit tcp any any eq 995
access-list out-in permit udp any any eq 995
access-list out-in permit udp any any eq 7258
access-list out-in permit udp any any eq 554
access-list out-in permit udp any any eq 5800
access-list out-in permit udp any any eq 5900
access-list out-in permit udp any any eq 1241
access-list out-in permit udp any any eq 20
access-list out-in permit udp any any eq 21
access-list out-in permit udp any any eq 5080
access-list out-in permit udp any any eq 25
access-list out-in permit tcp any any eq ftp-data
access-list out-in permit tcp any any eq ftp
access-list out-in permit tcp any any eq 5080
access-list out-in permit tcp any any eq smtp
access-list out-in permit tcp any any eq 11371
access-list out-in permit tcp any any eq 2222
access-list out-in permit udp any any eq 2222
access-list allow_ping permit icmp any any echo-reply
access-list allow_ping permit icmp any any source-quench
access-list allow_ping permit icmp any any unreachable
access-list allow_ping permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 64.115.101.146 255.255.255.248
ip address inside 10.0.0.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 64.115.101.146
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
access-group out-in in interface outside
access-group allow_ping in interface inside
route outside 0.0.0.0 0.0.0.0 64.115.101.144 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
terminal width 80

Please help!!
18 years 6 months ago #14565 by ramasamy
Hi,

From inside you cannot ping the outside interface of the PIX and vice versa. To ping the hosts in the outside interface from inside you have to allow the echo Type 8 also:

access-list allow_ping permit icmp any any echo

or

Remove all the "allow_ping" access list and give

access-list allow_ping permit icmp any any
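
The effect of the suggested line can be checked offline. The following is an added example, not code from the thread: a minimal first-match evaluator for the allow_ping list as bound inbound on the inside interface in the posted config, including the implicit deny that ends every PIX access list. It assumes rules of the form `any any` with an optional ICMP type name; `parse` and `permitted` are hypothetical helper names.

```python
# Added example: first-match evaluation of a PIX 6.3 access list (not from the thread).
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "source-quench": 4,
              "echo": 8, "time-exceeded": 11}

# allow_ping and its binding, copied from the posted config.
POSTED = """\
access-list allow_ping permit icmp any any echo-reply
access-list allow_ping permit icmp any any source-quench
access-list allow_ping permit icmp any any unreachable
access-list allow_ping permit icmp any any time-exceeded
access-group allow_ping in interface inside
"""
# The line suggested in the reply, appended to the same list.
WITH_ECHO = POSTED + "access-list allow_ping permit icmp any any echo\n"

def parse(config):
    """Return (acls, bindings). Assumption: only 'any any' rules are handled."""
    acls, bindings = {}, {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[4:6] == ["any", "any"]:
            icmp_name = tok[6] if len(tok) > 6 else None
            acls.setdefault(tok[1], []).append((tok[2], tok[3], icmp_name))
        elif tok[:1] == ["access-group"] and tok[2:4] == ["in", "interface"]:
            bindings[tok[4]] = tok[1]
    return acls, bindings

def permitted(config, interface, proto, icmp_type=None):
    """True if a packet entering `interface` is permitted by the bound ACL."""
    acls, bindings = parse(config)
    for action, rule_proto, icmp_name in acls[bindings[interface]]:
        if rule_proto not in (proto, "ip"):
            continue
        if icmp_name is not None and ICMP_TYPES.get(icmp_name) != icmp_type:
            continue
        return action == "permit"      # first matching rule wins
    return False                       # implicit deny at the end of the list

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("with echo", WITH_ECHO)):
        print(label,
              "echo:", permitted(cfg, "inside", "icmp", 8),
              "echo-reply:", permitted(cfg, "inside", "icmp", 0),
              "tcp:", permitted(cfg, "inside", "tcp"))
```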