access-group "name" in interface "if_name"

I guarantee this will do it for you.
> 
> From: "Albert Lu" 
> Date: 2003/02/20 Thu AM 10:10:09 EST
> To: [EMAIL PROTECTED]
> Subject: RE: Traffic thru PIX [7:63347]
> 
> Hi,
> 
> You say you can't ping through pix. I imagine you mean from a PC on the
> inside network to the internet address on the outside network. Did you check
> your xlate table if it's doing the translation? (ie. show xlate). I also
> notice that you have a VPN, make sure that the address you ping isn't in the
> subnet that you define for the VPN nat0 and for interesting traffic.
> 
> Looking at your ping results, it looks like you can ping hosts in the inside
> and outside interfaces. So you just have to figure out why your pix is
> stopping your traffic.
> 
> Albert
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Tunji Suleiman
> Sent: Thursday, February 20, 2003 4:27 PM
> To: [EMAIL PROTECTED]
> Subject: Traffic thru PIX [7:63347]
> 
> 
> Hello All,
> 
> Can someone pls tell me how I can allow pings and other traffic thru the
> PIX? I've added both access-list and conduits for testing. Can ping from pix
> to a test PC on LAN, to Internet router and to UUNet DNS but not from test
> PC thru PIX as per below:
> 
> PIX# wr t
> Building configuration...
> : Saved
> :
> PIX Version 6.1(2)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password J470/UhJVN.5DRKT encrypted
> passwd J470/UhJVN.5DRKT encrypted
> hostname PIX
> domain-name pixdomain.com
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> name 10.250.77.3 testpc
> name 66.120.182.121 gateway
> access-list nat0 permit ip 10.250.77.0 255.255.255.0 10.250.0.0 255.255.0.0
> access-list nat0 permit ip 10.250.77.0 255.255.255.0 10.249.0.0 255.255.0.0
> access-list oxfordhub permit ip 10.250.77.0 255.255.255.0 10.250.4.0 255.255.255.0
> access-list oxfordhub permit ip 10.250.77.0 255.255.255.0 10.249.48.0 255.255.240.0
> access-list ipalcohub permit ip 10.250.77.0 255.255.255.0 10.250.3.0 255.255.255.0
> access-list ipalcohub permit ip 10.250.77.0 255.255.255.0 10.249.32.0 255.255.240.0
> access-list arlhub permit ip 10.250.77.0 255.255.255.0 10.250.0.0 255.255.255.0
> access-list arlhub permit ip 10.250.77.0 255.255.255.0 10.249.64.0 255.255.240.0
> access-list arlington permit ip 10.250.77.0 255.255.255.0 10.250.2.0 255.255.255.0
> access-list arlington permit ip 10.250.77.0 255.255.255.0 10.249.16.0 255.255.240.0
> access-list richmond permit ip 10.250.77.0 255.255.255.0 10.250.75.0 255.255.255.0
> access-list aclout permit icmp any any
> pager lines 24
> logging console debugging
> interface ethernet0 auto
> interface ethernet1 auto
> mtu outside 1500
> mtu inside 1500
> ip address outside 66.120.182.122 255.255.255.248
> ip address inside 10.250.77.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> pdm history enable
> arp timeout 14400
> global (outside) 1 66.120.182.123 netmask 255.255.255.248
> nat (inside) 0 access-list nat0
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> access-group aclout in interface outside
> conduit permit icmp any any
> conduit permit tcp any any
> route outside 0.0.0.0 0.0.0.0 gateway 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> http server enable
> http 10.250.78.3 255.255.255.255 inside
> http 10.250.77.2 255.255.255.255 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> no sysopt route dnat
> crypto ipsec transform-set strong3 esp-3des esp-sha-hmac
> crypto map cmap 1 ipsec-isakmp
> crypto map cmap 1 match address oxfordhub
> crypto map cmap 1 set peer 217.33.153.3
> crypto map cmap 1 set transform-set strong3
> crypto map cmap 2 ipsec-isakmp
> crypto map cmap 2 match address ipalcohub
> crypto map cmap 2 set peer 216.37.39.66
> crypto map cmap 2 set transform-set strong3
> crypto map cmap 3 ipsec-isakmp
> crypto map cmap 3 match address arlhub
> crypto map cmap 3 set peer 206.154.225.2
> crypto map cmap 3 set transform-set strong3
> crypto map cmap 4 ipsec-isakmp
> crypto map cmap 4 match address arlington
> crypto map cmap 4 set peer 65.204.31.2
> crypto map cmap 4 set transform-set strong3
> crypto map cmap 5 ipsec-isakmp
> crypto map cmap 5 match address richmond
> crypto map cmap 5 set peer 195.172.96.66
> crypto map cmap 5 set transform-set strong3
> crypto map cmap interface outside
> isakmp enable outside
> isakmp key ******** address 217.33.153.3 netmask 255.255.255.255
> isakmp key ******** address 216.37.39.66 netmask 255.255.255.255
> isakmp key ******** address 208.171.213.2 netmask 255.255.255.255
> isakmp key ******** address 65.204.31.2 netmask 255.255.255.255
> isakmp key ******** address 195.172.96.66 netmask 255.255.255.255
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption 3des
> isakmp policy 10 hash sha
> isakmp policy 10 group 1
> isakmp policy 10 lifetime 3600
> telnet 10.250.77.0 255.255.255.0 inside
> telnet timeout 60
> ssh timeout 5
> terminal width 80
> Cryptochecksum:91a83ee76d6bfefd0155f5f7f2181f6c
> : end
> [OK]
> PIX#
> PIX# ping gateway
>      gateway response received -- 0ms
>      gateway response received -- 0ms
>      gateway response received -- 0ms
> PIX# ping 198.6.1.1
>      198.6.1.1 response received -- 650ms
>      198.6.1.1 response received -- 660ms
>      198.6.1.1 response received -- 640ms
> PIX# ping 198.6.1.1
>      198.6.1.1 response received -- 700ms
>      198.6.1.1 response received -- 640ms
>      198.6.1.1 response received -- 640ms
> PIX# ping testpc
>      testpc response received -- 0ms
>      testpc response received -- 0ms
>      testpc response received -- 0ms
> PIX#
> 
> TIA.

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63428&t=63347