Hello all,
Sorry, I forgot to mention the subject, so I am sending this mail a second time.
I am trying to configure a PIX515, which has 2 interfaces.
My problem is that I cannot start any communication from the outside through the
firewall.
Outbound connections are no problem.
These are some of the syslog messages:
%PIX-6-305002: Translation built for gaddr 192.168.0.253 to laddr 192.168.1.1
%PIX-3-106010: Deny inbound udp src outside:192.168.0.3/1086 dst inside:192.168.1.1/53
%PIX-3-106010: Deny inbound udp src outside:192.168.0.2/1024 dst inside:192.168.1.1/69
So I tried it with DNS and TFTP, but also with some TCP ports.
Besides, when I check the meaning of the system log messages on the internet (cisco.com),
it tells me that 106010 is a 'deny inbound icmp' message.
Here is a sample of my config:
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.1.10 INTRANET
name 192.168.0.10 DMZ
access-list 110 permit icmp 192.168.1.0 255.255.255.0 any echo
access-list 110 permit ip any any
access-list 120 permit icmp any 192.168.0.0 255.255.255.0 echo-reply
access-list 120 permit ip any any
interface ethernet0 auto
interface ethernet1 auto
ip address outside DMZ 255.255.255.0
ip address inside INTRANET 255.255.255.0
global (outside) 1 192.168.0.200-192.168.0.252
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.0.253 192.168.1.1 netmask 255.255.255.255 0 0
access-group 120 in interface outside
access-group 110 in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
As you can see, after a while of testing, I decided to permit all ip traffic.
The access-lists seem to work, because without the 'permit icmp' I cannot ping out.
So there must be a connection between the interface and the ACL.
Another question I have is that I want to build an explicit trust relationship between two
Active Directory domains through the firewall.
Does anybody have a hint how that works?
Thanks in advance for all help,
Sven Jansen
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
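A small parser for the PIX syslog messages quoted in the post, added here as an example and not part of Sven's mail: it extracts the fields of the 106010 inbound-deny lines, counts repeated drops per inside destination and port, and pairs each deny with the 305002 translation logged for that inside address. The log lines are a constructed sample modelled on the ones in the message.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the PIX 6.x lines quoted in the post
# (one 305002 translation message followed by 106010 inbound denies).
SAMPLE_LOG = """\
%PIX-6-305002: Translation built for gaddr 192.168.0.253 to laddr 192.168.1.1
%PIX-3-106010: Deny inbound udp src outside:192.168.0.3/1086 dst inside:192.168.1.1/53
%PIX-3-106010: Deny inbound udp src outside:192.168.0.2/1024 dst inside:192.168.1.1/69
%PIX-3-106010: Deny inbound tcp src outside:192.168.0.3/1100 dst inside:192.168.1.1/445
%PIX-3-106010: Deny inbound udp src outside:192.168.0.3/1087 dst inside:192.168.1.1/53
"""

DENY_RE = re.compile(
    r"%PIX-\d-106010: Deny inbound (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)
XLATE_RE = re.compile(
    r"%PIX-\d-305002: Translation built for gaddr (?P<gaddr>[\d.]+) "
    r"to laddr (?P<laddr>[\d.]+)"
)

def parse_denies(log_text):
    """Return one dict per 106010 line; every other message id is skipped."""
    events = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            e = m.groupdict()
            e["src_port"], e["dst_port"] = int(e["src_port"]), int(e["dst_port"])
            events.append(e)
    return events

def parse_xlates(log_text):
    """Map each inside (local) address to the global address the PIX built for it."""
    return {m["laddr"]: m["gaddr"]
            for m in (XLATE_RE.search(l) for l in log_text.splitlines()) if m}

def summarize(events):
    """Count denies per (protocol, inside destination, port) so repeats stand out."""
    return Counter((e["proto"], e["dst_ip"], e["dst_port"]) for e in events)

def denies_with_xlate(log_text):
    """Attach the logged global address to each deny whose inside destination has a
    translation, i.e. the drops that happened although the static was in place."""
    xlates = parse_xlates(log_text)
    return [dict(e, gaddr=xlates[e["dst_ip"]])
            for e in parse_denies(log_text) if e["dst_ip"] in xlates]

if __name__ == "__main__":
    for (proto, ip, port), n in summarize(parse_denies(SAMPLE_LOG)).most_common():
        print(f"{n:3d}  {proto} -> {ip}:{port}")
```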