I suspect the access-list: the intranet IP is 192.168.1.0/24, but you had given
permission for the 192.168.0.0/24 network.
access-list 120 permit icmp any 192.168.0.0 255.255.255.0 echo-reply
So this will allow icmp traffic from any to 192.168.0.0/24 and not to the
intranet. So try changing that to intranet. Let us see if it pings.
cheers
mohamed.
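An added example (not code from either poster): a minimal first-match evaluator for the PIX-style access-list lines quoted below, to see which entry of ACL 120 a given flow hits. It assumes PIX 6.x semantics (subnet masks rather than wildcards, first match wins, implicit deny at the end, ACL on the outside interface checked against the global/translated destination) and uses flows constructed from the syslog lines in the quoted mail.

```python
# Added example, not from the thread. Assumptions: PIX 6.x semantics (netmasks,
# first match wins, implicit deny), ACL on "outside" sees global destination.
import ipaddress

# Constructed from the config in the quoted mail (line wraps joined).
ACL_120 = [
    "access-list 120 permit icmp any 192.168.0.0 255.255.255.0 echo-reply",
    "access-list 120 permit ip any any",
]

def _net(tokens):
    """Consume 'any' or '<addr> <mask>' from the token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_ace(line):
    t = line.split()
    assert t[0] == "access-list" and t[2] in ("permit", "deny")
    proto = t[3]
    src, rest = _net(t[4:])
    dst, rest = _net(rest)
    icmp_type = rest[0] if proto == "icmp" and rest else None
    return {"action": t[2], "proto": proto, "src": src, "dst": dst,
            "icmp_type": icmp_type, "text": line}

def match(acl, proto, src, dst, icmp_type=None):
    """Return (action, matching line) for the first ACE that fits, else the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["icmp_type"] and ace["icmp_type"] != icmp_type:
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny"

if __name__ == "__main__":
    # Echo-reply toward the global address 192.168.0.253: hit by the icmp line.
    print(match(ACL_120, "icmp", "192.168.0.3", "192.168.0.253", "echo-reply"))
    # Echo-reply toward the intranet address: falls through to 'permit ip any any'.
    print(match(ACL_120, "icmp", "192.168.0.3", "192.168.1.1", "echo-reply"))
    # The UDP flow from the syslog deny (src 192.168.0.3/1086, dst 192.168.1.1/53).
    print(match(ACL_120, "udp", "192.168.0.3", "192.168.1.1"))
```

Dropping the second line (`ACL_120[:1]`) makes the UDP flow fall to the implicit deny, which is the quickest way to check which entry is actually doing the work.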
On Tue, 18 Sep 2001 Sven Jansen wrote:
>Hello all,
>
>sorry, I forgot to mention the subject, so I send this
>mail a second time.
>
>I try to configure a PIX515, which has 2 interfaces.
>My problem is that I cannot start any communication
>from the outside through the firewall.
>Outbound connections are no problem.
>These are some of the syslog messages:
>
>%PIX-6-305002: Translation built for gaddr
>192.168.0.253 to laddr 192.168.1.1
>%PIX-3-106010: Deny inbound udp src
>outside:192.168.0.3/1086 dst inside:192.168.1.1/53
>%PIX-3-106010: Deny inbound udp src
>outside:192.168.0.2/1024 dst inside:192.168.1.1/69
>
>So I tried it with DNS and TFTP, but also with some TCP
>ports.
>Besides, when I check the meaning of system log
>messages on the internet (cisco.com), it tells me
>that 106010 is a 'deny inbound icmp' message.
>
>Here is a sample of my config:
>
>PIX Version 6.0(1)
>nameif ethernet0 outside security0
>nameif ethernet1 inside security100
>hostname pixfirewall
>fixup protocol ftp 21
>fixup protocol http 80
>fixup protocol h323 1720
>fixup protocol rsh 514
>fixup protocol smtp 25
>fixup protocol sqlnet 1521
>fixup protocol sip 5060
>fixup protocol skinny 2000
>names
>name 192.168.1.10 INTRANET
>name 192.168.0.10 DMZ
>access-list 110 permit icmp 192.168.1.0 255.255.255.0 any echo
>access-list 110 permit ip any any
>access-list 120 permit icmp any 192.168.0.0 255.255.255.0 echo-reply
>access-list 120 permit ip any any
>interface ethernet0 auto
>interface ethernet1 auto
>ip address outside DMZ 255.255.255.0
>ip address inside INTRANET 255.255.255.0
>global (outside) 1 192.168.0.200-192.168.0.252
>nat (inside) 1 0.0.0.0 0.0.0.0 0 0
>static (inside,outside) 192.168.0.253 192.168.1.1 netmask 255.255.255.255 0 0
>access-group 120 in interface outside
>access-group 110 in interface inside
>route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
>
>As you can see, after a while of testing, I decided to
>permit all ip traffic.
>The access-lists seem to work, because without the
>'permit icmp' I cannot ping out.
>So there must be the connection between the interface
>and the acl.
>
>Another question I have is, I want to build an explicit
>trust relationship between two active directory domains
>through the firewall.
>Does anybody have a hint how that works?
>
>Thanks in advance for all help,
>
>Sven Jansen
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls