Have you tried a 'wr mem' and a restart? That's what I do to PIXen when
they're behaving strangely.

Offhand, I can't see anything missing in your config. I usually add a PAT
mapping (a single global translation), but it shouldn't be strictly
necessary.

For your config it would be:
global (outside) 1 192.168.0.199 netmask 255.255.255.0

You could also try adding the netmask command to your other global command,
but it really should get it right, for 192.168 (unless you've changed IP
addresses to protect the innocent?)

Sorry - all voodoo and guesswork.

Cheers,

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304 

> -----Original Message-----
> From: Sven Jansen [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, September 18, 2001 8:32 PM
> To: [EMAIL PROTECTED]
> Subject: pix - no inbound conns
> 
> 
> Hello all,
> 
> sorry, I forgot to mention the subject, so I am sending this mail a
> second time.
> 
> I am trying to configure a PIX515, which has 2 interfaces.
> My problem is that I cannot start any communication from the
> outside through the firewall.
> Outbound connections are no problem.
> These are some of the syslog messages:
> 
> %PIX-6-305002: Translation built for gaddr 192.168.0.253 to 
> laddr 192.168.1.1
> %PIX-3-106010: Deny inbound udp src outside:192.168.0.3/1086 
> dst inside:192.168.1.1/53
> %PIX-3-106010: Deny inbound udp src outside:192.168.0.2/1024 
> dst inside:192.168.1.1/69
> 
> So I tried it with DNS and TFTP, but also with some TCP ports.
> Besides, when I check the meaning of system log messages on
> the internet (cisco.com), it tells me
> that 106010 is a 'deny inbound icmp' message.
> 
> Here is a sample of my config:
> 
> PIX Version 6.0(1)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> hostname pixfirewall
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> name 192.168.1.10 INTRANET
> name 192.168.0.10 DMZ
> access-list 110 permit icmp 192.168.1.0 255.255.255.0 any echo
> access-list 110 permit ip any any
> access-list 120 permit icmp any 192.168.0.0 255.255.255.0 echo-reply
> access-list 120 permit ip any any
> interface ethernet0 auto
> interface ethernet1 auto
> ip address outside DMZ 255.255.255.0
> ip address inside INTRANET 255.255.255.0
> global (outside) 1 192.168.0.200-192.168.0.252
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> static (inside,outside) 192.168.0.253 192.168.1.1 netmask 
> 255.255.255.255 0 0
> access-group 120 in interface outside
> access-group 110 in interface inside
> route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
> 
> As you can see, after a while of testing, I decided to permit
> all ip traffic.
> The access-lists seem to work, because without the 'permit
> icmp' I cannot ping out.
> So there must be a connection between the interface and the ACL.
> 
> Another question I have is, I want to build an explicit trust
> relationship between two
> active directory domains through the firewall.
> Does anybody have a hint how that works?
> 
> Thanks in advance for all help,
> 
> Sven Jansen
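An added example, not code from either message in this thread: a small Python parser for the two kinds of PIX syslog line Sven quoted (305002 "Translation built" and 106010 "Deny inbound"), with a summary that counts denied inbound flows per protocol/destination/port and flags denies whose destination is the local side of a static translation seen earlier in the same log. That is exactly the pattern in the quoted messages: the static builds 192.168.0.253 -> 192.168.1.1, and every deny is to 192.168.1.1. The two extra sample lines (a second port 53 attempt and a TCP port 80 attempt) are constructed for the example and are not from the thread.

```python
"""Parse PIX syslog lines (305002 / 106010) and summarise inbound denies."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the first three lines are the messages quoted in the
# thread, the last two are assumed extra attempts added so the summary has
# something to count.
SAMPLE_SYSLOG = """\
%PIX-6-305002: Translation built for gaddr 192.168.0.253 to laddr 192.168.1.1
%PIX-3-106010: Deny inbound udp src outside:192.168.0.3/1086 dst inside:192.168.1.1/53
%PIX-3-106010: Deny inbound udp src outside:192.168.0.2/1024 dst inside:192.168.1.1/69
%PIX-3-106010: Deny inbound udp src outside:192.168.0.3/1087 dst inside:192.168.1.1/53
%PIX-3-106010: Deny inbound tcp src outside:192.168.0.3/1100 dst inside:192.168.1.1/80
"""

# %PIX-<severity>-<message id>: <body>
HEADER_RE = re.compile(r"^%PIX-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)$")
# 106010: Deny inbound <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>
DENY_RE = re.compile(
    r"^Deny inbound (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)$"
)
# 305002: Translation built for gaddr <global ip> to laddr <local ip>
XLATE_RE = re.compile(
    r"^Translation built for gaddr (?P<gaddr>[\d.]+) to laddr (?P<laddr>[\d.]+)$"
)


@dataclass
class PixEvent:
    severity: int
    msgid: str
    kind: str                      # "deny", "xlate" or "other"
    fields: Dict[str, str] = field(default_factory=dict)
    raw: str = ""


def parse_line(line: str) -> Optional[PixEvent]:
    """Return a PixEvent for one syslog line, or None if it is not a %PIX message."""
    line = line.strip()
    m = HEADER_RE.match(line)
    if not m:
        return None
    sev, msgid, body = int(m.group("sev")), m.group("msgid"), m.group("body")
    d = DENY_RE.match(body)
    if d:
        return PixEvent(sev, msgid, "deny", d.groupdict(), line)
    x = XLATE_RE.match(body)
    if x:
        return PixEvent(sev, msgid, "xlate", x.groupdict(), line)
    return PixEvent(sev, msgid, "other", {}, line)


def parse_syslog(text: str) -> List[PixEvent]:
    """Parse every %PIX line in a block of syslog text, skipping anything else."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def summarize(events: List[PixEvent]) -> dict:
    """Count denied inbound flows and flag those aimed at a static's local address."""
    xlates: Dict[str, str] = {}          # global address -> local address
    for ev in events:
        if ev.kind == "xlate":
            xlates[ev.fields["gaddr"]] = ev.fields["laddr"]
    local_with_xlate = set(xlates.values())

    denied: Counter = Counter()          # (proto, dst_ip, dst_port) -> count
    denies_to_static_local: List[PixEvent] = []
    for ev in events:
        if ev.kind != "deny":
            continue
        f = ev.fields
        denied[(f["proto"], f["dst_ip"], f["dst_port"])] += 1
        # The deny names the *local* address even though a translation to it
        # exists: worth flagging, since that is what the thread is about.
        if f["dst_ip"] in local_with_xlate:
            denies_to_static_local.append(ev)
    return {
        "xlates": xlates,
        "denied_inbound": denied,
        "denies_to_static_local": denies_to_static_local,
    }


def report(text: str) -> List[str]:
    """Human-readable summary lines for a block of PIX syslog text."""
    s = summarize(parse_syslog(text))
    out = [f"translation {g} -> {l}" for g, l in sorted(s["xlates"].items())]
    for (proto, ip, port), n in sorted(s["denied_inbound"].items()):
        out.append(f"denied inbound {proto} to {ip}/{port}: {n}")
    out.append(f"denies to local side of a translation: {len(s['denies_to_static_local'])}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SYSLOG)))
```

Feed it `show logging` output (or the syslog server's file) instead of SAMPLE_SYSLOG; lines that are not `%PIX-` messages are ignored, and unrecognised message IDs come back as kind "other" so they can still be counted.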




_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
