Well, I think it has to do with your static line. Your
global address is 192.168.0.253, so your connections
should be hitting that address, which the pix will
xlate to 192.168.1.1.

In your examples you are not sending icmp, you are
sending udp, and you are pointing it to 192.168.1.1.

So either change your dst addr to 192.168.0.253, or
change your static line to
static (inside,outside) 192.168.1.1 192.168.1.1 netmask 255.255.255.255
to xlate this IP to itself.

> > -----Original Message-----
> > From: Sven Jansen [mailto:[EMAIL PROTECTED]] 
> > Sent: Tuesday, September 18, 2001 8:32 PM
> > To: [EMAIL PROTECTED]
> > Subject: pix - no inbound conns
> > 
> > 
> > Hello all,
> > 
> > Sorry, I forgot to mention the subject, so I send this mail a
> > second time.
> >
> > I try to configure a PIX515, which has 2 interfaces.
> > My problem is, that I cannot start any communication from the
> > outside through the firewall.
> > Outbound connections are no problem.
> > These are some of the syslog messages:
> > 
> > %PIX-6-305002: Translation built for gaddr 192.168.0.253 to laddr 192.168.1.1
> > %PIX-3-106010: Deny inbound udp src outside:192.168.0.3/1086 dst inside:192.168.1.1/53
> > %PIX-3-106010: Deny inbound udp src outside:192.168.0.2/1024 dst inside:192.168.1.1/69
> >
> > So I tried it with DNS and TFTP, but also with some TCP ports.
> > Besides, when I check the meaning of system log messages in
> > the internet (cisco.com), it tells me
> > that 106010 is a 'deny inbound icmp' message.
> > 
> > Here is a sample of my config:
> > 
> > PIX Version 6.0(1)
> > nameif ethernet0 outside security0
> > nameif ethernet1 inside security100
> > hostname pixfirewall
> > fixup protocol ftp 21
> > fixup protocol http 80
> > fixup protocol h323 1720
> > fixup protocol rsh 514
> > fixup protocol smtp 25
> > fixup protocol sqlnet 1521
> > fixup protocol sip 5060
> > fixup protocol skinny 2000
> > names
> > name 192.168.1.10 INTRANET
> > name 192.168.0.10 DMZ
> > access-list 110 permit icmp 192.168.1.0 255.255.255.0 any echo
> > access-list 110 permit ip any any
> > access-list 120 permit icmp any 192.168.0.0 255.255.255.0 echo-reply
> > access-list 120 permit ip any any
> > interface ethernet0 auto
> > interface ethernet1 auto
> > ip address outside DMZ 255.255.255.0
> > ip address inside INTRANET 255.255.255.0
> > global (outside) 1 192.168.0.200-192.168.0.252
> > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > static (inside,outside) 192.168.0.253 192.168.1.1 netmask 255.255.255.255 0 0
> > access-group 120 in interface outside
> > access-group 110 in interface inside
> > route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
> > 
> > As you can see, after a while of testing, I decided to permit
> > all ip traffic.
> > The access-lists seem to work, because without the 'permit
> > icmp' I cannot ping out.
> > So there must be the connection between the interface and the acl.
> >
> > Another question I have is, I want to build an explicit trust
> > relationship between two
> > active directory domains through the firewall.
> > Does anybody have a hint how that works?
> > 
> > Thanks in advance for all help,
> > 
> > Sven Jansen
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
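
The check suggested in the reply above, as an added example that is not part of the original thread: a short Python script that reads the `static` line and the `106010` deny messages quoted from the original post and reports denies aimed at a static's local address instead of its global address. The function names are hypothetical, and the sample input is constructed from the lines quoted in the thread.

```python
import re

# Constructed sample input: the static line and syslog messages quoted in the thread.
CONFIG = """\
static (inside,outside) 192.168.0.253 192.168.1.1 netmask 255.255.255.255 0 0
"""
SYSLOG = """\
%PIX-6-305002: Translation built for gaddr 192.168.0.253 to laddr 192.168.1.1
%PIX-3-106010: Deny inbound udp src outside:192.168.0.3/1086 dst inside:192.168.1.1/53
%PIX-3-106010: Deny inbound udp src outside:192.168.0.2/1024 dst inside:192.168.1.1/69
"""

# static (real_if,mapped_if) <global address> <local address> ...
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+"
    r"(?P<gaddr>\d+(?:\.\d+){3})\s+(?P<laddr>\d+(?:\.\d+){3})", re.M)
DENY_RE = re.compile(
    r"%PIX-3-106010: Deny inbound (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)")

def parse_statics(config):
    """Map (real_if, mapped_if, local address) -> global address."""
    return {(m["real_if"], m["mapped_if"], m["laddr"]): m["gaddr"]
            for m in STATIC_RE.finditer(config)}

def explain_denies(config, syslog):
    """List denies whose destination is a static's local, not global, address."""
    statics = parse_statics(config)
    findings = []
    for m in DENY_RE.finditer(syslog):
        gaddr = statics.get((m["dst_if"], m["src_if"], m["dst"]))
        # An identity static (global == local) is not a mismatch.
        if gaddr and gaddr != m["dst"]:
            findings.append({"src": m["src"], "proto": m["proto"],
                             "port": int(m["dport"]), "sent_to": m["dst"],
                             "use_instead": gaddr})
    return findings

if __name__ == "__main__":
    for f in explain_denies(CONFIG, SYSLOG):
        print("{src} sent {proto}/{port} to local address {sent_to}; "
              "the static maps it to global address {use_instead}".format(**f))
```
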

