To allow outside -> inside traffic, you need to have a static translation and an accompanying access list.
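The fragment below is an added illustration of the point in the reply above; it is not part of the original thread and not the poster's configuration. It uses the public addresses from the poster's stated plan (x.y.z.76 for an inside host, x.y.z.70 for a DMZ host) and assumes two hypothetical servers, a web server at 10.0.0.10 and a mail relay at 192.168.0.10, in PIX 6.x syntax.

```cisco
! Added example, not from the original thread. 10.0.0.10 and 192.168.0.10
! are assumed hosts; x.y.z.76 and x.y.z.70 come from the poster's address plan.

! 1. Static translations. A fixed public-to-private mapping must exist before
!    the PIX will accept an inbound (lower- to higher-security) connection.
!    The trailing "0 0" are the max-connections and embryonic-connection
!    limits (0 = unlimited).
static (inside,outside) x.y.z.76 10.0.0.10 netmask 255.255.255.255 0 0
static (dmz,outside) x.y.z.70 192.168.0.10 netmask 255.255.255.255 0 0

! 2. Access list. Permit only the services that must be reachable from the
!    Internet, addressed by their translated (public) addresses: on PIX 6.x
!    an inbound ACL is matched against the global address, not the real one.
access-list outside_in permit tcp any host x.y.z.76 eq www
access-list outside_in permit tcp any host x.y.z.70 eq smtp
! PIX 6.x does not track ICMP state, so replies to pings originated inside
! must be explicitly allowed back in; tighten "any any" to the public ranges
! in use if the test succeeds.
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded

! 3. Bind the list to the outside interface. Without this access-group the
!    list filters nothing; once bound, its implicit deny blocks everything
!    not listed above.
access-group outside_in in interface outside
```

After applying it, `show xlate` should list the two static entries and `show access-list` should show hit counts climbing on the permitted lines when a connection is attempted from outside; a connection that never increments a hit count is being dropped before the ACL, usually because no translation matches. Two things in the posted config are also worth checking while there: the `http 10.1.1.10 255.255.255.255 inside` entry is not in the inside subnet 10.0.0.0/24, so no inside host can reach PDM, and `snmp-server community public` leaves the default read community in place.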
Can you provide logs?

Thus spake Brian Guild ([EMAIL PROTECTED]):
> Guys,
>
> I am having significant trouble configuring my PIX525 firewall. Clients
> inside WILL NOT communicate to the outside and vice-versa. I can't ping...I
> can't do anything at all, even when I hook up directly to one of the
> interfaces with my laptop. I am wondering if someone could look over my
> configuration to correct it. Here are my intentions:
>
> 1) All "inside" clients will be numbered with class C addresses of 10.x.x.x.
> 2) All "inside" clients can reach the outside public internet
> 3) Outside interface will be assigned 1 IP address and all outgoing
> communications should be sent through that IP
> 4) Other outside IPs in the range of 76-125 will be able to be statically
> mapped back to the internal addresses.
> 5) The DMZ will have addresses in the range of 192.168.x.x and those
> addresses will be mapped back statically to the following public IPs
> allocated to the DMZ: x.y.z.70-x.y.z.75.
> 6) I would like the outside interface to use x.y.z.65
>
> Could someone please take a look at the current running config below and let
> me know what I am doing wrong?
>
> Thank you,
>
> Brian
>
> PIX Version 6.1(1)110
> nameif ethernet0 outside security0
> nameif ethernet1 inside security 100
> nameif ethernet2 dmz security10
> enable password xxxxx encrypted
> password xxxxx encrypted
> hostname pixfirewall
> domain-name body1.com
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> pager lines 24
> interface ethernet0 10full
> interface ethernet1 100full
> interface ethernet2 100full
> mtu outside 1500
> mtu inside 1500
> mtu dmz 1500
> ip address outside x.y.z.65 255.255.255.192
> ip address inside 10.0.0.1 255.255.255.0
> ip address dmz 192.168.0.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> no failover
> failover timeout 0:00:00
> failover poll 15
> failover ip address outside 0.0.0.0
> failover ip address inside 0.0.0.0
> failover ip address dmz 0.0.0.0
> pdm history enable
> arp timeout 14400
> global (outside) 1 x.y.z.66
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> route outside 0.0.0.0 0.0.0.0 x.y.z.67 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> http server enable
> http 10.1.1.10 255.255.255.255 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> no sysopt route dnat
> telnet 10.0.0.0 255.255.255.0 inside
> telnet timeout 5
> ssh timeout 5
> terminal width 80
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
