To allow outside -> inside traffic, you need to have a static
translation and an accompanying access list.

Can you provide logs?

Thus spake Brian Guild ([EMAIL PROTECTED]):

> Guys,
> 
> I am having significant trouble configuring my PIX525 firewall.  Clients
> inside WILL NOT communicate to the outside and vice-versa.  I can't ping...I
> can't do anything at all, even when I hook up directly to one of the
> interfaces with my laptop.  I am wondering if someone could look over my
> configuration to correct it.  Here are my intentions:
> 
> 1) All "inside" clients will be numbered with class C addresses of 10.x.x.x.
> 2) All "inside" clients can reach the outside public internet
> 3) Outside interface will be assigned 1 IP address and all outgoing
> communications should be sent through that IP
> 4) Other outside IPs in the range of 76-125 will be able to be statically
> mapped back to the internal addresses.
> 5) The DMZ will have addresses in the range of 192.168.x.x and those
> addresses will be mapped back statically to the following public IPs
> allocated to the DMZ: x.y.z.70-x.y.z.75.
> 6) I would like the outside interface to use x.y.z.65
> 
> Could someone please take a look at the current running config below and let
> me know what I am doing wrong?
> 
> Thank you,
> 
> Brian
> 
> PIX Version 6.1(1)110
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security10
> enable password xxxxx encrypted
> password xxxxx encrypted
> hostname pixfirewall
> domain-name body1.com
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> pager lines 24
> interface ethernet0 10full
> interface ethernet1 100full
> interface ethernet2 100full
> mtu outside 1500
> mtu inside 1500
> mtu dmz 1500
> ip address outside x.y.z.65 255.255.255.192
> ip address inside 10.0.0.1 255.255.255.0
> ip address dmz 192.168.0.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> no failover
> failover timeout 0:00:00
> failover poll 15
> failover ip address outside 0.0.0.0
> failover ip address inside 0.0.0.0
> failover ip address dmz 0.0.0.0
> pdm history enable
> arp timeout 14400
> global (outside) 1 x.y.z.66
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> route outside 0.0.0.0 0.0.0.0 x.y.z.67 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> http server enable
> http 10.1.1.10 255.255.255.255 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> no sysopt route dnat
> telnet 10.0.0.0 255.255.255.0 inside
> telnet timeout 5
> ssh timeout 5
> terminal width 80
> 
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
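The static-plus-access-list pairing the reply refers to, as an added PIX 6.x configuration example that is not part of the thread or of the poster's config; the hosts 192.168.0.10 and 10.0.0.76 and the permitted ports are assumptions chosen to fit the poster's stated x.y.z addressing plan.

```cisco
! Added example (not from the thread). Public addresses follow the poster's
! plan: x.y.z.70-75 for the DMZ, x.y.z.76-125 for inside hosts.
! DMZ host (assumed 192.168.0.10) published as x.y.z.70
static (dmz,outside) x.y.z.70 192.168.0.10 netmask 255.255.255.255 0 0
! Inside host (assumed 10.0.0.76) published as x.y.z.76
static (inside,outside) x.y.z.76 10.0.0.76 netmask 255.255.255.255 0 0
! A static only creates the translation; because the outside interface is
! security0, nothing reaches the lower-security side until an access list
! permits it. Permit only the services each published host actually offers.
access-list outside_in permit tcp any host x.y.z.70 eq www
access-list outside_in permit tcp any host x.y.z.76 eq 22
! Apply the list to traffic arriving on the outside interface
access-group outside_in in interface outside
```

After adding statics, `clear xlate` drops existing translations so the new entries take effect; `show xlate` then confirms the mappings the PIX is actually using.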