1. Can you ping an inside PC, and a public IP address, from your PIX?
2. Add "netmask" to the command "global (outside) 1 x.y.z.66".
3. Cannot find commands in your configuration for your purposes 4 and 5.
4. Try adding "conduit permit icmp any any" to permit ICMP packets. I forget whether the PIX blocks ICMP packets by default or not, but it doesn't hurt to do a test.
Fei.

-----Original Message-----
From: Brian Guild [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 02, 2002 7:02 PM
To: [EMAIL PROTECTED]
Subject: Problems configuring my PIX525

Guys,

I am having significant trouble configuring my PIX525 firewall. Clients inside WILL NOT communicate with the outside and vice versa. I can't ping... I can't do anything at all, even when I hook up directly to one of the interfaces with my laptop. I am wondering if someone could look over my configuration to correct it. Here are my intentions:

1) All "inside" clients will be numbered with class C addresses of 10.x.x.x.
2) All "inside" clients can reach the outside public internet.
3) The outside interface will be assigned 1 IP address and all outgoing communications should be sent through that IP.
4) Other outside IPs in the range of 76-125 will be able to be statically mapped back to the internal addresses.
5) The DMZ will have addresses in the range of 192.168.x.x and those addresses will be mapped back statically to the following public IPs allocated to the DMZ: x.y.z.70-x.y.z.75.
6) I would like the outside interface to use x.y.z.65.

Could someone please take a look at the current running config below and let me know what I am doing wrong?
Thank you,
Brian

PIX Version 6.1(1)110
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password xxxxx encrypted
password xxxxx encrypted
hostname pixfirewall
domain-name body1.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 10full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside x.y.z.65 255.255.255.192
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 x.y.z.66
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 x.y.z.67 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.1.1.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
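The fragment below is an added example written for this thread; it is not part of either poster's message. It shows how intentions 2 through 6, plus Fei's two suggestions, map onto PIX 6.x commands. It keeps Brian's interface addresses and the x.y.z placeholder prefix; the host addresses 10.0.0.10 and 192.168.0.10, the particular public addresses picked from the .70-.75 and .76-.125 ranges, and the ports 80 and 22 are assumptions for illustration. Lines beginning with a colon are comments for the reader. Two points the example relies on: a static translation by itself does not admit inbound traffic, the access-list bound to the outside interface must also permit it to the public (global) address; and PIX 6.1 has no stateful ICMP inspection (that arrived with fixup protocol icmp in 6.3), so the echo reply to an inside host's ping is dropped on the outside interface unless something explicitly permits it, which is what Fei's conduit line does. The example uses access-list/access-group instead of conduit; both work on 6.1, but an access-group bound to an interface overrides conduits on that interface, so use one form consistently.

```text
: --- Outbound: all inside clients share one public address (intentions 2, 3).
: Fei's point: give the single global address an explicit netmask.
global (outside) 1 x.y.z.66 netmask 255.255.255.192
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

: --- DMZ hosts that have no static still get out through the same address.
: (Assumption: DMZ hosts need outbound Internet access.)
nat (dmz) 1 192.168.0.0 255.255.255.0 0 0

: --- Inside to DMZ: identity translation so 10.0.0.0/24 appears unchanged
: on the dmz interface. Without a translation for this interface pair the
: PIX has no xlate to build and drops inside-to-DMZ traffic.
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0

: --- DMZ servers mapped one-to-one to x.y.z.70-75 (intention 5).
: One line per server; 192.168.0.10 is an assumed server address.
static (dmz,outside) x.y.z.70 192.168.0.10 netmask 255.255.255.255 0 0

: --- Inside hosts mapped one-to-one to x.y.z.76-125 (intention 4).
: One line per host; 10.0.0.10 is an assumed host address.
static (inside,outside) x.y.z.76 10.0.0.10 netmask 255.255.255.255 0 0

: --- Inbound policy on the outside interface. The statics above only
: create translations; this list decides what may use them.
: ICMP is kept to the reply types inside hosts need to see, since 6.1
: cannot match replies to requests on its own. "conduit permit icmp any any"
: is the wide-open equivalent and is fine for Fei's first test.
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit tcp any host x.y.z.70 eq 80
access-list outside_in permit tcp any host x.y.z.76 eq 22
access-group outside_in in interface outside

: --- Policy on the dmz interface: a compromised DMZ server must not be able
: to open connections toward the inside network. Replies to connections the
: inside opened are still allowed by the stateful connection table.
access-list dmz_out deny ip any 10.0.0.0 255.255.255.0
access-list dmz_out permit ip any any
access-group dmz_out in interface dmz
```

After changing global, nat or static entries on PIX 6.x, run clear xlate so existing translations are rebuilt under the new rules; otherwise a test that worked (or failed) before the change can keep giving the old result. The default route still points at x.y.z.67, which must be the ISP router's address inside the x.y.z.64/26 subnet; the PIX answers ARP for .66 and the static addresses itself, so nothing else on that segment should claim them.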
