Glenn - You have a static NAT mapping, but do you have the appropriate access list specified to allow the traffic in? Can you provide us with some more details (i.e. a sanitized config and what you're trying to let in)? As far as why it's not blocking returning packets, it's most likely the "statefulness". If you've allowed an outbound connection, the PIX maintains a state table for each connection, and will allow the appropriate traffic related to that connection (the reply) back in. This sometimes needs a little help depending on the protocol with a fixup command. With some more details, I could probably be of more help.
Regards,
Brad

-----Original Message-----
From: Glenn English [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 22, 2003 6:50 PM
To: 'Security-Basics'
Subject: Some Cisco PIX newbie questions

I got a 506E (first experience with Cisco) last Friday, and I'm learning how to use it with 172.16.0.146/28 (a LAN around the building) as the Internet and 192.168.82.40/29 (my workstation) as the protected LAN. (And an old Mac SE/30 as the terminal.)

Configuring from the terminal works, telnet works, https works, tftp works, the Java PDM pretty much works, and connecting from inside to outside works. But I can't figure out how to get through the firewall in the other direction. There's a static map from an "Internet" IP to my workstation, and the PIX's log shows a connection attempt. But what I specifically permit is being denied. Is the anti-spoofing blocking it? If so, why is it not blocking packets returning to the PAT address?

--
Glenn English
[EMAIL PROTECTED]
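The pieces Brad is asking about (static translation, inbound access-list, access-group, fixup), written out as a PIX 6.x configuration fragment. This is an added example, not configuration from either message; the spare outside address 172.16.0.150, the workstation address 192.168.82.42, the interface addresses and TCP/22 as the permitted service are all constructed assumptions.

```cisco
! Interfaces (assumed addressing; Glenn's exact interface addresses are not given)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 172.16.0.146 255.255.255.240
ip address inside 192.168.82.41 255.255.255.248

! Outbound: inside hosts are PATed to the outside interface address.
! The PIX keeps a connection (state) entry for each flow it allows out,
! which is why replies to 172.16.0.146 come back in without any ACL.
global (outside) 1 interface
nat (inside) 1 192.168.82.40 255.255.255.248 0 0

! Inbound: one-to-one static from a spare outside address to the workstation.
! A static only creates the translation; by itself it permits nothing.
static (inside,outside) 172.16.0.150 192.168.82.42 netmask 255.255.255.255 0 0

! The access-list must match the GLOBAL (outside) address, not 192.168.82.42:
! on PIX 6.x the ACL is evaluated before the static un-translates the packet.
! Permit only the service actually needed; everything else is implicitly denied.
access-list outside_in permit tcp any host 172.16.0.150 eq 22

! Without this line the ACL is never applied and every inbound attempt is
! denied by the default policy, even though "show access-list" looks right.
access-group outside_in in interface outside

! Anti-spoofing (unicast RPF) only drops packets whose source address is
! unexpected on that interface; it does not affect a correct static+ACL.
ip verify reverse-path interface outside

! Protocols that open secondary channels (FTP data etc.) need the inspection
! engine so the related connection is added to the state table.
fixup protocol ftp 21

! Useful checks while testing:
!   show xlate                  -> the static should appear as a translation
!   show access-list outside_in -> hit counts climb when the rule matches
!   show conn                   -> the inbound flow appears once permitted
!   logging on / logging buffered debugging
!       a "%PIX-4-106023: Deny ..." entry names the access-group that dropped
!       the packet, which tells you the ACL (not anti-spoofing) is the cause
```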