
cybernet99
join:2005-09-26 Delta, BC
Problems with Pix 506e configuration

I would sure like some help with a new PIX 506e config I am working on.
I can't pass any traffic through it, must be missing something pretty simple, just can't see it for looking.
Here is the config, thanks in advance.
Tim
=========================================
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname PIX506
domain-name dasal.prv
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_acl permit icmp any any
access-list inside_acl permit tcp any any eq www
access-list inside_acl permit tcp any any eq https
access-list inside_acl permit udp any any eq domain
access-list inside_acl permit tcp any any eq domain
access-list inside_acl permit tcp any any eq pop3
access-list inside_acl permit tcp any any eq ftp
access-list inside_acl permit tcp any any eq 37
access-list inside_acl permit tcp any any eq nntp
access-list inside_acl permit tcp any any eq whois
access-list inside_acl permit udp any any eq time
access-list inside_acl permit tcp any any eq 3389
access-list outside_acl permit icmp any any
access-list outside_acl deny tcp any any eq 135
access-list outside_acl permit tcp any host xxx.xxx.0.201 eq ftp
access-list outside_acl permit tcp any host xxx.xxx.0.201 eq domain
access-list outside_acl permit udp any host xxx.xxx.0.201 eq domain
access-list outside_acl permit tcp any host xxx.xxx.0.201 eq 3389
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.0.202 255.255.252.0
ip address inside 192.168.0.254 255.255.240.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name IDS_Attack attack action alarm drop reset
ip audit name IDS_Info info action alarm
ip audit interface outside IDS_Info
ip audit interface outside IDS_Attack
ip audit interface inside IDS_Info
ip audit interface inside IDS_Attack
ip audit info action alarm
ip audit attack action alarm
ip audit signature 1000 disable
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
pdm location 192.168.0.175 255.255.255.255 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.0.201 netmask 255.255.252.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xxx.xxx.0.201 192.168.0.175 netmask 255.255.255.255 0 0
access-group outside_acl in interface outside
access-group inside_acl in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:e097fa922eedd7c8a33dc67b7acd9c4a
: end
[OK]
=========================================
Jugaad
join:2002-04-28 MARS!!
Re: Problems with Pix 506e configuration

try this

clear global
global (outside) 1 interface

If this works then either your outside router is not routing correctly or there are stale ARP entries on outside directly connected devices like switches, router etc.

-- Not able to get online? Good!! Go out and meet friends
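The suggestion above swaps the separate global PAT address for the interface address. One thing worth checking in a PIX 6.x config before blaming upstream ARP is whether a global pool address is also the mapped address of a static, or lies outside the outside interface's subnet; the following linter is an added example (not from this thread or from Cisco) that parses those lines and reports both conditions. The sample config is constructed in the same syntax as the posted one, with the masked xxx.xxx prefix replaced by documentation address space.

```python
import ipaddress
import re

# Constructed sample mirroring the posted PIX 6.3 NAT lines; 203.0.113.0/24
# is documentation space standing in for the masked xxx.xxx prefix.
SAMPLE_CONFIG = """
ip address outside 203.0.113.202 255.255.252.0
ip address inside 192.168.0.254 255.255.240.0
global (outside) 1 203.0.113.201 netmask 255.255.252.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 203.0.113.201 192.168.0.175 netmask 255.255.255.255 0 0
"""

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
# static (real_if,mapped_if) mapped_addr real_addr netmask ...
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")


def lint_pix_nat(config: str) -> list:
    """Return human-readable findings about global/static address conflicts."""
    interfaces, statics, findings = {}, {}, []
    lines = [l.strip() for l in config.splitlines()]
    # Pass 1: collect interface subnets and static mapped addresses.
    for line in lines:
        if m := IP_ADDR_RE.match(line):
            interfaces[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := STATIC_RE.match(line):
            statics[m[3]] = m[4]  # mapped address -> real (inside) address
    # Pass 2: check every global pool against what was collected.
    for line in lines:
        m = GLOBAL_RE.match(line)
        if not m:
            continue
        ifname, pool_id, addr = m[1], m[2], m[3]
        if addr == "interface":
            continue  # PAT on the interface address: no extra address to ARP for
        if addr in statics:
            findings.append(f"global ({ifname}) {pool_id} {addr} is also the "
                            f"static mapped address for {statics[addr]}")
        iface = interfaces.get(ifname)
        if iface and ipaddress.ip_address(addr) not in iface.network:
            findings.append(f"global address {addr} not within {ifname} "
                            f"subnet {iface.network}")
    return findings


if __name__ == "__main__":
    for finding in lint_pix_nat(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```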
cybernet99
join:2005-09-26 Delta, BC
Re: Problems with Pix 506e configuration

I had that in the back of my mind that I might need to get the ISP to log into their router and clear the ARP cache. I just couldn't see what it was that I was missing. I still might be missing something, but it looks ok.
Thanks for the reply, I'll give that a try later tonight.
Cheers,
Tim