Re: pix 501 config query

From: Martin Kayes (nospam@nospam.com)
Date: 08/20/02


From: "Martin Kayes" <nospam@nospam.com>
Date: Tue, 20 Aug 2002 08:53:49 +0100

Hi,

The default config for a PIX is to allow traffic initiated on the 'inside'
interface to flow to the 'outside' interface by doing not much more than
configuring IP addresses. Here are some pointers that might help;

1] Have you set up a 'nat 0' entry? Something like this: 'nat (inside) 0
192.168.10.0 255.255.255.0 0 0'. You will need this since you are
effectively not doing NAT on the PIX.

2] To run a traceroute from the outside to the inside you need to set up
conduits allowing UDP and ICMP (not TCP).

4] Once the PIX is configured okay there is no need for any conduits to be
configured unless you need to let something specific through from the
outside such as smtp to your mail server.

5] Are you using the Linux NAT/Router because it is something you really
want in place? The PIX can do the NAT & Routing for you if you want to
simplify the installation.

Let me know if you need any more help.

Regards,

Martin

"Network Data Solutions Ltd" <nobody@anywhere.com> wrote in message
news:u6V79.4207$Jb4.119533@newsfep2-gui...
> yo guys, i would really appreciate any help you can offer...
>
> here is a diagram - http://www.cyberneticsonline.co.uk/pix.jpg
>
> i am trying to set up pix 501 to route traffic out of but not into lan - no
> nat going on
>
> inside address is 192.168.10.0/24 outside address is 10.10.10.0/24
>
> outside address is 10.10.10.1 and i have a linux box at 10.10.10.2 (I have
> added a static route to the linux box to route 192.168.10.0 via 10.10.10.1
> (otherwise it would send it out ppp interface)
>
> for testing purposes i have added to pix config CONDUIT PERMIT TCP ANY ANY
>
> when i ping linux box eth interface from lan I get no response.. i have
> tried DEBUG ICMP TRACE on pix console but i only get REQUEST and not REPLY
> data - it seems like the linux box is not sending ping requests back to the
> pix although if i traceroute from linux box i see packet leave via eth0
>
> i have been trying on and off to get this thing working since MAY 2002!!
>
> anyone have any ideas? - anyone wanna see my pix config?
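The pointers in the reply above written out as a PIX 501 configuration, as an added example rather than anything Martin or the original poster posted; the interface names, the PIX inside address 192.168.10.1, the Linux box as default gateway and the mail server address are assumptions.

```text
! Constructed example for a PIX 501 running 6.x software (not the poster's
! actual config). Interface names, the inside address 192.168.10.1 and the
! Linux box as default gateway are assumptions.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 10.10.10.1 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
!
! Point 1]: exempt the inside network from translation. Without this the PIX
! builds no xlate for 192.168.10.0/24 and drops the outbound traffic.
nat (inside) 0 192.168.10.0 255.255.255.0 0 0
!
! Send everything else to the Linux router on the outside segment (assumption).
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
!
! Point 2]: by default PIX 6.x software does not track ICMP state, so the
! replies to an inside ping and the ICMP messages a traceroute relies on
! have to be permitted inbound explicitly.
conduit permit icmp any any echo-reply
conduit permit icmp any any time-exceeded
conduit permit icmp any any unreachable
! UDP probes of a traceroute run from the Linux box toward the inside network
! (classic traceroute uses destination ports 33434-33534).
conduit permit udp 192.168.10.0 255.255.255.0 range 33434 33534 host 10.10.10.2
!
! Point 4]: the blanket 'conduit permit tcp any any' added for testing is not
! needed once routing works. If one service must be reachable from outside,
! open only that port, e.g. SMTP to a single mail server (address assumed):
! conduit permit tcp host 192.168.10.25 eq smtp any
```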


