Firewall Wizards mailing list archives

RE: PIX 520 Help.....


From: "Payne, Patrick" <Patrick.Payne () Select com>
Date: Wed, 22 Aug 2001 09:57:36 -0400

I agree that the global statement should be changed as described below.  I
just wanted to add that, as of PIX 5.2, you actually can use the interface
address for the PAT address (Cisco terminology for a many to one NAT
address) in the global statement by using the new keyword "interface".
Syntax is now:

global [(if_name)] nat_id {global_ip [-global_ip] [netmask global_mask]} | interface

More details at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/config/commands.htm#xtocid1604925

Pat


Message: 9
From: "Sonya Gilly" <sgilly () servicom2000 com>
To: "R. Corona" <goniners () home com>, <firewall-wizards () nfr com>
Subject: RE: [fw-wiz] PIX 520 Help.....
Date: Tue, 21 Aug 2001 13:46:43 +0200

Hello Ross,

In the "global (outside) 1" command you need to configure the public IP
address you will use when going to Internet, something similar to the
following:

        global (outside) 1 65.8.165.xx

As Pixes can't do NAT with their own IP address, you will need an additional
address.

Hope this helps,
Sonya

-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com] On Behalf Of R. Corona
Sent: Monday, 20 August 2001 15:05
To: firewall-wizards () nfr com
Subject: [fw-wiz] PIX 520 Help.....


Hello,

Could anyone offer me a bit of advice?  I have a PIX-520 (PIX OS ver
5.1(2)) that I'm trying to get set up in a home lab (a work in progress).
Here is a rough diagram of my humble network topology.

Computer --------> Switch ---------> PIX 520-----------> Internet
192.168.1.25      no assigned IP    inside 192.168.1.1     65.8.168.1
255.255.255.0                                255.255.255.0     255.255.255.0
                                                   outside 65.8.168.98
                                                       255.255.255.0

I'm trying to be able to access the internet via NAT from my
192.168.1.25 box.  If I try pinging outside to the net I get no reply
whatsoever.  I am able to ping the PIX inside interface (192.168.1.1)
from my box (192.168.1.25).  I'm also able to ping from my PIX
(192.168.1.1) to my box (192.168.1.25).  Furthermore, when I console
into the PIX unit I can ping the internet (via outside interface) with
no problems.  I've copied my write t & icmp debug trace below, in hopes
that someone may be able to see what's keeping this from working.


----------------------------------

pixfirewall(config)# wr t
Building configuration...
: Saved
:
PIX Version 5.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 dmz2 security75
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_in permit icmp any any
access-list acl_out permit icmp any any
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
logging buffered debugging
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
ip address outside 65.8.165.98 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz1 192.168.2.1 255.255.255.0
ip address dmz2 192.168.3.1 255.255.255.0
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz1 0.0.0.0
failover ip address dmz2 0.0.0.0
arp timeout 14400
global (outside) 1 192.168.1.10-192.168.1.100 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 65.8.234.1 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp identity hostname
telnet timeout 5
terminal width 80
Cryptochecksum:f7e04a2f1b968e9d4be1ece9ef53fdd9
: end
[OK]

--------------------------

Debug icmp trace command

Outbound ICMP echo request (len 32 id 2 seq 3072) 192.168.1.25 > 192.168.1.10 > 4.2.2.1
Outbound ICMP echo request (len 32 id 2 seq 3328) 192.168.1.25 > 192.168.1.10 > 4.2.2.1
Outbound ICMP echo request (len 32 id 2 seq 3584) 192.168.1.25 > 192.168.1.10 > 4.2.2.1

--------------------------

If there's any other info that'd be helpful tell me please, I'll provide
it.

Everyone I really appreciate your help....

Thanks a lot,

Ross
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
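The two replies above make one point between them: a "global" pool has to be made of addresses that are routable on the outside segment (Sonya), and the only way to use the outside interface's own address is the "interface" keyword added in PIX 5.2 (Pat). Ross's config has the pool in 192.168.1.x, which the icmp trace confirms (192.168.1.25 is translated to 192.168.1.10 before leaving). The following Python check is an added example, not a Cisco tool or anything posted in the thread; it parses the "ip address" and "global" lines of a saved PIX config and reports pools that fall outside the interface's subnet or that overlap the interface's own address. The sample config embedded in it is a constructed excerpt modelled on the one Ross posted.

```python
import ipaddress
import re

# Constructed excerpt modelled on the PIX 5.1(2) config quoted in the thread.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 65.8.165.98 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 192.168.1.10-192.168.1.100 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

# global [(if_name)] nat_id {global_ip [-global_ip] [netmask mask]} | interface
GLOBAL_RE = re.compile(r"^global \((?P<if>\w+)\) (?P<id>\d+) (?P<pool>\S+)")


def parse_interfaces(config):
    """Map interface name -> IPv4Interface from 'ip address <if> <ip> <mask>' lines."""
    ifaces = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[:2] == ["ip", "address"]:
            ifaces[parts[2]] = ipaddress.IPv4Interface(f"{parts[3]}/{parts[4]}")
    return ifaces


def check_globals(config):
    """Return (nat_id, pool, problem) for every global pool that cannot work.

    A pool is accepted if it is the keyword 'interface' (PAT on the interface
    address, PIX 5.2 and later) or if every address in it lies inside the subnet
    configured on that interface and none of them is the interface's own address.
    """
    ifaces = parse_interfaces(config)
    problems = []
    for line in config.splitlines():
        m = GLOBAL_RE.match(line)
        if not m or m["pool"] == "interface":
            continue
        ifname, pool = m["if"], m["pool"]
        if ifname not in ifaces:
            problems.append((m["id"], pool, f"no ip address configured for {ifname}"))
            continue
        lo, _, hi = pool.partition("-")
        first, last = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi or lo)
        net, own = ifaces[ifname].network, ifaces[ifname].ip
        if first <= own <= last:
            problems.append((m["id"], pool, "pool includes the interface's own address; "
                                            "use the 'interface' keyword (PIX 5.2+)"))
        elif first not in net or last not in net:
            problems.append((m["id"], pool, f"not in {ifname} subnet {net}"))
    return problems
```

Running check_globals on the sample flags NAT id 1 because 192.168.1.10-192.168.1.100 is not in 65.8.165.0/24; the same pool rewritten as a public range, or as "global (outside) 1 interface" on a 5.2 box, passes.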
