Solved

NAT on cisco pix

Posted on 2007-10-09
Last Modified: 2010-04-09
Hi there,

I am using a Cisco PIX 506E as a firewall between a DSL router and my LAN. I would like to get out to the internet using a PC inside the LAN; the problem is, I can't ping the outside interface of the firewall from the PC, I can only ping the inside interface. I guess I need to set up NAT? Can someone help?

Thanks!

Here's the conf

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_access_in permit icmp any any echo-reply log
access-list inside_access_in permit tcp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.2 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Question by: aaresearch
 
Accepted Solution

by: lrmoore
ID: 20046238
>I can't ping the outside interface of the firewall from the PC
Correct, and you never will. This is a design "feature" of the PIX.

What you don't have is a default route out...
 route outside 0.0.0.0 0.0.0.0 192.168.1.1

And you can remove the acl from the interface
  no access-group inside_access_in in interface inside

You have restricted outgoing traffic to TCP only, whereas DNS uses UDP, so you have effectively blocked DNS. Default behavior is to allow all outgoing traffic without an ACL applied.
If you want to be able to ping hosts on the outside, add this:
 access-list icmp_in permit icmp any any echo-reply
 access-group icmp_in in interface outside

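The accepted answer's changes pulled together into one corrected configuration, as an added example that is not part of the original thread and not lrmoore's own text. It assumes the DSL router sits at 192.168.1.1 on the outside segment (the thread never confirms the router's address; lrmoore later guesses 192.168.1.254, so substitute whatever the router actually uses), keeps the PAT-to-interface pair the poster already had rather than the address pool added later in the thread, and adds two ICMP types beyond the answer's echo-reply so that traceroute and path-MTU discovery work. Comment lines use the PIX 6.x colon convention. The last line is a caveat the posted config invites rather than something the answer said: it ships the default read community `public`, which should be removed or replaced before the box faces the internet.

```cisco
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.2 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
: 1. Default route toward the DSL router. 192.168.1.1 is an assumption;
:    use the router's real LAN address.
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
: 2. PAT every inside host behind the outside interface address. This is
:    the pair the original config already contained; no pool is required.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
: 3. No access-group on inside: traffic from a higher-security interface to
:    a lower one is permitted by default, so UDP (DNS) is no longer dropped.
:    If an egress ACL is wanted later it must permit udp and icmp as well as
:    tcp, for example: access-list inside_access_in permit udp any any eq domain
: 4. Let ICMP replies back in for pings from the LAN. echo-reply is what the
:    answer specifies; unreachable and time-exceeded are added here so that
:    traceroute and PMTU discovery also work. Everything else from outside
:    stays denied by the implicit deny at the end of the list.
access-list icmp_in permit icmp any any echo-reply
access-list icmp_in permit icmp any any unreachable
access-list icmp_in permit icmp any any time-exceeded
access-group icmp_in in interface outside
: Caveat: the posted config carries the default SNMP read community.
: Remove it unless a poller on the inside genuinely needs it.
no snmp-server community public
```

To check the result from the PIX console before testing from a PC: `show route` should list the 0.0.0.0 route via the outside interface, `ping outside 192.168.1.1` (again, substitute the router's address) confirms layer-3 reachability from the firewall itself, and `show xlate` should show a PAT entry for the inside host's address after it sends traffic out. If the PIX cannot ping the router, the route and the NAT are not the problem and the outside addressing or the router is.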
 

Author Comment

by:aaresearch
ID: 20049732
Thanks for the comment lrmoore. I added those commands and still can't ping the router from the inside host. Any idea? Thanks
 

Expert Comment

by:lrmoore
ID: 20051153
I would suggest putting the router in bridge mode and letting the PIX get the public IP, but you should be able to get out. What is the router's IP supposed to be? 192.168.1.254? That is the IP that you should use as the route outside.
Can you ping the router from the PIX itself?

Author Comment

by:aaresearch
ID: 20052352
I had to add this command
global (outside) 1 192.168.1.2-192.168.1.254 netmask 255.255.255.0
it works now, thanks
 

Expert Comment

by:lrmoore
ID: 20052751
You should not have had to add that because you already have this, and it is all you need:
 global (outside) 1 interface
 

Author Comment

by:aaresearch
ID: 20055648
I think that did not work because it included the interface IP; maybe it was something else then.

Thanks