Simple config on Pix 501

We have a Cisco Pix 501 Firewall that needs to be configured for a testing network. We know a bit about firewall config and were nearly there, but for some reason the Pix went weird and now it doesn't work, can you help?

The network is the simplest scenario there is:

PC (192.168.11.2) ----------(192.168.11.1) PIX (XXX.XXX.XXX.42)------(XXX.XXX.XXX.46) Router

With the PC accessing the internet, that's all we want at the moment.
Easy, I hear you say, then why is the PIX not working!
Here are our inputs:

access-list inbound permit tcp any any                      
access-list inbound permit ip any any                                  
access-list inbound permit udp any any
access-list outbound permit icmp any any

ip address outside xxx.xxx.xxx.42 255.255.255.0                                      
ip address inside 192.168.11.1 255.255.255.0

access-group outbound in interface outside                              
access-group inbound in interface inside

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0  

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.46 1

dhcpd address 192.168.11.2-192.168.11.129 inside
dhcpd dns xxx.xxx.xxx.xxx <- our ISP DNS
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
Gaz3_11Asked:
 
LhasaIT Commented:
Make sure your interface is not shut down by default; check to see if you have the following command:

interface ethernet0 auto shutdown

If yes, do a "no shut" on it to bring it up.
Good luck
 
RPPreacherCommented:
Are you able to ping your router from the PIX?
Can you ping the pix from your LAN?
Are you getting a proper DHCP address on your LAN?
 
batry_boyCommented:
I believe that your intent with the following commands is to allow all outbound traffic through the PIX that originates from the 192.168.11.0/24 network:

access-list inbound permit tcp any any                      
access-list inbound permit ip any any                                  
access-list inbound permit udp any any
access-group inbound in interface inside

If this is correct, then I would just remove this ACL from the inside interface since all traffic is implicitly allowed from a higher security level interface to a lower security level interface by default:

no access-group inbound in interface inside

Also, add the following command and then try to ping your router from the PC at 192.168.11.2:

access-list outbound permit icmp any any echo-reply

See if this helps...
 
Gaz3_11Author Commented:
Thanks for the replies guys

The router is un-pingable anyway.

I cannot even ping the pix from the LAN.
The DHCP was working, then it wasn't, now it's working again!?

I added the echo-reply instead of the access-group and still no luck.

I also added:
http 192.168.11.0 255.255.255.0 inside - to get the pdm working but this does not work either
 
batry_boyCommented:
What do you see when you issue the command "show arp"?  Do you see the xxx.xxx.xxx.46 address of your default gateway?
 
Gaz3_11Author Commented:
Yes it was on auto shutdown, I changed it to just auto and the same to ethernet1, I put 100full.
Thanks LhasaIT I completely missed out those commands.
And thanks to everyone for trying.
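For reference, here is an added example (not posted by anyone in the thread) that pulls the fixes discussed above into one PIX 6.x-style configuration: interfaces brought up, the redundant inside ACL removed, and the outside ACL narrowed from "icmp any any" to the reply and error types inside hosts actually need (the unreachable and time-exceeded entries go slightly beyond what batry_boy suggested). It assumes PIX 6.x command syntax, keeps the xxx.xxx.xxx.N placeholders from the question, and the comment lines are explanatory only.

```cisco
! Added example, not from the original thread. Assumes PIX 6.x syntax;
! xxx.xxx.xxx.N are placeholders for the real public addresses.

! 1. Ports ship shut down; "auto" / "100full" without "shutdown" brings them up.
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100

ip address outside xxx.xxx.xxx.42 255.255.255.0
ip address inside 192.168.11.1 255.255.255.0

! 2. No ACL on the inside interface: inside (security100) to outside
!    (security0) is permitted by default, so the "inbound" list only adds
!    a place to make mistakes.
no access-group inbound in interface inside

! 3. On the outside interface, permit only the ICMP replies and errors that
!    inside hosts need; everything else arriving from the Internet is dropped
!    by the implicit deny at the end of the list.
no access-list outbound permit icmp any any
access-list outbound permit icmp any any echo-reply
access-list outbound permit icmp any any unreachable
access-list outbound permit icmp any any time-exceeded
access-group outbound in interface outside

! 4. PAT every inside host behind the outside interface address; default
!    route points at the router's address from the question.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.46 1

! 5. DHCP for the LAN, unchanged from the original post.
dhcpd address 192.168.11.2-192.168.11.129 inside
dhcpd dns xxx.xxx.xxx.xxx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside

! 6. PDM needs the HTTP server enabled as well as the access statement,
!    and management access should only be reachable from the inside network.
http server enable
http 192.168.11.0 255.255.255.0 inside
```

After applying it, "show interface" should report both ports as up, and "show arp" should list the xxx.xxx.xxx.46 gateway once traffic has been sent through the outside interface.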