Simple config on Pix 501

We have a Cisco Pix 501 Firewall that needs to be configured for a testing network. We know a bit about firewall config and were nearly there, but for some reason the Pix went weird and now it doesn't work. Can you help?

The network is the simplest scenario there is:

PC (192.168.11.2) ----------(192.168.11.1) PIX (XXX.XXX.XXX.42)------(XXX.XXX.XXX.46) Router

With the PC accessing the internet, that's all we want at the moment.
Easy, I hear you say, then why is the Pix not working!
Here are our inputs:

access-list inbound permit tcp any any                      
access-list inbound permit ip any any                                  
access-list inbound permit udp any any
access-list outbound permit icmp any any

ip address outside xxx.xxx.xxx.42 255.255.255.0                                      
ip address inside 192.168.11.1 255.255.255.0

access-group outbound in interface outside                              
access-group inbound in interface inside

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0  

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.46 1

dhcpd address 192.168.11.2-192.168.11.129 inside
dhcpd dns xxx.xxx.xxx.xxx <- our ISP DNS
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
Gaz3_11 Asked:

RPPreacher Commented:
Are you able to ping your router from the PIX?
Can you ping the pix from your LAN?
Are you getting a proper DHCP address on your LAN?
batry_boy Commented:
I believe that your intent with the following commands is to allow all outbound traffic through the PIX that originates from the 192.168.11.0/24 network:

access-list inbound permit tcp any any                      
access-list inbound permit ip any any                                  
access-list inbound permit udp any any
access-group inbound in interface inside

If this is correct, then I would just remove this ACL from the inside interface since all traffic is implicitly allowed from a higher security level interface to a lower security level interface by default:

no access-group inbound in interface inside

Also, add the following command and then try to ping your router from the PC at 192.168.11.2:

access-list outbound permit icmp any any echo-reply

See if this helps...
Gaz3_11 (Author) Commented:
Thanks for the replies guys

The router is un-pingable anyway.

I cannot even ping the pix from the LAN.
The DHCP was working, then it wasn't, now it's working again!?

I added the echo-reply instead of the access-group and still no luck.

I also added:

http 192.168.11.0 255.255.255.0 inside

to get the PDM working, but this does not work either.
LhasaIT Commented:
Make sure your interface is not shut down by default; check to see if you have the following command:

interface ethernet0 auto shutdown

If yes, do a "no shut" on it to bring it up.
Good luck
batry_boy Commented:
What do you see when you issue the command "show arp"?  Do you see the xxx.xxx.xxx.46 address of your default gateway?
Gaz3_11 (Author) Commented:
Yes, it was on auto shutdown. I changed it to just auto, and the same for ethernet1, where I put 100full.
Thanks LhasaIT I completely missed out those commands.
And thanks to everyone for trying.
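As an added example (not from the thread or from Cisco), a small Python check that scans a PIX 6.x-style config for the three things this thread turns up: an interface left in shutdown, a redundant permit-all ACL bound to the inside interface, and an overly broad ICMP permit on the outside interface where only echo-reply is needed for LAN pings. The sample config is constructed to mirror the one posted above, with the public addresses masked as in the original; the regexes and finding wording are my own.

```python
import re

# Constructed sample modelled on the PIX 501 config posted in the thread
# (public addresses masked with placeholders, as in the original post).
SAMPLE_CONFIG = """
interface ethernet0 auto shutdown
interface ethernet1 100full
access-list inbound permit tcp any any
access-list inbound permit ip any any
access-list inbound permit udp any any
access-list outbound permit icmp any any
access-group outbound in interface outside
access-group inbound in interface inside
"""


def lint_pix_config(text):
    """Return findings for the three pitfalls this thread ends up covering."""
    findings = []
    acls = {}    # ACL name -> list of "proto src dst [type]" rule strings
    bound = {}   # interface name -> ACL name applied with "in"
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = re.match(r"interface (\S+) .*\bshutdown\b", line)
        if m:
            findings.append(f"{m.group(1)}: interface is shut down; needs 'no shutdown'")
            continue
        m = re.match(r"access-list (\S+) permit (.+)", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = re.match(r"access-group (\S+) in interface (\S+)", line)
        if m:
            bound[m.group(2)] = m.group(1)
    # inside -> outside is already allowed by the security levels, so a
    # permit-all ACL on the inside interface adds nothing and hides intent.
    inside_acl = bound.get("inside")
    if inside_acl and "ip any any" in acls.get(inside_acl, []):
        findings.append(f"inside: ACL '{inside_acl}' permits ip any any; "
                        f"remove it with 'no access-group {inside_acl} in interface inside'")
    # outside -> inside must be permitted explicitly; 'icmp any any' admits
    # every ICMP type, far more than the echo-reply a LAN ping needs back.
    outside_acl = bound.get("outside")
    for rule in acls.get(outside_acl, []):
        if rule == "icmp any any":
            findings.append(f"outside: ACL '{outside_acl}' permits all ICMP; "
                            "narrow it to 'icmp any any echo-reply'")
    return findings
```

Running `lint_pix_config(SAMPLE_CONFIG)` reports all three issues; after applying the thread's fixes (no shutdown, drop the inside ACL, restrict ICMP to echo-reply) it returns an empty list.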