Solved

PIX 501 behind Cisco 2600- Can't Ping inside IP

Posted on 2009-02-13
Medium Priority
767 Views
Last Modified: 2012-06-21
Internet -->2600 -->PIX501-->switch--> LAN
I want to be able to set up IP NAT on the router for two of my servers on my internal network that is behind the PIX; however, I am struggling with not being able to ping those servers from my C2600 router.

I am able to get out to the Internet  


Router
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ROUTER1
!
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 64.xx.xx.xxx 255.255.255.240
 ip broadcast-address 64.xx.xx.xx
 ip nat outside
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 172.16.0.1 255.255.255.252
 ip broadcast-address 172.16.0.3
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 10 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 64.xxx.xxx.xxx
ip route 172.16.1.0 255.255.255.192 172.16.0.2
ip route 172.16.1.0 255.255.255.192 172.16.1.1
no ip http server
!
access-list 10 permit 172.16.1.0 0.0.0.255
access-list 10 permit 172.16.0.0 0.0.0.255
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
 password 7 
 login
 speed 115200
line aux 0
 password 7 
 login
line vty 0 4
 password 7 
 login
!
end
 
---------------------------------------------------------------------------------------------------------
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Xa40Nt0afIZZLC2N encrypted
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list allow_inbound permit tcp any interface outside eq 33
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 172.16.0.2 255.255.255.252
ip address inside 172.16.1.1 255.255.255.192
ip audit info action alarm
ip audit attack action alarm
pdm location 172.16.1.0 255.255.255.192 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.192 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.1.0 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.16.1.2-172.16.1.20 inside
dhcpd dns 172.16.1.52 172.16.1.55
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:b3e04a8e137e34d67a6710cb0433d980

Question by:Wayne-
35 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23635154
Since you are doing PAT on the PIX as well, ICMP to the inside is not possible.  You can either disable PAT on the PIX and let the router directly connect to the 172.16.1.0 subnet.  If you want to continue to use PAT on the PIX, you will need to set up a static NAT on the router translating to the outside IP of the PIX and then set up a static on the PIX as well to the real IP address.
0
 

Author Comment

by:Wayne-
ID: 23635418
When I disable PAT on the PIX, will I need to set up a static route on my firewall to the public IP on the router for my internal users to get out to the Internet?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23635521
No, you will need to add a static to let the real IPs go through to the router, and the router already has a route to the 172.16.1.0 subnet.  I don't see it in the config but it must have a default route if you are working now.  Does it have this: "route outside 0.0.0.0 0.0.0.0 172.16.0.1"?


To change from PAT to NAT on PIX:

static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.192
no global (outside) 1 interface                            
no nat (inside) 1 172.16.1.0 255.255.255.192 0

Also, add an access-list to the PIX to allow ICMP and the inbound connections to the server.

access-list allow_inbound permit icmp any any
access-list allow_inbound permit tcp any host 172.16.1.x eq 80   <--or whatever port

access-group allow_inbound in interface outside

Then, on the router, add the NAT statement:

conf t
ip nat inside source static tcp 172.16.1.x 80 interface FastEthernet0/0 80   <--or whatever port
0
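The two comments above describe why the router cannot ping an inside host while the PIX does PAT, and what changes: with `global`/`nat` the PIX only creates many-to-one translations for flows that start on the inside, so a new flow arriving on the outside interface for 172.16.1.x has no translation to land on; the identity `static (inside,outside) 172.16.1.0 172.16.1.0 ...` gives every inside address a 1:1 translation, and the `access-list allow_inbound` applied `in interface outside` is still required because outside-to-inside flows are denied by default. The following Python model is an added example written for this page (it is not PIX code and not something either participant posted); it only encodes those rules for the addresses in the posted configs and the protocol labels `"icmp"` and `"tcp/3389"`, which are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the PIX 6.3 behaviour discussed in the thread; not PIX code.
# Addresses come from the posted configs: PIX outside 172.16.0.2/30 (facing the
# router's 172.16.0.1), PIX inside 172.16.1.1/26 in front of the 172.16.1.0/26 LAN.
INSIDE_NET = ipaddress.ip_network("172.16.1.0/26")
PIX_OUTSIDE_IP = "172.16.0.2"


@dataclass
class PixModel:
    # global (outside) 1 interface + nat (inside) 1 172.16.1.0 255.255.255.192 0 0
    pat: bool
    # static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.192
    identity_static: bool
    # protocols permitted by 'access-list allow_inbound' applied 'in interface outside'
    # (labels such as "icmp" / "tcp/3389" are an assumption of this model)
    acl_permits: frozenset = frozenset()
    # active translations: (global_ip, proto, ident) -> inside_ip
    xlates: dict = field(default_factory=dict)

    def outbound(self, src, proto, ident):
        """Inside -> outside. Returns the source as the router sees it, or None if no NAT rule applies."""
        if ipaddress.ip_address(src) not in INSIDE_NET:
            return None
        if self.identity_static:
            self.xlates[(src, proto, ident)] = src              # 1:1, address unchanged
            return src
        if self.pat:
            self.xlates[(PIX_OUTSIDE_IP, proto, ident)] = src   # many:1 on the outside interface IP
            return PIX_OUTSIDE_IP
        return None                                             # no translation group: dropped

    def inbound(self, dst, proto, ident, reply=False):
        """Outside -> inside. Returns the inside destination, or None if the PIX drops the packet."""
        if reply:
            # Return traffic rides the xlate the outbound packet created; no ACL needed.
            return self.xlates.get((dst, proto, ident))
        # A new outside-initiated flow needs a static translation for dst AND an outside ACL permit.
        if self.identity_static and ipaddress.ip_address(dst) in INSIDE_NET and proto in self.acl_permits:
            return dst
        return None


def outside_can_reach(pix, target, proto):
    """New flow from the router/Internet side to an inside host (e.g. the router's ping)."""
    return pix.inbound(target, proto, ident=1) == target


def inside_host_can_ping_internet(pix, host):
    """Echo out from an inside host, then the echo-reply back through the xlate it created."""
    global_src = pix.outbound(host, "icmp", ident=7)
    if global_src is None:
        return False
    return pix.inbound(global_src, "icmp", ident=7, reply=True) == host


if __name__ == "__main__":
    pat_only = PixModel(pat=True, identity_static=False)
    fixed = PixModel(pat=False, identity_static=True, acl_permits=frozenset({"icmp", "tcp/3389"}))
    for name, pix in (("PAT only", pat_only), ("identity static + ACL", fixed)):
        print(f"{name}: router ping 172.16.1.52 -> {outside_can_reach(pix, '172.16.1.52', 'icmp')}, "
              f"inside host out -> {inside_host_can_ping_internet(pix, '172.16.1.52')}")
```

Running it shows the two halves of the advice: outbound browsing works in both modes, but the router's echo to 172.16.1.52 only succeeds once the identity static exists and ICMP is permitted on the outside interface; a static without the ACL (or an ACL without the static) still drops it. The same check with `"tcp/3389"` is the RDP case that comes up later in the thread.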
 

Author Comment

by:Wayne-
ID: 23635644
Yes, it does have a default route to that IP.


pixfirewall(config)#  show route
        outside 0.0.0.0 0.0.0.0 172.16.0.1 1 OTHER static
        outside 172.16.0.0 255.255.255.252 172.16.0.2 1 CONNECT static
        inside 172.16.1.0 255.255.255.192 172.16.1.1 1 CONNECT static
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23635665
Yeah, I figured.  The above config should work to allow access to the server as well as allow you to ping from the router to the LAN systems.
0
 

Author Comment

by:Wayne-
ID: 23635673
Is there a command to disable PAT on the PIX?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23635691
static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.192
no global (outside) 1 interface                            
no nat (inside) 1 172.16.1.0 255.255.255.192 0
0
 

Author Comment

by:Wayne-
ID: 23635787
access-list allow_inbound permit tcp any host 172.16.1.x eq 80  <--or whatever port
Should this be the IP of the server that I'm trying to reach, or should that be the starting IP address of my subnet (as well on the router)?
Then, on the router, add the NAT statement:

conf t
ip nat inside source static tcp 172.16.1.x 80 interface FastEthernet0/0 80   <--or whatever port
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23635796
Yes. 172.16.1.x is the server IP address.  Yes, same on the router.
0
 

Author Comment

by:Wayne-
ID: 23635959
Now that I've done that, is it OK to do
ip nat inside source static <private IP> <public IP> ... so that I can make the server accessible from the Internet?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23635970
Yeah, use the fa0/0 interface for the public IP though like this:

ip nat inside source static tcp 172.16.1.x 80 interface FastEthernet0/0 80
0
 

Author Comment

by:Wayne-
ID: 23636258
so I should write
Private ip 172.16.1.52
Public IP 64.XX.XX.XX

ip nat inside source static tcp 172.16.1.52  64.xx.xx.xx 80 interface FastEthernet0/0 80
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23636320
Actually, like this:

ip nat inside source static tcp 172.16.1.52 80 interface FastEthernet0/0 80
0
 

Author Comment

by:Wayne-
ID: 23636412
I'm a little confused. I have a pool of public IPs that I need to NAT: 64.xx.xx.xx - 64.xx.xx.xx /28.
I need to NAT out the Exchange server with a public IP to get mail through.
I need to NAT out the VPN server to allow connections from the outside.

If I do (ip nat inside source static tcp 172.16.1.52 80 interface FastEthernet0/0 80), how will it know which public IP to send packets to?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23636441
Ahh, okay, sorry.  I thought you only had the one IP :)

Then, yes, you are correct:

ip nat inside source static tcp 172.16.1.52 64.xx.xx.xx  <--free IP
ip nat inside source static tcp 172.16.1.x 64.xx.xx.yy  <--another free IP
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23636452
Oops, copy/paste error:

ip nat inside source static 172.16.1.52 64.xx.xx.xx  <--free IP
ip nat inside source static 172.16.1.x 64.xx.xx.yy  <--another free IP
0
 

Author Comment

by:Wayne-
ID: 23636685
Not sure if I'm doing something wrong. I have NATed that one private address to a public address:
ip nat inside source static 172.16.1.52 64.xx.xx.xx
That one server is not able to get out to the Internet and I am not able to ping that public IP from the outside.

All other computers are still able to get out to the Internet, but not that one server, 172.16.1.52.

Do I need to do something on the firewall also?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23636720
Can you post the current configs?
0
 

Author Comment

by:Wayne-
ID: 23636866
ROUTER---------
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ROUTER1
!
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 64.18.xx.xx 255.255.255.240
 ip broadcast-address 64.18.xx.xx
 ip nat outside
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 172.16.0.1 255.255.255.252
 ip broadcast-address 172.16.0.3
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 10 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 64.18.xx.xx
ip route 172.16.1.0 255.255.255.192 172.16.0.2
ip route 172.16.1.0 255.255.255.192 172.16.1.1
no ip http server
!
access-list 10 permit 172.16.1.0 0.0.0.255
access-list 10 permit 172.16.0.0 0.0.0.255
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
 password 7
 login
 speed 115200
line aux 0
 password 7
 login
line vty 0 4
 password 7
 login

________________________________________________________________________________
PIX
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Xa40Nt0afIZZLC2N encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list allow_inbound permit tcp any interface outside eq 3389
pager lines 24
icmp permit any traceroute outside
icmp permit any outside
icmp permit any echo-reply outside
ip address inside 172.16.1.1 255.255.255.192
ip audit info action alarm
ip audit attack action alarm
pdm location 172.16.1.0 255.255.255.192 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.192 0 0
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
timeout xlate 3:00:00
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.1.0 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.16.1.2-172.16.1.20 inside
dhcpd dns 172.16.1.52 172.16.1.55
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:b3e04a8e137e34d67a6710cb0433d980
pixfirewall(config)#

!_______________________________________________________________________________
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23636884
Is that your new config?  It looks the same as the old...
0
 

Author Comment

by:Wayne-
ID: 23636899
When I take out the config line   ip nat inside source static 172.16.1.52 64.xx.xx.xx   I am able to get to the outside again.
0
 

Author Comment

by:Wayne-
ID: 23636927
That is the new one. I didn't change anything on the router but that one thing you said:
Then, on the router, add the NAT statement:

conf t
ip nat inside source static tcp 172.16.1.x 80 interface FastEthernet0/0 80   <--or whatever port
0
 

Author Comment

by:Wayne-
ID: 23636951
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname TNGROUTER1
!
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 64.xx.xx.xx 255.255.255.240
 ip broadcast-address 64.1xx.xx.xx
 ip nat outside
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 172.16.0.1 255.255.255.252
 ip broadcast-address 172.16.0.3
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 10 interface FastEthernet0/0 overload
ip nat inside source static tcp 172.16.1.52 3389 interface FastEthernet0/0 3389
ip nat inside source static tcp 172.16.1.61 25 interface FastEthernet0/0 80
ip nat inside source static 172.16.1.15 64.183.219.77
ip classless
ip route 0.0.0.0 0.0.0.0 64.183.219.65
ip route 172.16.1.0 255.255.255.192 172.16.0.2
ip route 172.16.1.0 255.255.255.192 172.16.1.1
no ip http server
!
access-list 10 permit 172.16.1.0 0.0.0.255
access-list 10 permit 172.16.0.0 0.0.0.255
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
 password 7 131112110302013D3
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23636988
Please post the current PIX config also.  You made the PAT changes, right?  Also, what servers and what ports do you want to be accessible from the outside?
0
 

Author Comment

by:Wayne-
ID: 23637036
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Xa40Nt0afIZZLC2N encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list allow_inbound permit tcp any interface outside eq 3389
access-list allow_inbound permit icmp any any
access-list allow_inbound permit tcp any host 172.16.1.0 eq www
access-list allow_inbound permit tcp any host 172.16.1.61 eq smtp
access-list allow_ping permit icmp any any echo-reply
access-list allow_ping permit icmp any any source-quench
access-list allow_ping permit icmp any any time-exceeded
pager lines 24
icmp permit any traceroute outside
icmp permit any outside
icmp permit any echo-reply outside
icmp permit any router-solicitation outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 172.16.0.2 255.255.255.252
ip address inside 172.16.1.1 255.255.255.192
ip audit info action alarm
ip audit attack action alarm
pdm location 172.16.1.0 255.255.255.192 inside
pdm history enable
arp timeout 14400
access-group allow_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.1.0 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.16.1.2-172.16.1.20 inside
dhcpd dns 172.16.1.52 172.16.1.55
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:2e7ae916b901b088258a8ec0d66ad87b
0
 

Author Comment

by:Wayne-
ID: 23637055
I was needing:
server 172.16.1.61 port 25
server 172.16.1.52 port 3389
server 72.16.1.51 port 1723
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23637081
Okay, maybe it just didn't show up in the post but is this in your config:

static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.192

If not, add this:

conf t
static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.192
access-list allow_inbound permit tcp any host 172.16.1.52 eq 3389

On the router:

no ip nat inside source static tcp 172.16.1.52 3389 interface FastEthernet0/0 3389
ip nat inside source static 172.16.1.52 64.xx.xx.76   <--or a free IP in your pool to dedicate to .52

With these changes, you should be able to access the 172.16.1.52 server from the outside via RDP.

0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 2000 total points
ID: 23637102
For the other servers:

access-list allow_inbound permit tcp any host 172.16.1.51 eq 1723
access-list allow_inbound permit gre any host 172.16.1.51

On the router:

conf t
no ip nat inside source static tcp 172.16.1.61 25 interface FastEthernet0/0 80
no ip nat inside source static 172.16.1.15 64.183.219.77

ip nat inside source static 172.16.1.61 64.xx.xx.75
ip nat inside source static 172.16.1.51 64.xx.xx.77
0
 

Author Comment

by:Wayne-
ID: 23637871
Still not able to ping or RDP into the server. Posting config:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Xa40Nt0afIZZLC2N encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list allow_inbound permit tcp any interface outside eq 3389
access-list allow_inbound permit icmp any any
access-list allow_inbound permit tcp any host 172.16.1.0 eq www
access-list allow_inbound permit tcp any host 172.16.1.61 eq smtp
access-list allow_inbound permit tcp any host 172.16.1.52 eq 3389
access-list allow_ping permit icmp any any echo-reply
access-list allow_ping permit icmp any any source-quench
access-list allow_ping permit icmp any any time-exceeded
pager lines 24
icmp permit any traceroute outside
icmp permit any outside
icmp permit any echo-reply outside
icmp permit any router-solicitation outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 172.16.0.2 255.255.255.252
ip address inside 172.16.1.1 255.255.255.192
ip audit info action alarm
ip audit attack action alarm
pdm location 172.16.1.0 255.255.255.192 inside
pdm history enable
static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.192 0 0
access-group allow_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.1.0 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.16.1.2-172.16.1.20 inside
dhcpd dns 172.16.1.52 172.16.1.55
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:21067eff6ff420fc62d1e64b46c59dfa
pixfirewall(config)#

-----------------------------------------------------

version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname TNGROUTER1
!
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 64.xx.xx.66 255.255.255.240
 ip broadcast-address 64.xx.xx.79
 ip nat outside
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 172.16.0.1 255.255.255.252
 ip broadcast-address 172.16.0.3
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 10 interface FastEthernet0/0 overload
ip nat inside source static 172.16.1.52 64.xx.xx.68
ip classless
ip route 0.0.0.0 0.0.0.0 64.xx.xx.xx
ip route 172.16.1.0 255.255.255.192 172.16.0.2
ip route 172.16.1.0 255.255.255.192 172.16.1.1
no ip http server
!
access-list 10 permit 172.16.1.0 0.0.0.255
access-list 10 permit 172.16.0.0 0.0.0.255
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
 password 7
 login
 speed 115200
line aux 0
 password 7
 login
line vty 0 4
 password 7
 login
!
end

TNGROUTER1#
0
 

Author Comment

by:Wayne-
ID: 23637970
I am able to ping from the router but not from the outside
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.61, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
TNGROUTER1#ping 64.xx.xx.68

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 64.xx.xx.68, timeout is 2 seconds:
!!!!!
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23638635
The config looks okay.  You can RDP to 172.16.1.52 from the inside, right?  

Are you able to browse the Internet from the 172.16.1.52 machine?  If so, connect to http://www.whatismyip.com and make sure it returns the 64.xx.xx.68 address.
0
 

Author Comment

by:Wayne-
ID: 23638831
Yes, I can RDP from the inside but cannot from the outside.
When I ping the public IP from the PIX I get no response.

pixfirewall(config)# ping 64.183.219.68
        64.xxx.xxx.68 NO response received -- 1000ms
        64.xxx.xxx.68 NO response received -- 1000ms
        64.xxx.xxx.68 NO response received -- 1000ms
pixfirewall(config)# ping 172.16.1.52
        172.16.1.52 response received -- 0ms
        172.16.1.52 response received -- 0ms
        172.16.1.52 response received -- 0ms
pixfirewall(config)#
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23638865
Yeah, that is normal, you won't be able to from the PIX.

Are you able to browse the Internet from the 172.16.1.52 machine?  If so, connect to http://www.whatismyip.com and make sure it returns the 64.xx.xx.68 address.
0
 

Author Comment

by:Wayne-
ID: 23638871
Not sure what happened. I took the config out and put it back in, and it seems to be working now.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23638878
Excellent.
0
