Solved

Pix 515 Can't ping outside of the LAN

Posted on 2009-04-08
Medium Priority
1,007 Views
Last Modified: 2012-05-06
I have a client who has a PIX 515 that I didn't set up. I am pretty rusty with my Cisco skills. I was trying to open a port for their new BES. Now, I have discovered that I can't ping anything outside of the LAN. I am not sure if I set up the BES port correctly either. I added it to an access-list. Below is the config.
domain-name domain.com
enable password ZL*******20n encrypted
names
!
interface Ethernet0
 speed 10
 duplex half
 nameif outside
 security-level 0
 ip address 12.x.x.195 255.255.255.240
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.1.55.3 255.255.255.0
!
interface Ethernet2
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 192.168.233.1 255.255.255.0
!
passwd ********** encrypted
boot system flash:/pix711.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.com
access-list 101 extended permit ip 192.168.233.0 255.255.255.0 10.1.55.0 255.255.255.0
access-list 100 extended permit ip 10.1.55.0 255.255.255.0 192.168.233.0 255.255.255.0
access-list 100 extended permit ip 10.1.55.0 255.255.255.0 10.1.254.0 255.255.255.0
access-list split_tunnel extended permit ip 10.1.55.0 255.255.255.0 10.1.254.0 255.255.255.0
access-list outside_in extended permit gre host 208.x.x.130 host 64.x.x.40
access-list outside_in extended permit gre host 208.x.x.130 host 64.x.x.41
access-list outside_in extended permit gre host 208.x.x.130 host 64.x.x.42
access-list outside_in extended permit gre host 208.x.x.130 host 64.x.x.43
access-list outside_in extended permit gre host 208.x.x.130 host 64.x.x.44
access-list outside_in extended permit gre host 208.x.x.130 host 64.x.x.45
access-list outside_in extended permit gre host 208.x.x.130 host 64.x.x.46
access-list outside_in extended permit gre host 208.x.x.130 host 64.x.x.47
access-list outside_in extended permit gre host 208.x.x.130 host 64.x.x.48
access-list outside_in extended permit gre host 208.x.x.130 host 64.x.x.49
access-list outside_in extended permit gre host 208.x.x.130 host 64.x.x.50
access-list outside_in extended permit tcp host 208.x.x.130 host x.x.64.40 eq pptp
access-list outside_in extended permit tcp host 208.x.x.130 host 64.x.x.41 eq pptp
access-list outside_in extended permit tcp host 208.x.x.130 host 64.x.x.42 eq pptp
access-list outside_in extended permit tcp host 208.x.x.130 host 64.x.x.43 eq pptp
access-list outside_in extended permit tcp host 208.x.x.130 host 64.x.x.44 eq pptp
access-list outside_in extended permit tcp host 208.x.x.130 host 64.x.x.45 eq pptp
access-list outside_in extended permit tcp host 208.x.x.130 host 64.x.x.46 eq pptp
access-list outside_in extended permit tcp host 208.x.x.130 host 64.x.x.47 eq pptp
access-list outside_in extended permit tcp host 208.x.x.130 host 64.x.x.48 eq pptp
access-list outside_in extended permit tcp host 208.x.x.130 host 64.x.x.49 eq pptp
access-list outside_in extended permit tcp host 208.x.x.130 host 64.x.x.50 eq pptp
access-list outside_in extended permit gre host 208.x.x.130 host 64.x.x.51
access-list outside_in extended permit tcp host 208.x.x.130 host 64.x.x.51 eq pptp
access-list outside_in extended permit gre host 208.x.x.130 host 64.x.x.52
access-list outside_in extended permit tcp host 208.x.x.130 host 64.x.x.52 eq pptp
access-list outside_in extended permit tcp any host 12.x.x.194 eq 3400
access-list outside_in extended permit tcp any host 12.x.x.194 eq pptp
access-list outside_in extended permit tcp any host 12.x.x.194 eq 3389
access-list outside_in extended permit tcp any host 12.x.x.194 eq https
access-list outside_in extended permit tcp any host 12.x.x.194 eq www
access-list outside_in extended permit tcp any host 12.x.x.194 eq smtp
access-list outside_in extended permit tcp any host 12.x.x.194 range 3390 3409
access-list outside_in extended permit tcp any host 12.x.x.194 eq ftp
access-list outside_in extended permit tcp any host 12.x.x.196 eq citrix-ica
access-list outside_in extended permit tcp any host 12.x.x.196 eq www
access-list outside_in extended permit udp any host 12.x.x.196 eq 1604
access-list outside_in extended permit tcp any host 12.x.x.194 eq 1755
access-list outside_in extended permit tcp any host 12.x.x.194 eq 7007
access-list outside_dmz extended permit tcp 192.168.233.0 255.255.255.0 host 10.1.55.253 eq citrix-ica
access-list outside_dmz extended permit udp 192.168.233.0 255.255.255.0 host 10.1.55.253 eq 1604
access-list outside_dmz extended permit tcp 192.168.233.0 255.255.255.0 host 10.1.55.253 eq www
access-list outside_dmz extended permit icmp 192.168.233.0 255.255.255.0 host 10.1.55.253
access-list outside_dmz extended deny ip 192.168.233.0 255.255.255.0 10.1.55.0 255.255.255.0
access-list outside_dmz extended permit ip any any
access-list outbound extended permit icmp any any
access-list outbound extended permit ip any any
access-list outbound extended permit tcp any host 204.x.x.33 eq 3101
access-list outbound extended permit tcp any host 204.x.x.33 eq 3101
access-list outbound extended permit tcp any any eq 3101
access-list outbound extended permit tcp any any
access-list outbound extended permit tcp any any eq ftp
access-list inside,outside extended permit tcp any host 10.1.55.249
access-list inside_outside extended permit tcp any any
pager lines 14
logging enable
logging buffered debugging
logging trap debugging
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool RiverCatPool 10.1.254.1-10.1.254.254
ip verify reverse-path interface inside
ip audit info action drop
ip audit attack action drop
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 2 12.25.190.194 netmask 255.255.255.240
nat (inside) 0 access-list 100
nat (inside) 1 10.0.0.0 255.0.0.0
nat (DMZ) 0 access-list 101
nat (DMZ) 1 192.168.233.0 255.255.255.0
static (inside,outside) tcp 12.x.x.194 3389 10.1.55.249 3389 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 pptp 10.1.55.254 pptp netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3390 10.1.55.220 3390 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3400 10.1.55.230 3400 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3391 10.1.55.221 3391 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3392 10.1.55.222 3392 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3393 10.1.55.223 3393 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3394 10.1.55.224 3394 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3395 10.1.55.225 3395 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3396 10.1.55.226 3396 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3397 10.1.55.227 3397 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3398 10.1.55.228 3398 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3399 10.1.55.229 3399 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3401 10.1.55.231 3401 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3402 10.1.55.232 3402 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3403 10.1.55.233 3403 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3404 10.1.55.234 3404 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3405 10.1.55.235 3405 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3406 10.1.55.236 3406 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3407 10.1.55.237 3407 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3408 10.1.55.238 3408 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3409 10.1.55.239 3409 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 ftp 10.1.55.251 ftp netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 smtp 10.1.55.249 smtp netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 www 10.1.55.249 www netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 https 10.1.55.249 https netmask 255.255.255.255
static (DMZ,outside) 64.x.x.40 192.168.233.100 netmask 255.255.255.255
static (DMZ,outside) 64.x.x.41 192.168.233.101 netmask 255.255.255.255
static (DMZ,outside) 64.x.x.42 192.168.233.102 netmask 255.255.255.255
static (DMZ,outside) 64.x.x.43 192.168.233.103 netmask 255.255.255.255
static (DMZ,outside) 64.x.x.44 192.168.233.104 netmask 255.255.255.255
static (DMZ,outside) 64.x.x.45 192.168.233.105 netmask 255.255.255.255
static (DMZ,outside) 64.x.x.46 192.168.233.106 netmask 255.255.255.255
static (DMZ,outside) 64.x.x.47 192.168.233.107 netmask 255.255.255.255
static (DMZ,outside) 64.x.x.48 192.168.233.108 netmask 255.255.255.255
static (DMZ,outside) 64.x.x.49 192.168.233.109 netmask 255.255.255.255
static (DMZ,outside) 64.x.x.50 192.168.233.110 netmask 255.255.255.255
static (DMZ,outside) 64.x.x.51 192.168.233.111 netmask 255.255.255.255
static (DMZ,outside) 64.x.x.52 192.168.233.112 netmask 255.255.255.255
static (inside,outside) 12.x.x.196 10.1.55.253 netmask 255.255.255.255
access-group outside_in in interface outside
access-group outbound in interface inside
access-group outside_dmz in interface DMZ
route outside 0.0.0.0 0.0.0.0 12.x.x.193 1
route outside 192.168.8.0 255.255.254.0 64.x.x.55 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy group internal
group-policy group attributes
 vpn-idle-timeout 30
group-policy **** internal
group-policy **** attributes
 wins-server value 10.1.55.254
 dns-server value 10.1.55.254
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec transform-set *******Set esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set *******Set
crypto map *******Map 10 ipsec-isakmp dynamic dynmap
crypto map *******Map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) none
tunnel-group ******* type ipsec-ra
tunnel-group ******* general-attributes
 address-pool *******Pool
 authentication-server-group (outside) none
 default-group-policy *******
tunnel-group *******ipsec-attributes
 pre-shared-key *
tunnel-group group type ipsec-ra
tunnel-group group general-attributes
 authentication-server-group (outside) none
 default-group-policy group
telnet 10.1.55.0 255.255.255.0 inside
telnet timeout 20
ssh 0.0.0.0 0.0.0.0 outside
ssh 167.x.x.156 255.255.255.255 outside
ssh timeout 60
ssh version 1
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
!
service-policy global_policy global
Cryptochecksum:008349304e4bxxxxxxxxxxxxxxxx0d290f38
*******PIX#

Question by:smilebpi1
5 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 24105198
To get pings working:
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
 
 
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 24105216
BES usually needs TCP Port 3101 open?
 
So I'm guessing this is what you mean:
access-list outbound extended permit tcp any host 204.x.x.33 eq 3101
access-list outbound extended permit tcp any host 204.x.x.33 eq 3101

That's all you should need to do :)
 
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 150 total points
ID: 24105245
Assuming 204.x.x.33 is the correct BlackBerry IP address for your local service. Here in the UK it's
193.109.81.33, but depending on your geographic location this will be different - speak to BlackBerry/RIM if you are unsure.
0
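As an added check, not code from the question or from Pete Long's comments: a small Python script that reads a PIX-style config and reports which of the three ICMP return types named above (echo-reply, time-exceeded, unreachable) the inbound ACL on the outside interface still lacks, and whether the ACL on the inside interface permits TCP 3101 for the BES. The config it parses is a constructed, trimmed stand-in for the posted one; the function names and the 192.0.2.x addresses are assumptions, not anything from the page.

```python
import re

# Constructed sample: a trimmed PIX 7.x style config in the shape of the one
# posted above (addresses are made up, not the poster's). Assumption: ACL lines
# are whole, not hard-wrapped at 80 columns as in the pasted output.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
interface Ethernet1
 nameif inside
access-list outside_in extended permit tcp any host 192.0.2.194 eq 3389
access-list outside_in extended permit tcp any host 192.0.2.194 range 3390 3409
access-list outbound extended permit icmp any any
access-list outbound extended permit tcp any any eq 3101
access-group outside_in in interface outside
access-group outbound in interface inside
"""

# The same config with the three lines from the accepted comment appended.
FIXED_CONFIG = SAMPLE_CONFIG + """\
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
"""

# Without these, an inside host's echo requests leave, but the answers are
# dropped at the outside interface: the "can't ping anything" symptom.
RETURN_ICMP_TYPES = ("echo-reply", "time-exceeded", "unreachable")

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def _take_address(tokens):
    """Consume one address spec (any | host X | X MASK); return (spec, remaining tokens)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return tokens[0] + "/" + tokens[1], tokens[2:]


def parse_acls(config_text):
    """Map ACL name -> entries (action, proto, src, dst, trailing qualifier tokens).
    Source-port operators between src and dst are not handled (none appear above)."""
    acls = {}
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, action, proto, rest = m.groups()
        tokens = rest.split()
        src, tokens = _take_address(tokens)
        dst, tokens = _take_address(tokens)
        acls.setdefault(name, []).append(
            {"action": action, "proto": proto, "src": src, "dst": dst, "qualifier": tokens})
    return acls


def parse_bindings(config_text):
    """Map interface name -> ACL applied inbound on it (access-group ... in interface X)."""
    bindings = {}
    for line in config_text.splitlines():
        m = GROUP_RE.match(line.strip())
        if m:
            bindings[m.group(2)] = m.group(1)
    return bindings


def missing_return_icmp(config_text, outside_if="outside"):
    """ICMP types from RETURN_ICMP_TYPES that the inbound ACL on outside_if does not permit.
    Only protocol and ICMP type are compared; addresses and first-match order are ignored."""
    acl_name = parse_bindings(config_text).get(outside_if)
    if acl_name is None:
        # No ACL on a lower-security interface: inbound traffic is denied by default.
        return list(RETURN_ICMP_TYPES)
    permitted = set()
    for e in parse_acls(config_text).get(acl_name, []):
        if e["action"] == "permit" and e["proto"] in ("icmp", "ip"):
            permitted.add(e["qualifier"][0] if e["qualifier"] else "all")
    if "all" in permitted:
        return []
    return [t for t in RETURN_ICMP_TYPES if t not in permitted]


def _port_matches(qualifier, port):
    """True if an 'eq N' / 'range A B' / empty (any port) qualifier covers `port`."""
    if not qualifier:
        return True
    if qualifier[0] == "eq":
        return qualifier[1] == port
    if qualifier[0] == "range" and port.isdigit():
        return int(qualifier[1]) <= int(port) <= int(qualifier[2])
    return False


def permits_tcp_port(config_text, interface, port):
    """True if the inbound ACL on `interface` has a permit tcp (or ip) entry covering
    `port` (a number string or a service name such as 'pptp'); addresses are not compared."""
    acl_name = parse_bindings(config_text).get(interface)
    for e in parse_acls(config_text).get(acl_name, []):
        if e["action"] == "permit" and e["proto"] in ("tcp", "ip") \
                and _port_matches(e["qualifier"], port):
            return True
    return False


if __name__ == "__main__":
    for label, cfg in (("before fix", SAMPLE_CONFIG), ("after fix", FIXED_CONFIG)):
        print(label, "- missing ICMP return types on outside:", missing_return_icmp(cfg) or "none")
    print("inside ACL permits TCP 3101 for BES:", permits_tcp_port(SAMPLE_CONFIG, "inside", "3101"))
```

Run it against the real running-config text instead of SAMPLE_CONFIG. Because the check compares protocol and port only, a "missing" result is definite while a "permitted" result still needs the full entry (addresses, order) read by hand. On PIX 7.x, adding `inspect icmp` to the global policy is the stateful alternative to opening the three ICMP types by ACL.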
 
LVL 1

Author Comment

by:smilebpi1
ID: 24109447
My problem is that I can't ping anything, i.e. google.com, from inside my LAN. The access-list outside_in is for outbound rules. I see a rule for outbound that allows icmp. I would think that it would allow me out. After I added the rules I entered write mem. Should I have to do anything else?
0
 
LVL 1

Author Comment

by:smilebpi1
ID: 24112658
Well, my setup for BES worked. I still can ping out. That's okay, we are putting in a new Firewall next week.
0
