Solved

Pix 515 Can't ping outside of the LAN

Posted on 2009-04-08
Last Modified: 2012-05-06
I have a client who has a PIX 515 that I didn't set up. I am pretty rusty with my Cisco skills. I was trying to open a port for their new BES. Now I have discovered that I can't ping anything outside of the LAN. I am not sure if I set up the BES port correctly either. I added it to an access-list. Below is the config.
domain-name domain.com
enable password ZL*******20n encrypted
names
!
interface Ethernet0
 speed 10
 duplex half
 nameif outside
 security-level 0
 ip address 12.x.x.195 255.255.255.240
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.1.55.3 255.255.255.0
!
interface Ethernet2
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 192.168.233.1 255.255.255.0
!
passwd ********** encrypted
boot system flash:/pix711.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.com
access-list 101 extended permit ip 192.168.233.0 255.255.255.0 10.1.55.0 255.255.255.0
access-list 100 extended permit ip 10.1.55.0 255.255.255.0 192.168.233.0 255.255.255.0
access-list 100 extended permit ip 10.1.55.0 255.255.255.0 10.1.254.0 255.255.255.0
access-list split_tunnel extended permit ip 10.1.55.0 255.255.255.0 10.1.254.0 255.255.255.0
access-list outside_in extended permit gre host 208.x.x.130 host 64.x.x.40
access-list outside_in extended permit gre host 208.x.x.130 host 64.x.x.41
access-list outside_in extended permit gre host 208.x.x.130 host 64.x.x.42
access-list outside_in extended permit gre host 208.x.x.130 host 64.x.x.43
access-list outside_in extended permit gre host 208.x.x.130 host 64.x.x.44
access-list outside_in extended permit gre host 208.x.x.130 host 64.x.x.45
access-list outside_in extended permit gre host 208.x.x.130 host 64.x.x.46
access-list outside_in extended permit gre host 208.x.x.130 host 64.x.x.47
access-list outside_in extended permit gre host 208.x.x.130 host 64.x.x.48
access-list outside_in extended permit gre host 208.x.x.130 host 64.x.x.49
access-list outside_in extended permit gre host 208.x.x.130 host 64.x.x.50
access-list outside_in extended permit tcp host 208.x.x.130 host x.x.64.40 eq pptp
access-list outside_in extended permit tcp host 208.x.x.130 host 64.x.x.41 eq pptp
access-list outside_in extended permit tcp host 208.x.x.130 host 64.x.x.42 eq pptp
access-list outside_in extended permit tcp host 208.x.x.130 host 64.x.x.43 eq pptp
access-list outside_in extended permit tcp host 208.x.x.130 host 64.x.x.44 eq pptp
access-list outside_in extended permit tcp host 208.x.x.130 host 64.x.x.45 eq pptp
access-list outside_in extended permit tcp host 208.x.x.130 host 64.x.x.46 eq pptp
access-list outside_in extended permit tcp host 208.x.x.130 host 64.x.x.47 eq pptp
access-list outside_in extended permit tcp host 208.x.x.130 host 64.x.x.48 eq pptp
access-list outside_in extended permit tcp host 208.x.x.130 host 64.x.x.49 eq pptp
access-list outside_in extended permit tcp host 208.x.x.130 host 64.x.x.50 eq pptp
access-list outside_in extended permit gre host 208.x.x.130 host 64.x.x.51
access-list outside_in extended permit tcp host 208.x.x.130 host 64.x.x.51 eq pptp
access-list outside_in extended permit gre host 208.x.x.130 host 64.x.x.52
access-list outside_in extended permit tcp host 208.x.x.130 host 64.x.x.52 eq pptp
access-list outside_in extended permit tcp any host 12.x.x.194 eq 3400
access-list outside_in extended permit tcp any host 12.x.x.194 eq pptp
access-list outside_in extended permit tcp any host 12.x.x.194 eq 3389
access-list outside_in extended permit tcp any host 12.x.x.194 eq https
access-list outside_in extended permit tcp any host 12.x.x.194 eq www
access-list outside_in extended permit tcp any host 12.x.x.194 eq smtp
access-list outside_in extended permit tcp any host 12.x.x.194 range 3390 3409
access-list outside_in extended permit tcp any host 12.x.x.194 eq ftp
access-list outside_in extended permit tcp any host 12.x.x.196 eq citrix-ica
access-list outside_in extended permit tcp any host 12.x.x.196 eq www
access-list outside_in extended permit udp any host 12.x.x.196 eq 1604
access-list outside_in extended permit tcp any host 12.x.x.194 eq 1755
access-list outside_in extended permit tcp any host 12.x.x.194 eq 7007
access-list outside_dmz extended permit tcp 192.168.233.0 255.255.255.0 host 10.1.55.253 eq citrix-ica
access-list outside_dmz extended permit udp 192.168.233.0 255.255.255.0 host 10.1.55.253 eq 1604
access-list outside_dmz extended permit tcp 192.168.233.0 255.255.255.0 host 10.1.55.253 eq www
access-list outside_dmz extended permit icmp 192.168.233.0 255.255.255.0 host 10.1.55.253
access-list outside_dmz extended deny ip 192.168.233.0 255.255.255.0 10.1.55.0 255.255.255.0
access-list outside_dmz extended permit ip any any
access-list outbound extended permit icmp any any
access-list outbound extended permit ip any any
access-list outbound extended permit tcp any host 204.x.x.33 eq 3101
access-list outbound extended permit tcp any host 204.x.x.33 eq 3101
access-list outbound extended permit tcp any any eq 3101
access-list outbound extended permit tcp any any
access-list outbound extended permit tcp any any eq ftp
access-list inside,outside extended permit tcp any host 10.1.55.249
access-list inside_outside extended permit tcp any any
pager lines 14
logging enable
logging buffered debugging
logging trap debugging
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool RiverCatPool 10.1.254.1-10.1.254.254
ip verify reverse-path interface inside
ip audit info action drop
ip audit attack action drop
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 2 12.25.190.194 netmask 255.255.255.240
nat (inside) 0 access-list 100
nat (inside) 1 10.0.0.0 255.0.0.0
nat (DMZ) 0 access-list 101
nat (DMZ) 1 192.168.233.0 255.255.255.0
static (inside,outside) tcp 12.x.x.194 3389 10.1.55.249 3389 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 pptp 10.1.55.254 pptp netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3390 10.1.55.220 3390 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3400 10.1.55.230 3400 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3391 10.1.55.221 3391 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3392 10.1.55.222 3392 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3393 10.1.55.223 3393 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3394 10.1.55.224 3394 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3395 10.1.55.225 3395 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3396 10.1.55.226 3396 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3397 10.1.55.227 3397 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3398 10.1.55.228 3398 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3399 10.1.55.229 3399 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3401 10.1.55.231 3401 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3402 10.1.55.232 3402 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3403 10.1.55.233 3403 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3404 10.1.55.234 3404 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3405 10.1.55.235 3405 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3406 10.1.55.236 3406 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3407 10.1.55.237 3407 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3408 10.1.55.238 3408 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 3409 10.1.55.239 3409 netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 ftp 10.1.55.251 ftp netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 smtp 10.1.55.249 smtp netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 www 10.1.55.249 www netmask 255.255.255.255
static (inside,outside) tcp 12.x.x.194 https 10.1.55.249 https netmask 255.255.255.255
static (DMZ,outside) 64.x.x.40 192.168.233.100 netmask 255.255.255.255
static (DMZ,outside) 64.x.x.41 192.168.233.101 netmask 255.255.255.255
static (DMZ,outside) 64.x.x.42 192.168.233.102 netmask 255.255.255.255
static (DMZ,outside) 64.x.x.43 192.168.233.103 netmask 255.255.255.255
static (DMZ,outside) 64.x.x.44 192.168.233.104 netmask 255.255.255.255
static (DMZ,outside) 64.x.x.45 192.168.233.105 netmask 255.255.255.255
static (DMZ,outside) 64.x.x.46 192.168.233.106 netmask 255.255.255.255
static (DMZ,outside) 64.x.x.47 192.168.233.107 netmask 255.255.255.255
static (DMZ,outside) 64.x.x.48 192.168.233.108 netmask 255.255.255.255
static (DMZ,outside) 64.x.x.49 192.168.233.109 netmask 255.255.255.255
static (DMZ,outside) 64.x.x.50 192.168.233.110 netmask 255.255.255.255
static (DMZ,outside) 64.x.x.51 192.168.233.111 netmask 255.255.255.255
static (DMZ,outside) 64.x.x.52 192.168.233.112 netmask 255.255.255.255
static (inside,outside) 12.x.x.196 10.1.55.253 netmask 255.255.255.255
access-group outside_in in interface outside
access-group outbound in interface inside
access-group outside_dmz in interface DMZ
route outside 0.0.0.0 0.0.0.0 12.x.x.193 1
route outside 192.168.8.0 255.255.254.0 64.x.x.55 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy group internal
group-policy group attributes
 vpn-idle-timeout 30
group-policy **** internal
group-policy **** attributes
 wins-server value 10.1.55.254
 dns-server value 10.1.55.254
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec transform-set *******Set esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set *******Set
crypto map *******Map 10 ipsec-isakmp dynamic dynmap
crypto map *******Map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) none
tunnel-group ******* type ipsec-ra
tunnel-group ******* general-attributes
 address-pool *******Pool
 authentication-server-group (outside) none
 default-group-policy *******
tunnel-group *******ipsec-attributes
 pre-shared-key *
tunnel-group group type ipsec-ra
tunnel-group group general-attributes
 authentication-server-group (outside) none
 default-group-policy group
telnet 10.1.55.0 255.255.255.0 inside
telnet timeout 20
ssh 0.0.0.0 0.0.0.0 outside
ssh 167.x.x.156 255.255.255.255 outside
ssh timeout 60
ssh version 1
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
!
service-policy global_policy global
Cryptochecksum:008349304e4bxxxxxxxxxxxxxxxx0d290f38
*******PIX#

Question by:smilebpi1
5 Comments

Expert Comment

by:Pete Long
ID: 24105198
To get pings working:
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable

Expert Comment

by:Pete Long
ID: 24105216
BES usually needs TCP Port 3101 open?

So I'm guessing this is what you mean:
access-list outbound extended permit tcp any host 204.x.x.33 eq 3101
access-list outbound extended permit tcp any host 204.x.x.33 eq 3101

That's all you should need to do :)

Accepted Solution

by:Pete Long earned 50 total points
ID: 24105245
Assuming 204.x.x.33 is the correct BlackBerry IP address for your local service; here in the UK it's 193.109.81.33, but depending on your geographic location this will be different. Speak to BlackBerry/RIM if you are unsure.
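The two points Pete Long raises above, the ICMP return types that must be permitted inbound on the outside interface when `inspect icmp` is not configured (the posted global_policy has no `inspect icmp`), and the TCP 3101 rule in the `outbound` list, can both be checked mechanically. The script below is an added example written for this page, not the poster's configuration or anything from the thread. It parses the `access-list`, `access-group` and `inspect` lines of a PIX 7.x-style config, reports which ICMP return types would be dropped at the outside interface, and flags rules that can never match because an earlier rule in the same list already covers them (in the posted config the `outbound` list has `permit ip any any` above the 3101 lines). The embedded sample config is constructed in the shape of the posted one, with placeholder addresses.

```python
"""Audit a PIX 7.x-style config: ICMP return traffic and shadowed ACL rules.

Constructed example for this page; the sample config and its addresses are
placeholders, not the poster's real configuration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of the posted config: the inbound ACL on the
# outside interface permits some TCP services but no ICMP, the inside ACL has a
# blanket 'permit ip any any' above the BES rule, and there is no 'inspect icmp'.
SAMPLE_CONFIG = """
access-list outside_in extended permit tcp any host 12.0.0.194 eq smtp
access-list outside_in extended permit tcp any host 12.0.0.194 eq www
access-list outbound extended permit icmp any any
access-list outbound extended permit ip any any
access-list outbound extended permit tcp any host 204.0.0.33 eq 3101
access-list outbound extended permit tcp any any eq ftp
access-group outside_in in interface outside
access-group outbound in interface inside
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect pptp
service-policy global_policy global
"""

# ICMP types a ping/traceroute originator needs to receive back. Without
# 'inspect icmp' the PIX does not track ICMP state, so these must be permitted
# by the ACL applied inbound on the outside interface.
ICMP_RETURN_TYPES = ("echo-reply", "time-exceeded", "unreachable")

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")
INSPECT_RE = re.compile(r"^inspect\s+(\S+)")

@dataclass
class Rule:
    action: str   # permit / deny
    proto: str    # ip, tcp, udp, icmp, gre, ...
    src: str      # 'any', 'host a.b.c.d' or 'net/mask'
    dst: str
    svc: str      # 'eq 3101', 'range 3390 3409', 'echo-reply', '' if none
    text: str     # original line, for reporting

def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one address spec from the token list and normalise it."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]

def parse_config(text: str):
    """Return (ACLs by name, inbound ACL per interface, inspected protocols)."""
    acls: Dict[str, List[Rule]] = {}
    groups: Dict[str, str] = {}
    inspects: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, action, proto, rest = m.groups()
            src, tokens = _take_addr(rest.split())
            dst, tokens = _take_addr(tokens)
            acls.setdefault(name, []).append(
                Rule(action, proto, src, dst, " ".join(tokens), line))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)
        elif m := INSPECT_RE.match(line):
            inspects.add(m.group(1))
    return acls, groups, inspects

def _covers(a: str, b: str) -> bool:
    """Address spec a matches everything b matches ('any' or identical text)."""
    return a == "any" or a == b

def _matches_all_of(earlier: Rule, later: Rule) -> bool:
    return (earlier.proto in ("ip", later.proto)
            and _covers(earlier.src, later.src)
            and _covers(earlier.dst, later.dst)
            and earlier.svc in ("", later.svc))

def shadowed_rules(rules: List[Rule]) -> List[Rule]:
    """Rules that can never match because an earlier rule already covers them."""
    return [r for i, r in enumerate(rules)
            if any(_matches_all_of(e, r) for e in rules[:i])]

def missing_icmp_returns(acls, groups, inspects, outside_if="outside") -> List[str]:
    """ICMP return types that would be dropped at the outside interface.
    Conservative: only blanket 'any any' permits count, so a narrower permit
    is still reported as missing."""
    if "icmp" in inspects:
        return []   # stateful ICMP inspection matches replies to their requests
    rules = acls.get(groups.get(outside_if, ""), [])
    return [t for t in ICMP_RETURN_TYPES
            if not any(r.action == "permit" and r.proto in ("ip", "icmp")
                       and r.src == "any" and r.dst == "any"
                       and r.svc in ("", t) for r in rules)]

if __name__ == "__main__":
    acls, groups, inspects = parse_config(SAMPLE_CONFIG)
    print("ICMP return types not permitted on outside:",
          missing_icmp_returns(acls, groups, inspects))
    for name, rules in acls.items():
        for r in shadowed_rules(rules):
            print(f"shadowed in {name}: {r.text}")
```

Run against the sample, the audit reports all three ICMP return types missing and flags the 3101 and ftp lines of `outbound` as shadowed by `permit ip any any`; appending the three `permit icmp any any ...` lines from the first comment, or adding `inspect icmp` to the global policy, clears the ICMP finding.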

Author Comment

by:smilebpi1
ID: 24109447
My problem is that I can't ping anything, i.e. google.com, from inside my LAN. The access-list outside_in is for outbound rules. I see a rule for outbound that allows icmp. I would think that it would allow me out. After I added the rules I entered write mem. Should I have to do anything else?

Author Comment

by:smilebpi1
ID: 24112658
Well, my setup for BES worked. I still can ping out. That's okay, we are putting in a new Firewall next week.