Cisco PIX501 Config Help

nat (inside) 1 0.0.0.0 0.0.0.0 0 0 global (outside) 1 interface

This 2 lines will configure the PIX to nat all traffic coming from the inside with the outside interface address. This will allow normal internet access for the inside users.

static (inside,outside) 10.215.112.34 10.212.35.60 netmask 255.255.255.255 0

0

access-list acl-out permit ip any host 10.215.112.34 access-group acl-out in interface outside

The first line will will make the inside host 10.212.35.60 visible on the outside at 10.215.112.34. But you also need to give access permissions with the 2 other lines since the traffic needs to go from a less secure to a more secure zone. This is done with the access-list and the access-group command. My example allow all ip , but you could be more granular. For example access-list acl-out permit tcp any host 10.215.112.34 eq 80 would give only http access.

Thankyou - I have added these two lines.

I can successfully ping LAN A (eg 10.215.112.33) from the PIX but NOT from a client on the inside of the pix (10.212.35.20).I have noticed that I do not have any static routes set up for the internal and external interfaces on the pix - is this an issue?

There is no routing issues , those subnets are Directly Connected. But i think that icmp is denied by defaul ton the outside, even for the replies. So you can add the following lines in your acl_out and give it a try

access-list acl-out permit icmp any any echo-reply access-list acl-out permit icmp any any source-quench access-list acl-out permit icmp any any unreachable access-list acl-out permit icmp any any time-exceeded

Still no joy! From the clients on the inside I cant access anything on the outside.

Here's my config now in case you can see anything else I've missed:

PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password sxoDUvFgNGNRIZl3 encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname cf-pixfirewall domain-name xxxxxxxxx.local fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol sqlnet 1521 fixup protocol tftp 69 names access-list inside_access_in permit tcp any any access-list acl-out permit icmp any any echo-reply access-list acl-out permit icmp any any source-quench access-list acl-out permit icmp any any unreachable access-list acl-out permit icmp any any time-exceeded pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside 10.215.112.35 255.255.255.224 ip address inside 10.212.35.2 255.255.255.0 ip audit info action alarm ip audit attack action alarm pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 1 0.0.0.0 0.0.0.0 0 0 access-group inside_access_in in interface inside timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225

1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enable http 10.212.35.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable telnet timeout 5 ssh timeout 5 console timeout 0 terminal width 80 Cryptochecksum:9dc4bc6c12225487786f091c4809b551 : end

Thanks, that previous config was too messy to parse.

You don't use that ACL, acl-out .

You allow all tcp access out, but you don't allow even one system to do DNS (UDP).

How can I allow all traffic out? Is there a single command to do this? I still can't get to anything externally from the internal clients but I can from the PIX. To be honest, I'm only using the Pix for NAT...security isn't an issue in this environment.

Use no access-group inside_access_in in interface inside to deactivate the access-group .

If there is no access-group for the inside interface, all connections are permitted outwards, provided that there is a translation for it. Your nat/ global pair provides the translation.