Newbie needs the most basic of help with a PIX 515

Hello,

I have been tasked with configuring a PIX 515, but my Cisco skills aren't up to the challenge. I have set up and maintained some networks using Linux gateways with iptables, so I do know the basic concepts involved. In order to learn how to make things happen on the PIX, I've set up a test environment consisting of three machines, each on one interface on the PIX. My initial goal is to be able to ping across to the network to each machine. Once I have connectivity, I can start writing my access-list rules.

Unfortunately, I am unable to ping across the PIX to any of the other networks. My configuration is:

PIX Version 7.0(1)
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.0.100.190 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 20
 ip address 10.0.5.1 255.255.255.0
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
enable password v3eNd/VU2QcDQYO6 encrypted
passwd 1eLX4kzXqzXs6wsU encrypted
hostname pixfirewall
ftp mode passive
no pager
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 10.0.5.0 255.255.255.0 0
static (dmz,outside) 10.0.100.10 10.0.5.5 netmask 255.255.255.255 0 0

access-list ping_acl permit icmp any any

access-group ping_acl in interface inside
access-group ping_acl in interface dmz
access-group ping_acl in interface outside

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet 10.0.0.200 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
: end

Which obviously is missing something. The first thing I'd like to accomplish is to be able to ping 10.0.100.190 from machine 10.0.5.5 on the DMZ interface. Second would be to be able to ping 10.0.100.10 and have that hit 10.0.5.5. Once that is working, I don't think it would be too hard to allow ssh logins to 10.0.100.10 (10.0.5.5).

Thanks for any help!

Tad

tad

In article , wrote:
:PIX Version 7.0(1)

:access-list ping_acl permit icmp any any

:access-group ping_acl in interface inside
:access-group ping_acl in interface dmz
:access-group ping_acl in interface outside

I haven't looked at the details of your configuration, but the above popped out at me.

Effectively you cannot reuse access-lists on the PIX: the PIX manipulates them internally for purposes related to the Adaptive Security Algorithm. And some other cases that you wouldn't think could cause a conflict have had bug reports against problems with shared ACLs.

So, on the PIX, if you need the same ACL functionality in more than one context, you should duplicate the ACL contents. If the ACL is non-trivial, using object-group can help reduce the clutter a fair bit.

Walter Roberson

You need the global command that would tell the PIX what the internal addresses should be translated into. It would be something like this:

global (outside) 1 209.64.3.129-209.64.3.253 netmask 255.255.255.128

where the IP addresses in the line above are the range of public addresses available to you.

If you don't have enough public addresses, use PAT by defining only one global address, such as

global (outside) 1 209.64.3.129

Good Luck.

snipped-for-privacy@tadland.net wrote:

Kashifc

I've incorporated both of these changes, and now I have something like this in the relevant parts of the configuration:

global (outside) 1 10.0.100.1-10.0.100.255 netmask 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 10.0.5.0 255.255.255.0 0
static (dmz,outside) 10.0.100.10 10.0.5.5 netmask 255.255.255.255 0 0

access-list ping_inside_acl permit icmp any any
access-list ping_dmz_acl permit icmp any any
access-list ping_outside_acl permit icmp any any
access-list ssh_dmz_acl permit tcp any host 10.0.100.10 eq 22

access-group ping_inside_acl in interface inside
access-group ping_dmz_acl in interface dmz
access-group ping_outside_acl in interface outside
access-group ssh_dmz_acl in interface outside

I still cannot get data across the interfaces into a different zone. I can ping 10.0.100.10 from a machine on the outside of the PIX, but the ttl is 64 so I'm feeling like the traffic isn't actually getting to the machine that is supposed to be NATed to 10.0.100.10 (10.0.5.5).

Any other suggestions?

Thanks, Tad

tad

I'm not sure that my changes are progress. I now get the following errors loading the configuration file:

!Error: 10.0.100.1-10.0.100.255 overlaps with outside interface address
Duplicate NAT entry
Duplicate NAT entry
ERROR: mapped-address conflict with existing static dmz:10.0.5.5 to outside:10.0.100.10 netmask 255.255.255.255
Config Error -- static (dmz,outside) 10.0.100.10 10.0.5.5 netmask 255.255.255.255 0 0
WARNING: found duplicate element
WARNING: found duplicate element
WARNING: found duplicate element
ERROR: entry for address/mask = 10.0.0.200/255.255.255.255 exists

The first error is just me needing to change the range of the global statement. I don't understand the "Duplicate NAT entry" messages, and the "found duplicate element" errors on the access-lists seem to be contrary to the first suggestion above.

Tad

tad

In article , wrote:
:access-group ping_outside_acl in interface outside
:access-group ssh_dmz_acl in interface outside

This doesn't address your original problem, but: you can only have one access-group per interface (per direction in 7.0).

Walter Roberson
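As an added illustration, not posted by anyone in this thread, here is a small Python checker for the three configuration mistakes raised above: one access-list bound to several interfaces, more than one access-group on the same interface and direction, and a global pool that includes the interface's own address (the "overlaps with outside interface address" error). The sample config is constructed from the commands posted in the thread.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample built from the thread's second configuration, including
# the global pool that tripped the "overlaps with outside interface address" error.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 10.0.100.190 255.255.255.0
interface Ethernet2
 nameif dmz
 ip address 10.0.5.1 255.255.255.0
global (outside) 1 10.0.100.1-10.0.100.255 netmask 255.255.255.0
access-list ping_acl permit icmp any any
access-group ping_acl in interface inside
access-group ping_acl in interface dmz
access-group ping_outside_acl in interface outside
access-group ssh_dmz_acl in interface outside
"""

def lint_pix_config(text):
    """Return a list of findings for the three problems discussed in the thread."""
    findings = []
    bindings = defaultdict(list)    # acl name -> [(iface, direction)]
    per_iface = defaultdict(list)   # (iface, direction) -> [acl names]
    iface_addr = {}                 # nameif -> interface IPv4 address
    current = None                  # nameif of the interface block being read
    for line in text.splitlines():
        if m := re.match(r"\s*nameif\s+(\S+)", line):
            current = m.group(1)
        elif (m := re.match(r"\s*ip address\s+([\d.]+)\s+[\d.]+", line)) and current:
            iface_addr[current] = ipaddress.ip_address(m.group(1))
        elif m := re.match(r"access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)", line):
            acl, direction, iface = m.groups()
            bindings[acl].append((iface, direction))
            per_iface[(iface, direction)].append(acl)
        elif m := re.match(r"global\s+\((\S+)\)\s+\d+\s+([\d.]+)(?:-([\d.]+))?", line):
            iface, lo, hi = m.group(1), m.group(2), m.group(3) or m.group(2)
            addr = iface_addr.get(iface)   # single-address PAT has hi == lo
            if addr and ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi):
                findings.append(f"global pool {lo}-{hi} overlaps {iface} address {addr}")
    for acl, uses in bindings.items():
        if len(uses) > 1:
            findings.append(f"access-list {acl} bound to {len(uses)} interfaces; duplicate it per interface")
    for (iface, direction), acls in per_iface.items():
        if len(acls) > 1:
            findings.append(f"interface {iface} {direction} has {len(acls)} access-groups; only one allowed")
    return findings
```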
