Hello,
I have been tasked with configuring a PIX 515, but my Cisco skills aren't up to the challenge. I have set up and maintained some networks using Linux gateways with iptables, so I do know the basic concepts involved. In order to learn how to make things happen on the PIX, I've set up a test environment consisting of three machines, each on one interface of the PIX. My initial goal is to be able to ping across the network to each machine. Once I have connectivity, I can start writing my access-list rules.
Unfortunately, I am unable to ping across the PIX to any of the other networks. My configuration is:
PIX Version 7.0(1)
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.0.100.190 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 20
 ip address 10.0.5.1 255.255.255.0
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
enable password v3eNd/VU2QcDQYO6 encrypted
passwd 1eLX4kzXqzXs6wsU encrypted
hostname pixfirewall
ftp mode passive
no pager
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 10.0.5.0 255.255.255.0 0
static (dmz,outside) 10.0.100.10 10.0.5.5 netmask 255.255.255.255 0 0
access-list ping_acl permit icmp any any
access-group ping_acl in interface inside
access-group ping_acl in interface dmz
access-group ping_acl in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet 10.0.0.200 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
: end
That is obviously missing something. The first thing I'd like to accomplish is to be able to ping 10.0.100.190 from machine 10.0.5.5 on the DMZ interface. Second would be to be able to ping 10.0.100.10 and have that hit 10.0.5.5. Once that is working, I don't think it would be too hard to allow ssh logins to 10.0.100.10 (10.0.5.5).
Thanks for any help!
Tad
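Editor's note, added example (this is not part of Tad's post and not a Cisco-supplied config): the fragment below shows the PIX 7.0 commands that make ICMP stateful and open only the needed ports on the outside interface for the DMZ host behind the existing `static (dmz,outside) 10.0.100.10 10.0.5.5`. The access-list names `dmz_in` and `outside_in` and the class-map/policy-map names are assumptions; the addresses come from the posted config.

```text
! Added example, not from the original post. ACL and policy-map names are assumed.

! 1. Make ICMP stateful. With "inspect icmp" in the global policy the PIX
!    tracks echo requests and lets the matching echo-replies back in, so the
!    blanket "permit icmp any any" on every interface is no longer needed.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global

! 2. Traffic entering the PIX from the DMZ: let the DMZ segment ping out.
access-list dmz_in permit icmp 10.0.5.0 255.255.255.0 any
access-group dmz_in in interface dmz

! 3. Traffic entering from the outside toward the DMZ host. On PIX 7.0 the
!    ACL on the outside interface names the translated (global) address from
!    the static, 10.0.100.10, not the real address 10.0.5.5. Only echo
!    requests and SSH are opened; echo-replies are handled by inspection.
access-list outside_in permit icmp any host 10.0.100.10 echo
access-list outside_in permit tcp any host 10.0.100.10 eq 22
access-group outside_in in interface outside

! 4. ICMP addressed to the PIX itself is governed by "icmp permit/deny", not by
!    interface ACLs. The default already permits it; shown here for clarity.
icmp permit 10.0.5.0 255.255.255.0 dmz
```

Two checks before reading the ACLs as the problem. First, the PIX only answers ICMP sent to the address of the interface the packet arrived on, so the stated first goal (ping 10.0.100.190 from 10.0.5.5) will not work by design; ping 10.0.5.1 from the DMZ host to confirm the interface and the host's default gateway, then ping a host on the outside segment to confirm forwarding. Second, the posted config defines `nat (inside) 1` and `nat (dmz) 1` with no matching `global (outside) 1`; if `show logging` reports syslog 305005 ("No translation group found") for the dropped pings, add `global (outside) 1 interface`, or remove the `nat` lines, since nat-control is disabled by default on a fresh 7.0 install and untranslated traffic then passes. The existing `static` already makes the PIX proxy-ARP for 10.0.100.10 on the outside segment, so the outside test host needs no extra route.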