PIX 501 wll not allow inbound traffic

I am installing a pix 501 firewall and I cannot get the firewall to allow inbound traffic.

I am able to access the internet via the inside interface but I cannot get it to allow inbound traffic.

Here is the config I am using. Ahy help would be appreciated..

When I install my static zlate command it knowks dow the translation going on for access to the internet for the inside users

PIX Version 6.2(2) nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password L2HsB35X542d86Zr encrypted passwd Pi/kr.ARFZeO1oIx encrypted hostname DDCI-AUSTIN domain-name m5corp.net fixup protocol ftp 21 fixup protocol http 80 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol ils 389 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol sip 5060 fixup protocol skinny 2000 names name Mainframe name PCI

access-list inside_access_in permit icmp any any access-list inside_outbound_nat0_acl permit ip PCI access-list outside_cryptomap_20 permit ip PCI access-list 101 permit ip access-list 101 permit ip any access-list 102 permit tcp any host access-list 102 permit icmp any any access-list 102 permit tcp any any access-list outside_cryptomap_dyn_30 permit ip any access-list outside_cryptomap_dyn_20 permit ip any pager lines 24 logging timestamp logging monitor debugging logging buffered debugging logging history debugging interface ethernet0 10baset interface ethernet1 10full mtu outside 1500 mtu inside 1500 ip address outside ip address inside ip audit info action alarm ip audit attack action alarm ip local pool pcivpn

pdm location inside pdm location inside pdm location Mainframe outside pdm location PCI outside pdm location inside pdm location outside pdm logging debugging 100 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list 101 nat (inside) 1 0 0 access-group 102 in interface outside route outside 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323

0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa-server LOCAL protocol local http server enable http inside http inside no snmp-server location

no snmp-server contact snmp-server community public snmp-server enable traps floodguard enable sysopt connection permit-ipsec no sysopt route dnat crypto ipsec transform-set myset esp-3des esp-md5-hmac crypto dynamic-map dynmap 10 set transform-set myset crypto map mymap 10 ipsec-isakmp dynamic dynmap crypto map mymap client configuration address initiate crypto map mymap client configuration address respond crypto map mymap interface outside isakmp enable outside isakmp key ******** address netmask isakmp identity address isakmp client configuration address-pool local pcivpn outside isakmp policy 10 authentication pre-share isakmp policy 10 encryption des isakmp policy 10 hash md5 isakmp policy 10 group 2 isakmp policy 10 lifetime 86400 vpngroup pci1 address-pool pcivpn vpngroup pci1 dns-server vpngroup pci1 default-domain atchleysystems.com

vpngroup pci1 split-tunnel 101 vpngroup pci1 idle-time 1800 telnet inside telnet inside telnet timeout 5 ssh timeout 60 terminal width 80 Cryptochecksum:d0840090439eb2e77793b87fdadf6a5e : end [OK]


Reply to
Loading thread data ...

You may wish to investigate Cisco's Using nat, global, static, conduit, and access-list Commands and Port Redirection(Forwarding) on PIX:

formatting link

Brad Reese Cisco Router Port Matrix

formatting link

Reply to

There are a bunch of security patches for that. You should be going up to 6.2(4) or something like that. The upgrade is free (as long as you are the registered owner)

You can't use the same subnet on the inside and outside.

Perhaps you don't really do that and you munged the line for posting purposes, but I'm not going to bother trying to debug a configuration which might have any number of mistakes in the munging.

Reply to
Walter Roberson

Go through the following link and rectify all the issues which WALTER has posted ...

formatting link


PATCHES wrote:

Reply to

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.