Simple PIX 501 config

I've had a lot of trouble getting my PIX configured the way I want it, so I wanted to see if someone could help me configure it in a somewhat basic/unrestrictive setting. Then I can verify it is working correctly and use access-lists to restrict services later.

Basic config: I have two PCs. One is connected to the outside port (eth0) and the other is connected to the inside port (eth1). I would like to be able to access any port from the inside PC to the outside PC. Most importantly, ICMP/ping to verify the connectivity.

Outside PC (172.31.13.1) : : Cisco Pix 501 : : Inside PC (172.31.1.136)

You can choose the eth0/eth1 IP addresses because I am not certain what they should be. Also let me know if the subnet mask "255.255.0.0" needs to change on the PCs themselves. Thanks for your help. I'm still learning in my test environment.

Matt Scoff

Kinda hard when we don't know your present config. But what you need is pretty simple: a global, a nat, an ACL permit icmp, and an ACL-group on the outside int.

Wow - mind your subnet masks here!

YES! You cannot have both interfaces in the same subnet. Change the subnet masks to /24 = 255.255.255.0, also in the PIX config for the inside and outside interfaces.

You may want to read the Cisco config guides for the PIX.

HTH, Martin Bilgrav

Martin Bilgrav

Thank you so much. I will see what I can get working. My present config is new, reset to factory defaults.

My PCs need to be configured as 172.31.13.1 subnet 255.255.255.0 and 172.31.1.136 255.255.255.0, correct?

Outside interface: 172.31.13.2 255.255.255.0. Inside interface: 172.31.1.1 255.255.255.0. Correct?

Matt Scoff

Here is my configuration. I have turned on logging. When I try to ping 172.31.13.2 (Server) from 172.31.4.136 (InsidePC) I receive the message "deny inbound icmp src outside: Server dst inside:172.31.13.2"

I must be missing something.

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.31.4.136 InsidePC
name 172.31.13.1 Server
access-list inside_access_in permit icmp interface inside interface outside
access-list inside_access_in permit tcp interface inside interface outside
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 172.31.13.2 255.255.255.0
ip address inside 172.31.4.10 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location InsidePC 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 InsidePC 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
Matt Scoff

This is what I was looking for: access-group inside_access_in in interface out

Everything started working after that... I'm sure I'll have some more questions in the future, though.

Matt Scoff
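Putting Martin's recipe (global, nat, ACL, access-group on the outside) and the final fix together, here is an added example config for this lab; it is not from any post in the thread. It keeps the posted interface addresses and PAT setup, but instead of binding the permissive inside_access_in list to the outside interface it uses a separate outside list that admits only the ICMP replies and error messages returning to the PAT address, so the outside PC still cannot initiate anything inbound. The ACL names inside_out and outside_in are my own choice.

```text
: Added example, not the thread's own config. Addresses as in the posted config,
: ACL names inside_out and outside_in are assumptions.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 172.31.13.2 255.255.255.0
ip address inside 172.31.4.10 255.255.255.0
:
: PAT every inside host behind the outside interface address
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
:
: Inside -> outside: anything from the inside subnet to the outside PC
access-list inside_out permit ip 172.31.4.0 255.255.255.0 host 172.31.13.1
access-group inside_out in interface inside
:
: Outside -> inside: without stateful ICMP inspection (none in the posted
: config) the echo replies are plain inbound packets to the PAT address
: 172.31.13.2 and are denied unless an outside list permits them.
: Permit only reply and error types, never echo requests.
access-list outside_in permit icmp host 172.31.13.1 host 172.31.13.2 echo-reply
access-list outside_in permit icmp host 172.31.13.1 host 172.31.13.2 time-exceeded
access-list outside_in permit icmp host 172.31.13.1 host 172.31.13.2 unreachable
access-group outside_in in interface outside
```

With logging still on, a ping from InsidePC should now complete, while an echo request from the outside PC to 172.31.13.2 is still logged as denied, which confirms the direction of the policy.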

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.