From: Edouard Zorrilla (ezorrilla@tsf.com.pe)
Date: Wed Mar 18 2009 - 10:02:42 ART
I have tested and you are right: I cannot ping the outside address from an inside
host, even with the "management-access outside" command.
Does anyone? I cannot believe I cannot ping!!!
Regards
----- Original Message -----
From: "Farrukh Haroon" <farrukhharoon@gmail.com>
To: "marish shah" <contactmarish@gmail.com>
Cc: "groupstudy" <ccielab@groupstudy.com>
Sent: Tuesday, March 17, 2009 9:12 AM
Subject: Re: PIX PROBLEM
> If you are trying to ping the DMZ interface's IP while coming from any other
> interface (outside or inside) it won't work! This is one of the 'elite'
> security features of the Cisco firewalls :)
>
> You can either ping the interface to which you are connected, or ping any
> device connected to the PIX on the DMZ segment.
>
> Regards
>
> Farrukh
>
> On Tue, Mar 17, 2009 at 1:37 PM, marish shah <contactmarish@gmail.com> wrote:
>
>> Hi guys,
>> I have a PIX 515, inside to DMZ and DMZ to outside, but it's not working
>> because I can't ping my DMZ. Please check whether my configuration is OK or not.
>>
>> pix515e(config)# sh run
>> : Saved
>> :
>> PIX Version 6.2(2)
>> nameif ethernet0 outside security0
>> nameif ethernet1 inside security100
>> nameif ethernet2 DMZ security10
>> enable password uz71UN9FHpuvfuPq encrypted
>> passwd uz71UN9FHpuvfuPq encrypted
>> hostname pix515e
>> domain-name ciscopix.com
>> fixup protocol ftp 21
>> fixup protocol http 80
>> fixup protocol h323 h225 1720
>> fixup protocol h323 ras 1718-1719
>> fixup protocol ils 389
>> fixup protocol rsh 514
>> fixup protocol rtsp 554
>> fixup protocol sqlnet 1521
>> fixup protocol sip 5060
>> fixup protocol skinny 2000
>> no fixup protocol smtp 25
>> names
>> access-list acl_inside permit ip any any
>> access-list acl_inside permit tcp any host 192.168.4.40 eq 34336
>> access-list acl_inside permit tcp any host 192.168.4.40 eq 34334
>> access-list acl_inside permit tcp any host 192.168.4.40 eq 7777
>> access-list acl_inside permit tcp any host 192.168.4.40 eq 34335
>> access-list acl_inside permit tcp any any
>> access-list acl_inside permit ip any host 192.168.129.183
>> access-list acl_inside permit ip any host 192.168.130.176
>> access-list acl_outside permit icmp any any
>> access-list acl_outside permit tcp any host 192.168.129.183 eq 7777
>> access-list acl_outside permit tcp any host 192.168.129.183 eq 34335
>> access-list acl_outside permit tcp any host 192.168.130.176 eq 7777
>> access-list acl_outside permit tcp any host 192.168.130.176 eq 34335
>> access-list acl_outside permit tcp any host 192.168.129.183 eq 34336
>> access-list acl_outside permit tcp any host 192.168.130.176 eq 34334
>> access-list acl_outside permit tcp any any
>> access-list acl_outside permit ip any any
>> access-list acl_outside permit ip any host 192.168.130.176
>> access-list acl_DMZ permit icmp any any
>> access-list acl_DMZ permit tcp any any
>> access-list acl_DMZ permit ip any any
>> access-list acl_DMZ permit ip 192.168.130.0 255.255.255.0 any
>> access-list acl_DMZ permit tcp 192.168.130.0 255.255.255.0 any
>> access-list acl_DMZ permit ip any 192.168.130.0 255.255.255.0
>> access-list acl_DMZ permit tcp any 192.168.130.0 255.255.255.0
>> pager lines 24
>> logging host inside 192.168.4.155
>> interface ethernet0 auto
>> interface ethernet1 auto
>> interface ethernet2 auto
>> mtu outside 1500
>> mtu inside 1500
>> mtu DMZ 1500
>> ip address outside 192.168.129.197 255.255.255.0
>> ip address inside 192.168.6.239 255.255.255.0
>> ip address DMZ 192.168.130.197 255.255.255.0
>> ip audit info action alarm
>> ip audit attack action alarm
>> pdm logging informational 100
>> pdm history enable
>> arp timeout 14400
>> global (outside) 1 interface
>> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
>> nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0
>> static (DMZ,inside) tcp 192.168.4.40 34335 192.168.130.176 34335 netmask 255.255.255.255 0 0
>> static (inside,DMZ) tcp 192.168.130.176 34335 192.168.4.40 34335 netmask 255.255.255.255 0 0
>> static (inside,DMZ) 192.168.4.0 192.168.4.0 netmask 255.255.255.0 0 0
>> static (DMZ,inside) 192.168.130.0 192.168.130.0 netmask 255.255.255.0 0 0
>> static (DMZ,outside) 192.168.130.0 192.168.130.0 netmask 255.255.255.0 0 0
>> static (outside,DMZ) 192.168.129.0 192.168.129.0 netmask 255.255.255.0 0 0
>> access-group acl_outside in interface outside
>> access-group acl_inside in interface inside
>> access-group acl_DMZ in interface DMZ
>> route outside 0.0.0.0 0.0.0.0 192.168.129.253 1
>> route inside 192.168.4.0 255.255.255.0 192.168.6.239 1
>> timeout xlate 3:00:00
>> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
>> timeout uauth 0:05:00 absolute
>> aaa-server TACACS+ protocol tacacs+
>> aaa-server RADIUS protocol radius
>> aaa-server LOCAL protocol local
>> http server enable
>> http 192.168.1.0 255.255.255.0 inside
>> http 192.168.4.0 255.255.255.0 inside
>> http 192.168.6.0 255.255.255.0 inside
>> no snmp-server location
>> no snmp-server contact
>> snmp-server community public
>> no snmp-server enable traps
>> floodguard enable
>> no sysopt route dnat
>> telnet 192.168.4.0 255.255.255.0 inside
>> telnet 192.168.1.1 255.255.255.255 inside
>> telnet 192.168.3.0 255.255.255.0 inside
>> telnet 192.168.6.0 255.255.255.0 inside
>> telnet 192.168.1.1 255.255.255.255 DMZ
>> telnet timeout 5
>> ssh timeout 5
>> dhcpd lease 3600
>> dhcpd ping_timeout 750
>> dhcpd auto_config outside
>> terminal width 80
>> Cryptochecksum:b97566d452e537c6a39fea284501b373
>> : end
>> pix515e(config)#
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:05 ART
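
The rule stated in Farrukh's reply, applied to the `ip address` and `route` lines of the quoted configuration, as an added example that is not part of the original thread. The helper names `parse`, `ingress` and `ping_result` are hypothetical, and the embedded config is an excerpt of the lines posted above.

```python
import ipaddress

# Excerpt of the configuration quoted in the thread (interface and route lines only).
CONFIG = """\
ip address outside 192.168.129.197 255.255.255.0
ip address inside 192.168.6.239 255.255.255.0
ip address DMZ 192.168.130.197 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.129.253 1
route inside 192.168.4.0 255.255.255.0 192.168.6.239 1
"""

def parse(config):
    """Return ({nameif: interface IP}, [(network, nameif)]) from PIX 6.x lines."""
    addrs, nets = {}, []
    for line in config.splitlines():
        f = line.split()
        if f[:2] == ["ip", "address"] and len(f) >= 5:
            iface = ipaddress.ip_interface(f"{f[3]}/{f[4]}")
            addrs[f[2]] = iface.ip
            nets.append((iface.network, f[2]))      # directly connected subnet
        elif f[:1] == ["route"] and len(f) >= 5:
            nets.append((ipaddress.ip_network(f"{f[2]}/{f[3]}"), f[1]))
    return addrs, nets

def ingress(src, nets):
    """Longest-prefix match: the interface a packet from src arrives on."""
    src = ipaddress.ip_address(src)
    hits = [(net.prefixlen, name) for net, name in nets if src in net]
    return max(hits)[1] if hits else None

def ping_result(src, dst, config=CONFIG):
    """Apply the rule from the thread: only the connected interface answers."""
    addrs, nets = parse(config)
    arrive = ingress(src, nets)
    target = ipaddress.ip_address(dst)
    owner = next((name for name, ip in addrs.items() if ip == target), None)
    if owner is None:
        return "through-traffic: destination is not a PIX interface address"
    if owner == arrive:
        return f"answered: {dst} is the {owner} interface the host is connected to"
    return f"no reply: {dst} is the {owner} interface, host arrives on {arrive}"

if __name__ == "__main__":
    for src, dst in [("192.168.6.10", "192.168.130.197"),   # inside host -> DMZ interface
                     ("192.168.4.40", "192.168.129.197"),   # inside host -> outside interface
                     ("192.168.6.10", "192.168.6.239"),     # inside host -> inside interface
                     ("192.168.6.10", "192.168.130.176")]:  # inside host -> DMZ device
        print(src, "->", dst, ":", ping_result(src, dst))
```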