[nsp] PIX only avail after pinging from it

Sven Huster sven at huster.me.uk
Fri Dec 12 03:44:53 EST 2003


Nope, the only thing configured for testing right now is the one static entry shown in the posted config

On Thu, Dec 11, 2003 at 11:19:07PM +0000, Stephen J. Wilcox wrote:
> I had this some time ago, only problem is I don't remember the exact cause or 
> what the fix was.. um are you doing some slightly odd things with nat, possibly 
> a static nat using one of the pix's own addresses?
> 
> Steve
> 
> On Wed, 10 Dec 2003, Sven Huster wrote:
> 
> > Hi
> > 
> > I got a PIX/UR running 6.3(1).
> > 
> > It looks like it is only available e.g. for ICMP once it pinged the other end first.
> > So I try to ping it and leave this running without any success.
> > As soon as I ping the host from the PIX it also starts to work the other way round.
> > 
> > Any ideas?
> > 
> > Part of the config follows:
> > 
> > interface ethernet0 100full
> > interface ethernet1 100full
> > interface ethernet1 vlan2 logical
> > interface ethernet1 vlan3 logical
> > 
> > nameif ethernet0 outside security0
> > nameif ethernet1 inside security100
> > nameif vlan2 dmz security10
> > nameif vlan3 internal security90
> > 
> > access-list compiled
> > access-list ACL_OUTSIDE_IN permit icmp any any
> > access-list ACL_OUTSIDE_IN permit ip host 10.0.0.1 any
> > access-list ACL_OUTSIDE_IN permit ip host 10.0.0.2 any
> > access-list ACL_DMZ_IN deny ip 192.168.254.0 255.255.255.0 192.168.254.0 255.255.255.0
> > access-list ACL_DMZ_IN permit icmp any any
> > access-list ACL_DMZ_IN permit ip any host 10.0.0.1
> > access-list ACL_DMZ_IN permit ip any host 10.0.0.2
> > access-list ACL_DMZ_IN permit udp any host 10.1.1.4 eq domain
> > access-list ACL_DMZ_IN permit udp any host 10.1.1.5 eq domain
> > 
> > icmp permit any outside
> > icmp permit any inside
> > icmp permit any dmz
> > icmp permit any internal
> > 
> > mtu outside 1500
> > mtu inside 1500
> > 
> > ip address outside 10.0.0.250 255.255.255.0
> > ip address inside 192.168.155.254 255.255.255.0
> > ip address dmz 192.168.254.254 255.255.255.0
> > ip address internal 192.168.151.254 255.255.255.0
> > 
> > arp timeout 14400
> > static (dmz,outside) 10.0.0.50 192.168.254.1 netmask 255.255.255.255 0 0
> > 
> > access-group ACL_OUTSIDE_IN in interface outside
> > access-group ACL_DMZ_IN in interface dmz
> > 
> > route outside 0.0.0.0 0.0.0.0 10.0.0.254 1
> > 
> > timeout xlate 3:00:00
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> > timeout uauth 0:05:00 absolute

