[nsp] PIX only avail after pinging from it
Goldberg Alain (IT)
alain at towersemi.com
Wed Dec 10 08:37:11 EST 2003
I am not a PIX specialist and thus I will not go into your
configuration, BUT:
The problem you describe looks like a typical ARP issue, because when you
ping from the PIX you actually supply the Ethernet address
(xx:xx:xx:xx:xx:xx) of the PIX to the given host, and then this host is
able to reach the PIX.
The first thing I would check is that the netmask on the PIX is the same
as on the other hosts.
Then check if you are not blocking incoming ARP requests on the PIX.
My 5 cents.
Regards,
_________________________________________
Alain Goldberg - Network manager - CCDA/CCNA
Tower Semiconductors LTD.
Tel : 972-4-6506003 Fax : 972-4-6547788
"I love a well designed chaos" - Sixtus dixit
-----Original Message-----
From: Sven Huster [mailto:sven at huster.me.uk]
Sent: Wednesday, December 10, 2003 12:14 PM
To: cisco-nsp at puck.nether.net
Subject: [nsp] PIX only avail after pinging from it
Hi
I got a PIX/UR running 6.3(1).
It looks like it is only available, e.g. for ICMP, once it has pinged the
other end first.
So I try to ping it and leave this running without any success.
As soon as I ping the host from the PIX it also starts to work the other
way round.
Any ideas?
Part of the config follows:
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan2 logical
interface ethernet1 vlan3 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security10
nameif vlan3 internal security90
access-list compiled
access-list ACL_OUTSIDE_IN permit icmp any any
access-list ACL_OUTSIDE_IN permit ip host 10.0.0.1 any
access-list ACL_OUTSIDE_IN permit ip host 10.0.0.2 any
access-list ACL_DMZ_IN deny ip 192.168.254.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list ACL_DMZ_IN permit icmp any any
access-list ACL_DMZ_IN permit ip any host 10.0.0.1
access-list ACL_DMZ_IN permit ip any host 10.0.0.2
access-list ACL_DMZ_IN permit udp any host 10.1.1.4 eq domain
access-list ACL_DMZ_IN permit udp any host 10.1.1.5 eq domain
icmp permit any outside
icmp permit any inside
icmp permit any dmz
icmp permit any internal
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.250 255.255.255.0
ip address inside 192.168.155.254 255.255.255.0
ip address dmz 192.168.254.254 255.255.255.0
ip address internal 192.168.151.254 255.255.255.0
arp timeout 14400
static (dmz,outside) 10.0.0.50 192.168.254.1 netmask 255.255.255.255 0 0
access-group ACL_OUTSIDE_IN in interface outside
access-group ACL_DMZ_IN in interface dmz
route outside 0.0.0.0 0.0.0.0 10.0.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
Thanks
Regards
--
Sven
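The ARP mechanism Alain points at can be modelled without touching a PIX. The script below is an added example and is not code from either message or from Cisco: it encodes and decodes RFC 826 ARP packets and plays out two stations on the outside segment (the PIX at 10.0.0.250/24 and the host 10.0.0.1 from the posted config; the MAC addresses are made up). One station is flagged to ignore inbound ARP requests, which is the hypothesis being tested. The host's own who-has then goes unanswered, but when the "PIX" ARPs for the host before pinging it, the host learns the PIX's MAC from that request (the RFC 826 merge step), and from then on the host can reach the PIX, reproducing the symptom in the original post. A netmask-consistency check is included as the other thing Alain suggests verifying.

```python
"""Model of the ARP behaviour behind "PIX only reachable after pinging from it".

Added example, not from the thread. IP addresses follow the posted config;
the MAC addresses and the drop_arp_requests flag are assumptions for the model.
"""
import ipaddress
import struct
from dataclasses import dataclass, field

ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, smac, sip, tmac, tip):
    """Encode a 28-byte Ethernet/IPv4 ARP payload (RFC 826)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_bytes(smac), ipaddress.IPv4Address(sip).packed,
                       mac_bytes(tmac), ipaddress.IPv4Address(tip).packed)


def parse_arp(payload):
    """Decode an ARP payload into (op, sender_mac, sender_ip, target_mac, target_ip)."""
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return (op, mac_str(smac), str(ipaddress.IPv4Address(sip)),
            mac_str(tmac), str(ipaddress.IPv4Address(tip)))


@dataclass
class Station:
    ip: str
    mac: str
    netmask: str
    drop_arp_requests: bool = False  # assumption: models a box that ignores inbound who-has
    arp_cache: dict = field(default_factory=dict)

    def on_link(self, other_ip):
        """Would this station send directly to other_ip, or via its default route?"""
        net = ipaddress.IPv4Network(f"{self.ip}/{self.netmask}", strict=False)
        return ipaddress.IPv4Address(other_ip) in net

    def receive(self, payload):
        """Process one ARP packet addressed to this station; return a reply or None."""
        op, smac, sip, _tmac, tip = parse_arp(payload)
        if tip != self.ip:
            return None
        if op == ARP_REQUEST and self.drop_arp_requests:
            return None  # request silently discarded: nothing learned, nothing answered
        # RFC 826 merge step: the target learns the sender's mapping from any packet,
        # including a request. This is what "ping from the PIX" gives the host.
        self.arp_cache[sip] = smac
        if op == ARP_REQUEST:
            return build_arp(ARP_REPLY, self.mac, self.ip, smac, sip)
        return None

    def resolve(self, peer):
        """What a ping to peer needs first: a MAC for peer.ip in our ARP cache."""
        if not self.on_link(peer.ip):
            return False  # would ARP for the default gateway, not for peer
        if peer.ip in self.arp_cache:
            return True
        reply = peer.receive(build_arp(ARP_REQUEST, self.mac, self.ip, ZERO_MAC, peer.ip))
        if reply is not None:
            self.receive(reply)
        return peer.ip in self.arp_cache


def netmask_mismatch(a, b):
    """True when the two stations disagree about being on the same link."""
    return a.on_link(b.ip) != b.on_link(a.ip)


def reproduce(pix_drops_arp=True):
    """Return (host can reach PIX before PIX pings it, host can reach PIX after)."""
    host = Station("10.0.0.1", "00:aa:bb:cc:dd:ee", "255.255.255.0")
    pix = Station("10.0.0.250", "00:11:22:33:44:55", "255.255.255.0",
                  drop_arp_requests=pix_drops_arp)
    before = host.resolve(pix)   # host's who-has is ignored -> no MAC -> ping fails
    pix.resolve(host)            # PIX ARPs for host; host learns PIX MAC from the request
    after = host.resolve(pix)    # now cached -> ping works "the other way round"
    return before, after


if __name__ == "__main__":
    print("PIX ignores inbound ARP requests:", reproduce(True))   # (False, True)
    print("PIX answers ARP normally:        ", reproduce(False))  # (True, True)
```

On real gear the same two observations settle it: `show arp` on the PIX and the host's ARP table (`arp -a`) before and after the ping from the PIX, plus a capture of ARP on the host (`tcpdump -n arp`) while the host's ping is failing, which shows whether the PIX ever answers the host's who-has. Note that the PIX keeps its entries for 4 hours (`arp timeout 14400` in the posted config) while most hosts expire theirs much sooner, so a cache learned this way comes and goes from the host side.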
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/