[nsp] PIX only avail after pinging from it
Voll, Scott
Scott.Voll at wesd.org
Wed Dec 10 14:03:53 EST 2003
I can't find any documentation on the PIX outside interface.
But pinging the host on the DMZ, you have mapped an address that should
be on the outside. You need to map a different subnet because the PIX
is acting as a layer three device. That could be the issue. Someone
correct me if I'm wrong.
Scott
-----Original Message-----
From: Sven Huster [mailto:sven at huster.me.uk]
Sent: Wednesday, December 10, 2003 8:25 AM
To: Voll, Scott
Cc: cisco-nsp at puck.nether.net
Subject: Re: [nsp] PIX only avail after pinging from it
Hi
I try to ping from 10.0.0.1 (host) and 10.0.0.254 (gateway) to the outside
interface with no success. After pinging from the outside interface to
these IPs I get two-way communication going, but just to the PIX, not
the host mapped by the static command.
This behaviour is reproducible by clearing the ARP entries on the host
and the gateway.
BTW the gateway is an Alpine 3808 and the host is switched through it to
access the PIX, which is on a dedicated port there.
--
Sven
On Wed, Dec 10, 2003 at 08:10:41AM -0800, Voll, Scott wrote:
> Sven--
>
> On what interface are you pinging from? And what interface are you
> pinging to? What is the IP address of the PC?
>
> Scott
>
> -----Original Message-----
> From: Sven Huster [mailto:sven at huster.me.uk]
> Sent: Wednesday, December 10, 2003 2:14 AM
> To: cisco-nsp at puck.nether.net
> Subject: [nsp] PIX only avail after pinging from it
>
> Hi
>
> I got a PIX/UR running 6.3(1).
>
> It looks like it is only available, e.g. for ICMP, once it has pinged the
> other end first.
> So I try to ping it and leave this running without any success.
> As soon as I ping the host from the PIX it also starts to work the
> other way round.
>
> Any ideas?
>
> Part of the config follows:
>
> interface ethernet0 100full
> interface ethernet1 100full
> interface ethernet1 vlan2 logical
> interface ethernet1 vlan3 logical
>
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif vlan2 dmz security10
> nameif vlan3 internal security90
>
> access-list compiled
> access-list ACL_OUTSIDE_IN permit icmp any any
> access-list ACL_OUTSIDE_IN permit ip host 10.0.0.1 any
> access-list ACL_OUTSIDE_IN permit ip host 10.0.0.2 any
> access-list ACL_DMZ_IN deny ip 192.168.254.0 255.255.255.0 192.168.254.0 255.255.255.0
> access-list ACL_DMZ_IN permit icmp any any
> access-list ACL_DMZ_IN permit ip any host 10.0.0.1
> access-list ACL_DMZ_IN permit ip any host 10.0.0.2
> access-list ACL_DMZ_IN permit udp any host 10.1.1.4 eq domain
> access-list ACL_DMZ_IN permit udp any host 10.1.1.5 eq domain
>
> icmp permit any outside
> icmp permit any inside
> icmp permit any dmz
> icmp permit any internal
>
> mtu outside 1500
> mtu inside 1500
>
> ip address outside 10.0.0.250 255.255.255.0
> ip address inside 192.168.155.254 255.255.255.0
> ip address dmz 192.168.254.254 255.255.255.0
> ip address internal 192.168.151.254 255.255.255.0
>
> arp timeout 14400
> static (dmz,outside) 10.0.0.50 192.168.254.1 netmask 255.255.255.255 0 0
>
> access-group ACL_OUTSIDE_IN in interface outside
> access-group ACL_DMZ_IN in interface dmz
>
> route outside 0.0.0.0 0.0.0.0 10.0.0.254 1
>
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
>
> Thanks
> Regards
> --
> Sven
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
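Editor's added example (not code from the thread or from Cisco): a small Python checker for PIX 6.x-style `static` statements, run here against a trimmed copy of the config quoted above, with the line-wrapped entries rejoined. For each `static (real,mapped) GLOBAL LOCAL ...` it reports whether GLOBAL sits on the mapped interface's own subnet (in which case the PIX itself has to answer ARP for it on that interface, which `sysopt noproxyarp <if>` would switch off), whether LOCAL sits on the real interface's subnet, and whether the inbound ACL bound to the mapped interface lets ICMP from a given probe source reach GLOBAL. It assumes PIX 6.x semantics, where an inbound ACL on the outside interface is matched against the global (untranslated) address, and it only understands the statement forms present in the quoted config; anything else is ignored.

```python
"""Static NAT reachability checker for PIX 6.x-style configuration text."""
import ipaddress
import re

# Constructed sample input: the config quoted in the thread, trimmed to the
# statements this checker reads, with wrapped lines rejoined.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security10
access-list ACL_OUTSIDE_IN permit icmp any any
access-list ACL_OUTSIDE_IN permit ip host 10.0.0.1 any
access-list ACL_DMZ_IN deny ip 192.168.254.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list ACL_DMZ_IN permit icmp any any
ip address outside 10.0.0.250 255.255.255.0
ip address inside 192.168.155.254 255.255.255.0
ip address dmz 192.168.254.254 255.255.255.0
static (dmz,outside) 10.0.0.50 192.168.254.1 netmask 255.255.255.255 0 0
access-group ACL_OUTSIDE_IN in interface outside
access-group ACL_DMZ_IN in interface dmz
route outside 0.0.0.0 0.0.0.0 10.0.0.254 1
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")


def parse_config(text):
    """Pull interface addresses, ACLs, access-groups, statics and noproxyarp out of config text."""
    cfg = {"ifaces": {}, "acls": {}, "groups": {}, "statics": [], "noproxyarp": set()}
    for line in text.splitlines():
        line = line.strip()
        t = line.split()
        if len(t) >= 5 and t[:2] == ["ip", "address"]:
            cfg["ifaces"][t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif len(t) >= 3 and t[0] == "access-list" and t[2] in ("permit", "deny"):
            cfg["acls"].setdefault(t[1], []).append(t[2:])
        elif len(t) >= 5 and t[0] == "access-group":
            cfg["groups"][t[4]] = t[1]  # interface name -> ACL name bound inbound
        elif len(t) >= 3 and t[:2] == ["sysopt", "noproxyarp"]:
            cfg["noproxyarp"].add(t[2])
        else:
            m = STATIC_RE.match(line)
            if m:
                real, mapped, glob, local = m.groups()
                cfg["statics"].append(
                    {"real_if": real, "mapped_if": mapped, "global": glob, "local": local})
    return cfg


def _addr_spec(tokens, i):
    """Parse one ACL address spec (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def acl_permits(entries, proto, src, dst):
    """First-match ACL evaluation with the implicit deny at the end.

    `entries` are token lists such as ['permit', 'icmp', 'any', 'any'];
    port qualifiers after the destination are ignored, which is enough for ICMP.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        action, eproto = e[0], e[1]
        if eproto not in ("ip", proto):
            continue
        snet, i = _addr_spec(e, 2)
        dnet, _ = _addr_spec(e, i)
        if src in snet and dst in dnet:
            return action == "permit"
    return False


def check_statics(cfg, probe_src):
    """Per static: subnet placement, proxy-ARP status and ICMP admission from probe_src to GLOBAL."""
    reports = []
    for s in cfg["statics"]:
        mapped_net = cfg["ifaces"][s["mapped_if"]].network
        real_net = cfg["ifaces"][s["real_if"]].network
        acl_name = cfg["groups"].get(s["mapped_if"])
        # With no ACL bound, lower-to-higher security traffic is dropped, so no ACL means no ICMP.
        icmp_ok = bool(acl_name) and acl_permits(
            cfg["acls"].get(acl_name, []), "icmp", probe_src, s["global"])
        reports.append({
            "global": s["global"],
            "local": s["local"],
            "global_on_mapped_subnet": ipaddress.ip_address(s["global"]) in mapped_net,
            "local_on_real_subnet": ipaddress.ip_address(s["local"]) in real_net,
            "proxy_arp_disabled": s["mapped_if"] in cfg["noproxyarp"],
            "icmp_permitted_inbound": icmp_ok,
        })
    return reports


if __name__ == "__main__":
    for report in check_statics(parse_config(SAMPLE_CONFIG), "10.0.0.1"):
        print(report)
```

For the quoted config the checker reports that 10.0.0.50 is on the outside interface's 10.0.0.0/24, that proxy ARP for it has not been disabled, and that ACL_OUTSIDE_IN admits ICMP to it, so the ACL and subnet placement are not where to look; the remaining variable is whether the neighbours on the outside segment actually resolve 10.0.0.50 to the PIX, which is what clearing ARP on the host and gateway exercises.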