[nsp] PIX only avail after pinging from it

Stephen J. Wilcox steve at telecomplete.co.uk
Thu Dec 11 18:19:07 EST 2003


I had this some time ago, only problem is I don't remember the exact cause or 
what the fix was.. um, are you doing some slightly odd things with NAT, possibly 
a static NAT using one of the PIX's own addresses?

Steve

On Wed, 10 Dec 2003, Sven Huster wrote:

> Hi
> 
> I got a PIX/UR running 6.3(1).
> 
> It looks like it is only available, e.g. for ICMP, once it has pinged the other end first.
> So I try to ping it and leave this running without any success.
> As soon as I ping the host from the PIX it also starts to work the other way round.
> 
> Any ideas?
> 
> Part of the config follows:
> 
> interface ethernet0 100full
> interface ethernet1 100full
> interface ethernet1 vlan2 logical
> interface ethernet1 vlan3 logical
> 
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif vlan2 dmz security10
> nameif vlan3 internal security90
> 
> access-list compiled
> access-list ACL_OUTSIDE_IN permit icmp any any
> access-list ACL_OUTSIDE_IN permit ip host 10.0.0.1 any
> access-list ACL_OUTSIDE_IN permit ip host 10.0.0.2 any
> access-list ACL_DMZ_IN deny ip 192.168.254.0 255.255.255.0 192.168.254.0 255.255.255.0
> access-list ACL_DMZ_IN permit icmp any any
> access-list ACL_DMZ_IN permit ip any host 10.0.0.1
> access-list ACL_DMZ_IN permit ip any host 10.0.0.2
> access-list ACL_DMZ_IN permit udp any host 10.1.1.4 eq domain
> access-list ACL_DMZ_IN permit udp any host 10.1.1.5 eq domain
> 
> icmp permit any outside
> icmp permit any inside
> icmp permit any dmz
> icmp permit any internal
> 
> mtu outside 1500
> mtu inside 1500
> 
> ip address outside 10.0.0.250 255.255.255.0
> ip address inside 192.168.155.254 255.255.255.0
> ip address dmz 192.168.254.254 255.255.255.0
> ip address internal 192.168.151.254 255.255.255.0
> 
> arp timeout 14400
> static (dmz,outside) 10.0.0.50 192.168.254.1 netmask 255.255.255.255 0 0
> 
> access-group ACL_OUTSIDE_IN in interface outside
> access-group ACL_DMZ_IN in interface dmz
> 
> route outside 0.0.0.0 0.0.0.0 10.0.0.254 1
> 
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> 
> Thanks 
> Regards
> --
> Sven
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
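The overlap Steve asks about (a static whose global address is one of the PIX's own interface addresses) can be checked mechanically rather than by eye. The script below is an added example, not code from the original thread or from Cisco: it parses only the `ip address` and `static` lines copied from Sven's posted config, flags any static whose mapped range contains a PIX interface address, and also runs against a constructed variant that has exactly that mistake. Everything else (the regexes, the severity labels, the ignoring of all other config lines) is an assumption of the example.

```python
"""Offline check of a PIX 6.x config for static NAT global addresses that
collide with the firewall's own interface addresses.

Added example, not from the original post. Only `ip address` and `static`
lines are inspected (an assumption of this example); all other config is ignored.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Interface and static lines copied from Sven's posted config.
POSTED_CONFIG = """
ip address outside 10.0.0.250 255.255.255.0
ip address inside 192.168.155.254 255.255.255.0
ip address dmz 192.168.254.254 255.255.255.0
ip address internal 192.168.151.254 255.255.255.0
static (dmz,outside) 10.0.0.50 192.168.254.1 netmask 255.255.255.255 0 0
"""

# Constructed variant showing the mistake Steve asks about: the static's
# global address is the PIX's own outside address.
BAD_CONFIG = POSTED_CONFIG.replace(
    "static (dmz,outside) 10.0.0.50", "static (dmz,outside) 10.0.0.250")

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
# PIX 6.x syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask [max_conns [emb_limit]]
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")

Static = Tuple[str, str, ipaddress.IPv4Network, ipaddress.IPv4Address]


def parse_interfaces(config: str) -> Dict[str, ipaddress.IPv4Interface]:
    """Map nameif -> address/mask from `ip address <nameif> <ip> <mask>` lines."""
    ifaces: Dict[str, ipaddress.IPv4Interface] = {}
    for line in config.splitlines():
        m = IP_ADDR_RE.match(line.strip())
        if m:
            name, addr, mask = m.groups()
            ifaces[name] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return ifaces


def parse_statics(config: str) -> List[Static]:
    """Extract (real_ifc, mapped_ifc, mapped network, real address) per static."""
    statics: List[Static] = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            real_if, mapped_if, mapped_ip, real_ip, mask = m.groups()
            mapped_net = ipaddress.IPv4Network(f"{mapped_ip}/{mask}", strict=False)
            statics.append((real_if, mapped_if, mapped_net, ipaddress.IPv4Address(real_ip)))
    return statics


def check_statics(config: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings.

    'collision': a static's mapped range contains one of the PIX's own addresses.
    'error':     a static names an interface with no `ip address` line.
    'info':      the mapped range sits inside the mapped interface's subnet, so
                 the PIX proxy-ARPs for it on that segment (default behaviour).
    """
    ifaces = parse_interfaces(config)
    findings: List[Tuple[str, str]] = []
    for real_if, mapped_if, mapped_net, real_ip in parse_statics(config):
        for name in (real_if, mapped_if):
            if name not in ifaces:
                findings.append(("error", f"static references unknown interface {name}"))
        for name, iface in ifaces.items():
            if iface.ip in mapped_net:
                findings.append(("collision",
                                 f"static ({real_if},{mapped_if}) maps {mapped_net} for {real_ip}, "
                                 f"which contains the PIX's own {name} address {iface.ip}"))
        mapped_iface = ifaces.get(mapped_if)
        if mapped_iface and mapped_net.network_address in mapped_iface.network:
            findings.append(("info",
                             f"mapped {mapped_net} lies in the {mapped_if} subnet "
                             f"{mapped_iface.network}; the PIX answers ARP for it there"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted config", POSTED_CONFIG), ("constructed bad config", BAD_CONFIG)):
        print(f"== {label} ==")
        for severity, msg in check_statics(cfg):
            print(f"[{severity}] {msg}")
```

On the posted config the check finds no collision: 10.0.0.50 is distinct from the outside address 10.0.0.250, so if an address overlap is the cause it is not visible in the lines quoted. One further point a practitioner would check while here: on PIX 6.x the `icmp permit` lines govern ICMP addressed to the PIX interfaces themselves, while the `access-group` ACLs govern traffic passing through the firewall, so the two need to be read separately when deciding which one a failing ping is hitting.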


