PIX 515 PING PROBLEM

13 years 6 months ago #35536 by Givenchy
Hi everyone, I am new to PIX configuration. I am facing a serious issue: I have a front ROUTER and a back ROUTER, and my PIX 515 (with outside, inside and DMZ interfaces) is in between. The idea is that the front router should bring in the internet and also forward SMTP mails to the PIX DMZ interface. The issue is that the SMTP mails cannot get to my PIX DMZ interface. I discovered that I cannot ping the outside and inside interfaces from the mail server connected to the DMZ interface.

What is it that I am doing wrong? My configuration is below. Please, I need help.

NGC-ROUTER-1 FRONT-ROUTER

interface GigabitEthernet0/0
description This interface connect to IDIRECT Modem
ip address 81.255.50.70 255.255.255.248
ip nat inside
duplex auto
speed auto
!
interface GigabitEthernet0/1
description This interface connect to CISCO ASA 5505 OUTSIDE INTERFACE
ip address 201.100.10.1 255.255.255.248
ip access-group 100 in
ip nat outside
duplex full
speed 100
!
interface Vlan1
no ip address
shutdown
!
ip nat pool NGC 81.255.50.70 81.255.50.70 netmask 255.255.255.248
ip nat inside source list 1 pool NGC overload
ip nat inside source static tcp 201.100.10.3 23 81.255.50.70 23
ip nat inside source static tcp 201.100.10.3 25 81.255.50.70 25
ip classless
ip route 0.0.0.0 0.0.0.0 80.255.50.57
!
!
access-list 1 permit 201.100.10.0 0.0.0.255
access-list 100 permit tcp any eq telnet host 81.255.50.70 eq telnet
access-list 100 permit tcp any eq smtp host 81.255.50.70 eq smtp
access-list 100 permit icmp any any
access-list 100 permit icmp any any unreachable
access-list 100 permit ip any any
!
!
!
!
end



PIXFIREWALL-CONFIG

PIX Version 7.0(8)
!
hostname NGCPIX01
enable password Kv/LCJk1mbXBigzF encrypted
passwd Kv/LCJk1mbXBigzF encrypted
names
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address 201.100.10.2 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.20.0.1 255.255.0.0
!
interface Ethernet2
speed 100
nameif DMZ
security-level 50
ip address 10.50.1.1 255.255.255.240
!
boot system flash:/image.bin
ftp mode passive
access-list dmz-in extended permit ip host 10.50.1.2 any
access-list dmz-in extended permit tcp 10.20.0.0 255.255.0.0 host 10.50.1.2
access-list out-in extended permit tcp any host 201.100.10.3 eq smtp
access-list out-in extended permit tcp any host 201.100.10.3 eq telnet
access-list out-in extended permit tcp any host 201.100.10.3 eq www
access-list out-in extended permit tcp any host 201.100.10.3 eq https
access-list out-in extended permit tcp any host 201.100.10.3 eq echo
access-list out-in extended permit udp any host 201.100.10.3 eq echo
access-list out-in extended permit udp any host 201.100.10.3 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool client_VPN 10.20.0.251-10.20.0.254
icmp permit any outside
icmp permit any inside
icmp permit any DMZ
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 10.40.0.2 255.255.255.255
nat (inside) 1 10.40.0.3 255.255.255.255
nat (inside) 1 10.40.0.5 255.255.255.255
nat (inside) 1 10.40.0.6 255.255.255.255
nat (inside) 1 10.40.0.7 255.255.255.255
nat (inside) 1 10.40.0.9 255.255.255.255
nat (inside) 1 10.40.0.10 255.255.255.255
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (inside,DMZ) 10.20.0.0 10.20.0.0 netmask 255.255.0.0
static (inside,outside) 201.100.10.3 10.40.0.3 netmask 255.255.255.255
access-group out-in in interface outside
access-group dmz-in in interface DMZ
route outside 0.0.0.0 0.0.0.0 201.100.10.1 1
route inside 10.40.0.0 255.255.0.0 10.20.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy ngc_group internal
group-policy ngc_group attributes
dns-server value 10.40.0.6
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
default-domain value ngc-nnpcgroup.com
username admin password 6IxYXK3bT/BJ.g8. encrypted
http server enable
http 10.20.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) none
tunnel-group 81.255.71.70 type ipsec-l2l
tunnel-group 81.255.71.70 ipsec-attributes
pre-shared-key *
tunnel-group ngc_group type ipsec-ra
tunnel-group ngc_group general-attributes
address-pool client_VPN
authentication-server-group (outside) none
default-group-policy ngc_group
tunnel-group ngc_group ipsec-attributes
pre-shared-key *
tunnel-group 201.100.10.3 type ipsec-l2l
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:86491db6f92804019b3bd272a741bd4c
: end
[OK]

NGC-ROUTER-2 BACK-ROUTER

interface FastEthernet0/0
description This interface connect to CISCO ASA 5505 INSIDE INTERFACE
ip address 10.20.0.2 255.255.0.0
duplex auto
speed auto
!
interface FastEthernet0/1
description This interface connect to NGC LAN
ip address 10.40.0.2 255.255.0.0
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.20.0.1
!
!
!
!
end
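As an added example (not part of the original post or of any Cisco tool), a small Python checker that reads the PIX static and access-list lines quoted above and traces where an inbound SMTP connection to 201.100.10.3 is delivered, so the translation target can be compared with the DMZ mail server the post describes. Interface names and addresses are taken from the post; the checker only understands host statics and the pre-8.3 ACL syntax shown there, and the config excerpt is constructed from those lines.

```python
import re

# Constructed excerpt: NAT and ACL lines copied from the PIX config quoted in the post.
PIX_CONFIG = """
access-list out-in extended permit tcp any host 201.100.10.3 eq smtp
access-list out-in extended permit tcp any host 201.100.10.3 eq telnet
access-list out-in extended permit tcp any host 201.100.10.3 eq www
static (inside,DMZ) 10.20.0.0 10.20.0.0 netmask 255.255.0.0
static (inside,outside) 201.100.10.3 10.40.0.3 netmask 255.255.255.255
access-group out-in in interface outside
"""

PORTS = {"smtp": 25, "telnet": 23, "www": 80, "https": 443, "echo": 7}

# Pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"access-list (\S+) extended permit (\S+) (.+?) host (\S+)(?: eq (\S+))?$")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")

def parse(cfg):
    """Collect statics, ACL entries keyed by name, and interface-to-ACL bindings."""
    statics, acls, groups = [], {}, {}
    for line in cfg.strip().splitlines():
        if m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := ACL_RE.match(line):
            name, proto, _src, dst, port = m.groups()
            acls.setdefault(name, []).append((proto, dst, PORTS.get(port)))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)
    return statics, acls, groups

def trace_inbound(cfg, ingress, proto, dst_ip, dst_port):
    """Return (permitted, egress_interface, real_ip) for a flow arriving on `ingress`.
    PIX 7.x matches the ingress ACL on the mapped (global) address, then a host
    static rewrites the destination to the real address behind the other interface."""
    statics, acls, groups = parse(cfg)
    rules = acls.get(groups.get(ingress), [])
    permitted = any(p == proto and d == dst_ip and port in (None, dst_port)
                    for p, d, port in rules)
    for real_if, mapped_if, mapped, real, mask in statics:
        if mapped_if == ingress and mapped == dst_ip and mask == "255.255.255.255":
            return permitted, real_if, real
    return permitted, None, None  # no static: with nat-control the flow is not forwarded

if __name__ == "__main__":
    ok, egress, real = trace_inbound(PIX_CONFIG, "outside", "tcp", "201.100.10.3", 25)
    print(f"SMTP to 201.100.10.3: permitted={ok}, delivered via {egress} to {real}")
    print("reaches DMZ mail server 10.50.1.2:", (egress, real) == ("DMZ", "10.50.1.2"))
```

Running it against the quoted config reports the interface and real host that the `static (inside,outside)` entry selects for port 25, which is the value to compare with where the mail server actually sits.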