Re: Help config Pix 501 . . . please



In article <1126493297.078504.294320@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
millsusaf <ebrianmills@xxxxxxxxx> wrote:
:From inside the network I can get out, and from outside the network I
:can get in and ping a couple of devices but I can not get back out to
:the internet.

You can't do that with a PIX 501.

:I also can not get to the pix (192.168.69.1).

You can only ping your "closest" interface, unless you are using
a management VPN.

: Also
:when the pix gives me my ip (VPNd in) I get a 172.168.69.1 as a
:gateway. Is this correct?

Possibly accurate, but certainly not "correct".


:Here is my config:

:PIX Version 6.3(1)

You need to upgrade to at least 6.3(4), as there are significant
security issues with 6.3(1) and 6.3(3). The upgrade is free from
6.3(1) to 6.3(4). Search Cisco's site for "PIX security advisories"
for more details.

:access-list 101 permit ip 192.168.69.0 255.255.255.0 172.168.69.0 255.255.255.0

:ip address inside 192.168.69.1 255.255.255.0
:ip local pool ippool 172.168.69.1-172.168.69.15

I doubt you work for America Online (AOL), so it's not a good
idea to be using their IP address space, 172.128.0.0 - 172.191.255.255.

Your inside address space is 192.168.69/24, which is fine as
that is part of the RFC1918 reserved private address spaces. But
172.168.69/24 is public IP space. The RFC1918 reserved private 172.*
address spaces are 172.16.0.0 through 172.31.255.255.
I suggest you choose a different IP space for your VPN -- something
like 192.168.70/24 or 192.168.169/24 .
--
"I will speculate that [...] applications [...] could actually see a
performance boost for most users by going dual-core [...] because it
is running the adware and spyware that [...] are otherwise slowing
down the single CPU that user has today" -- Herb Sutter
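A small checker for the class of mistake pointed out in this reply (a VPN pool or ACL carved out of public address space), added here as an example and not part of the original thread. It parses the three PIX commands quoted in the post and flags any declared range outside RFC1918; the `fixedpool` line is a constructed comparison, not from the poster's config.

```python
import ipaddress

# Constructed sample: the three address-bearing lines quoted from the
# poster's PIX 501 config, plus a corrected pool line for comparison.
PIX_CONFIG = """\
ip address inside 192.168.69.1 255.255.255.0
ip local pool ippool 172.168.69.1-172.168.69.15
access-list 101 permit ip 192.168.69.0 255.255.255.0 172.168.69.0 255.255.255.0
ip local pool fixedpool 192.168.70.1-192.168.70.15
"""

# The three RFC1918 private blocks; note 172.x is only private for 172.16-172.31.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(obj):
    """True if a single address or a whole network lies inside RFC1918 space."""
    if isinstance(obj, ipaddress.IPv4Address):
        return any(obj in block for block in RFC1918)
    return any(obj.subnet_of(block) for block in RFC1918)


def extract(config):
    """Yield (config line, address-or-network) for the PIX commands handled here."""
    for line in config.splitlines():
        w = line.split()
        if len(w) >= 5 and w[:2] == ["ip", "address"]:
            # ip address <ifname> <addr> <mask>
            yield line, ipaddress.ip_interface(f"{w[3]}/{w[4]}").network
        elif len(w) >= 5 and w[:3] == ["ip", "local", "pool"]:
            # ip local pool <name> <first>-<last>: check both ends of the pool
            for end in w[4].split("-"):
                yield line, ipaddress.ip_address(end)
        elif len(w) >= 8 and w[0] == "access-list" and w[3] == "ip":
            # access-list <id> permit|deny ip <src> <mask> <dst> <mask>
            # (PIX ACLs use real subnet masks, not IOS wildcard masks)
            for addr, mask in ((w[4], w[5]), (w[6], w[7])):
                yield line, ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def public_ranges(config):
    """Return [(line, range)] for every declared range that is not RFC1918."""
    return [(line, str(obj)) for line, obj in extract(config) if not is_rfc1918(obj)]


if __name__ == "__main__":
    for line, rng in public_ranges(PIX_CONFIG):
        print(f"public address space {rng} in: {line}")
```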