Question : PIX 515e fw questions

Good morning to all.
I have some problems with my Cisco PIX 515e configuration and I'd appreciate your help.
My internal network is 192.168.1.0/24 connected to the FW inside interface (the PIX is doing NATing). The inside int. address is 192.168.1.101. The outside interface with the address 66.X.X.170 is connected to a small Cisco router's inside port. The routable network there is 66.X.X.170/29, and the port's address is 66.X.X.169. The default route is outside 0.0.0.0 0.0.0.0 66.X.X.169 1 OTHER static. I also created the rules to allow echo-reply to get in and I permitted pinging both FW interfaces from the inside.
Q1: The users can get out OK. I can ping 192.168.1.101 from the stations and from PIX no problem. I can ping yahoo.com from the stations. I can ping both interfaces from PIX no problem. I CANNOT ping the gateway (66.X.X.169) or yahoo.com (by the address) from PIX (OK from the stations). I CANNOT ping the outside interface (66.X.X.170) from the stations. It's like the outside interface is not letting the pings out (or in?). What am I doing wrong?
Q2: I have to kill the internet connection for some of the users (management requirement :( ). I created the object on the inside int. with the internal IP address to test it. The access rule I am creating is (translated by PDM):
access-list inside_access_in deny ip host 192.168.1.23  any
access-group inside_access_in in interface inside
As soon as I hit Apply, all internet is cut for everyone (even pings are stopped). What am I missing?
Q3: There is a host on the outside interface with the address 66.X.X.168, which I didn't create. When I ping it from the inside station the reply comes from 66.X.X.169??? What is it?
I truly appreciate any help. Thank you for your time.
The current configuration is below:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security40
enable password 2Tu2KsO8sbJlB.Bj encrypted
passwd 2Tu2KsO8sbJlB.Bj encrypted
hostname FW
domain-name ***.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names        
name 192.168.1.0 Internal
name 66.X.X.168 Internet         <-- ???
name 192.168.1.16 amccabe
name 192.168.1.99 WebCamera
object-group service email tcp
  port-object eq pop3
  port-object eq pop2
  port-object eq smtp
object-group network NoInternet
  description To deny internet
  network-object 192.168.1.23 255.255.255.255
object-group service WebCamera tcp-udp
  port-object eq 3650
  port-object eq 5066
  port-object eq 3550
  port-object eq 4550
  port-object eq 5550
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any traceroute
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit icmp any any timestamp-reply
access-list outside_access_in permit icmp any any information-reply
access-list outside_access_in permit icmp any any mask-reply
access-list outside_access_in permit tcp any host 66.X.X.172 object-group WebCamera
access-list outside_access_in permit udp any host 66.X.X.172 object-group WebCamera
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full shutdown
icmp permit Internal 255.255.255.0 outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 66.X.X.170 255.255.255.248
ip address inside 192.168.1.101 255.255.255.0
ip address dmz 127.0.0.1 255.255.255.255
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.23 255.255.255.255 inside
pdm location 192.168.1.3 255.255.255.255 inside
pdm location 192.168.1.4 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.248 outside
pdm location amccabe 255.255.255.255 inside
pdm location WebCamera 255.255.255.255 inside
pdm location 66.X.X.0 255.255.255.0 outside
pdm location 66.X.X.172 255.255.255.255 outside
pdm group NoInternet inside
pdm logging errors 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0
static (inside,outside) 66.X.X.172 WebCamera netmask 255.255.255.255 0 0
static (outside,inside) WebCamera 66.X.X.172 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 66.X.X.169 1
route outside 66.X.X.172 255.255.255.255 WebCamera 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
ntp server 192.168.1.3 source inside prefer
http server enable
http 192.168.1.3 255.255.255.255 inside
http 192.168.1.4 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.1.3 c:\tftp-root
floodguard enable
sysopt noproxyarp inside
no sysopt route dnat
isakmp enable inside
isakmp identity address
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.1.3 255.255.255.255 inside
telnet timeout 5
ssh 192.168.1.3 255.255.255.255 inside
ssh timeout 5
username fwadmin password cQCgz/2psOeHGpOw encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
terminal width 80
Cryptochecksum:179683a8ef8149355e311733c60a7dde
: end
[OK]

Answer : PIX 515e fw questions

Q1: >I CANNOT ping the outside interface (66.X.X.170) from the stations.
Can't do it anyway. You can only ping the outside interface from the outside. That's just the way the PIX works.

Q2: you have to add another rule to the outbound acl:
access-list inside_access_in deny ip host 192.168.1.23  any
access-list inside_access_in permit ip any any

Q3: >host on the outside interface with the address 66.X.X.168
.168 is the network address with the subnet mask on the outside interface. If you ping a network address, all stations 'may' reply. In your case, .169 is the router's interface, and since .170 is your PIX interface, you can't get a reply from it (see Q1)

Hope this helps!
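The two points in the answer above, first-match ACL evaluation with the PIX's implicit deny (Q2) and the network address of a /29 (Q3), as an added worked example that is not part of the original post. It is a small Python model of the PIX behaviour, not PIX code: the rule list is the posted inside_access_in with and without the suggested permit line, 203.0.113.5 stands in for the pinged Internet host, and 66.0.0.168/29 is a constructed placeholder for the masked 66.X.X.168/29 block.

```python
import ipaddress
from dataclasses import dataclass

# "any" in a PIX access-list is the whole address space.
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol; else "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def host(addr: str) -> ipaddress.IPv4Network:
    """'host A.B.C.D' in PIX syntax is a /32."""
    return ipaddress.ip_network(f"{addr}/32")


def evaluate(acl, proto: str, src: str, dst: str) -> str:
    """Walk the ACL top to bottom; the first matching rule decides.
    If nothing matches, the PIX applies an implicit deny at the end,
    which is why an ACL containing only a deny line blocks everyone."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for rule in acl:
        if rule.proto != "ip" and rule.proto != proto:
            continue
        if s in rule.src and d in rule.dst:
            return rule.action
    return "deny"  # implicit deny, never written in the config


# Q2: the ACL exactly as posted (one deny line, nothing else).
acl_as_posted = [Rule("deny", "ip", host("192.168.1.23"), ANY)]

# Q2: the ACL with the permit line the answer recommends appended.
acl_fixed = acl_as_posted + [Rule("permit", "ip", ANY, ANY)]


def classify(addr: str, network: str) -> str:
    """Q3: say what an address is within a subnet: the network address,
    the broadcast address, a usable host, or outside the block."""
    net = ipaddress.ip_network(network, strict=False)
    a = ipaddress.ip_address(addr)
    if a not in net:
        return "outside"
    if a == net.network_address:
        return "network"
    if a == net.broadcast_address:
        return "broadcast"
    return "host"


if __name__ == "__main__":
    internet_host = "203.0.113.5"  # constructed stand-in for yahoo.com
    for name, acl in (("as posted", acl_as_posted), ("with permit", acl_fixed)):
        for station in ("192.168.1.23", "192.168.1.50"):
            print(f"{name:12} {station} -> {internet_host}: "
                  f"{evaluate(acl, 'icmp', station, internet_host)}")
    block = "66.0.0.168/29"  # placeholder for the masked 66.X.X.168/29
    for a in ("66.0.0.168", "66.0.0.169", "66.0.0.170", "66.0.0.175"):
        print(f"{a} is the {classify(a, block)} address of {block}")
```

Running it shows the symptom from Q2 (every station denied under the one-line ACL, only 192.168.1.23 denied once the permit line is added) and, for Q3, that .168 is the network address of the /29, .175 its broadcast, and .169 and .170 the router and PIX host addresses.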
