OK, a few issues here.
I just installed a PIX515 replacing my 506. I have 3 interfaces now:
I have attached my configuration, but here's my dilemma.
I have mapped a test box on the DMZ; its IP is 10.0.20.10, and its outside address is 220.127.116.11.
When I ping that address from an outside client, I get this reply in my Syslog:
03-08-2007 09:15:44 Local4.Critical 10.0.10.1 Mar 08 2007 09:13:34: %PIX-2-106028: Dropping invalid echo reply from inside:10.0.20.10 to outside:18.104.22.168, source address 10.0.20.10 should not match dynamic port translation, real inside:10.0.20.10/1, mapped outside:22.214.171.124/1
Now I know it is a translation problem but I am not sure where, do I need to do a static (inside,dmz) 10.0.10.0 10.0.10.0...?
Less importantly I have another issue:
On my default gateway I added a route for the DMZ network, so even with the firewall shut down, I can ping servers on the DMZ from the inside 10.0.10.0/24 network. Does that make sense? Or should I remove that route and force all inside PCs to go through the firewall for access to the DMZ? I only ask because it seems that with that route I am defeating the purpose of a DMZ. Please advise?
Last question, like I said I can ping 10.0.20.0/24 network from the 10.0.10.0/24 network without the firewall at all, however for some reason I cannot ping the 10.0.20.4 DMZ interface itself from the 10.0.10.0/24 network, but I can ping that interface from the 10.0.20.0/24 network? What's wrong there?
thanks in advance, Rob
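The %PIX-2-106028 line quoted above is the kind of message worth pulling into structured fields when tracking down a translation problem. The following is an added example (not from the post or from Cisco) that parses the collector layout shown in the post and the 106028 body into its real/mapped translation fields; the header layout and field names are assumptions based on that one line.

```python
import re
from typing import Optional

# Assumed collector layout, as in the post:
# "<recv date> <recv time> <facility>.<severity> <reporting host> <device timestamp>: <PIX message>"
_HEADER = re.compile(
    r"^(?P<recv_date>\d{2}-\d{2}-\d{4}) (?P<recv_time>\d{2}:\d{2}:\d{2}) "
    r"(?P<facility>\w+)\.(?P<severity>\w+) (?P<host>[\d.]+) "
    r"(?P<dev_ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): (?P<body>%PIX-\d-\d+: .*)$"
)

# The 106028 body: source/destination of the dropped reply, then the real and
# mapped sides of the dynamic translation entry the PIX matched it against.
_MSG_106028 = re.compile(
    r"^%PIX-2-106028: Dropping invalid echo reply from "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+) to (?P<dst_if>\w+):(?P<dst_ip>[\d.]+), "
    r"source address (?P<src_addr>[\d.]+) should not match dynamic port translation, "
    r"real (?P<real_if>\w+):(?P<real_ip>[\d.]+)/(?P<real_port>\d+), "
    r"mapped (?P<mapped_if>\w+):(?P<mapped_ip>[\d.]+)/(?P<mapped_port>\d+)$"
)

def parse_pix_106028(line: str) -> Optional[dict]:
    """Fields of a %PIX-2-106028 line, or None for any other message or layout."""
    head = _HEADER.match(line.strip())
    if not head:
        return None
    body = _MSG_106028.match(head.group("body"))
    if not body:
        return None
    fields = {**head.groupdict(), **body.groupdict()}
    fields["real_port"] = int(fields["real_port"])
    fields["mapped_port"] = int(fields["mapped_port"])
    return fields

def describe_drop(fields: dict) -> str:
    """Alert text: whose echo reply was dropped and which real -> mapped entry it hit."""
    return (
        f"{fields['dev_ts']}: echo reply {fields['src_if']}:{fields['src_ip']} -> "
        f"{fields['dst_if']}:{fields['dst_ip']} dropped; matched dynamic PAT "
        f"{fields['real_if']}:{fields['real_ip']}/{fields['real_port']} -> "
        f"{fields['mapped_if']}:{fields['mapped_ip']}/{fields['mapped_port']}"
    )

# The line quoted in the post, used as sample input (split here only for width).
SAMPLE = (
    "03-08-2007 09:15:44 Local4.Critical 10.0.10.1 Mar 08 2007 09:13:34: "
    "%PIX-2-106028: Dropping invalid echo reply from inside:10.0.20.10 to "
    "outside:18.104.22.168, source address 10.0.20.10 should not match dynamic "
    "port translation, real inside:10.0.20.10/1, mapped outside:22.214.171.124/1"
)
```

Any line whose message ID is not 106028, or whose collector prefix differs from the assumed layout, is returned as None rather than partially parsed.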
Cool. If you want to allow the 10.0.10.0/24 network to be pingable from the DMZ host, you can add the following command to the PIX configuration:
static (inside,dmz) 10.0.10.0 10.0.10.0 netmask 255.255.255.0
Now from 10.0.10.0/24, you should be able to ping the DMZ host and vice-versa. Let me know if this helps.