
Cannot Ping Servers in DMZ from Outside and

thebrom
Level 1

Ok a few issues here.

I just installed a PIX515 replacing my 506. I have 3 interfaces now:

Inside 10.0.10.0/24

DMZ 10.0.20.0/24

Outside 64.69.117.0

I have attached my configuration, but here's my dilemma.

I have mapped a test box on the DMZ; its IP is 10.0.20.10, and its outside address is 64.69.117.29.

When I ping that address from an outside client, I get this reply in my Syslog:

03-08-2007 09:15:44 Local4.Critical 10.0.10.1 Mar 08 2007 09:13:34: %PIX-2-106028: Dropping invalid echo reply from inside:10.0.20.10 to outside:69.255.109.188, source address 10.0.20.10 should not match dynamic port translation, real inside:10.0.20.10/1, mapped outside:64.69.117.62/1

Now I know it is a translation problem but I am not sure where, do I need to do a static (inside,dmz) 10.0.10.0 10.0.10.0...?

Less importantly I have another issue:

On my default gateway I added a route for the DMZ network, so even with the firewall shut down, I can ping servers on the DMZ from the inside 10.0.10.0/24 network. Does that make sense? Or should I remove that route, and force all inside PCs to go through the firewall for access to the DMZ? I only ask because it seems that with that route I am defeating the purpose of a DMZ. Please advise?

Last question, like I said I can ping 10.0.20.0/24 network from the 10.0.10.0/24 network without the firewall at all, however for some reason I cannot ping the 10.0.20.4 DMZ interface itself from the 10.0.10.0/24 network, but I can ping that interface from the 10.0.20.0/24 network? What's wrong there?

thanks in advance, Rob


16 Replies

vitripat
Level 7

There is one big issue here which would resolve most of the issues you are facing-

Network Loop.

You are right in saying that you should remove that extra route between the inside network and the DMZ network. Inside hosts should without exception pass through the firewall if they need to get to the DMZ network. Else the purpose of the PIX is defeated.

Note following syslog message:

03-08-2007 09:15:44 Local4.Critical 10.0.10.1 Mar 08 2007 09:13:34: %PIX-2-106028: Dropping invalid echo reply from inside:10.0.20.10 to outside:69.255.109.188, source address 10.0.20.10 should not match dynamic port translation, real inside:10.0.20.10/1, mapped outside:64.69.117.62/1

In the above message, notice this part-

"Dropping invalid echo reply from inside:10.0.20.10"

This clearly indicates that due to the network loop, the DMZ machine is sending the reply via the inside interface (!!), whereas it actually should send it from the DMZ interface. The default gateway of the DMZ hosts should be the DMZ interface and for the inside hosts it should be the inside interface. Or I should say that if an inside host needs to pass traffic to any network, it should be via the inside interface of the PIX, and the same for the DMZ.
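To spot the symptom described above (the echo reply entering the PIX on the inside interface although its source address lives on the DMZ subnet) in a syslog feed, here is an added example that is not from the thread: a small Python parser for the %PIX-2-106028 message that compares the interface the reply arrived on with the interface that owns the source subnet. The interface subnets are taken from the original post; the /24 mask on the outside network is an assumption.

```python
import re
from ipaddress import ip_address, ip_network

# Interface subnets from the original post; the /24 on the outside
# network is an assumption (the post gives no mask for it).
INTERFACE_NETS = {
    "inside": ip_network("10.0.10.0/24"),
    "dmz": ip_network("10.0.20.0/24"),
    "outside": ip_network("64.69.117.0/24"),
}

# Body of a %PIX-2-106028 message, in the form quoted in the thread.
MSG_106028 = re.compile(
    r"%PIX-2-106028: Dropping invalid echo reply from "
    r"(?P<in_if>\w+):(?P<src>[\d.]+) to (?P<out_if>\w+):(?P<dst>[\d.]+), "
    r"source address [\d.]+ should not match dynamic port translation, "
    r"real \w+:[\d.]+/\d+, mapped (?P<map_if>\w+):(?P<mapped>[\d.]+)/\d+"
)

# The syslog line from the original post, used here as sample input.
SAMPLE_LOG = (
    "03-08-2007 09:15:44 Local4.Critical 10.0.10.1 Mar 08 2007 09:13:34: "
    "%PIX-2-106028: Dropping invalid echo reply from inside:10.0.20.10 to "
    "outside:69.255.109.188, source address 10.0.20.10 should not match "
    "dynamic port translation, real inside:10.0.20.10/1, "
    "mapped outside:64.69.117.62/1"
)

def expected_interface(addr, nets=INTERFACE_NETS):
    """Return the interface whose connected subnet contains addr, or None."""
    ip = ip_address(addr)
    return next((name for name, net in nets.items() if ip in net), None)

def check_echo_reply(line, nets=INTERFACE_NETS):
    """Parse one 106028 line and flag a reply that entered on the wrong interface.

    'asymmetric' is True when the source address belongs to one interface's
    subnet but the reply arrived on another: the routing-loop symptom above.
    """
    m = MSG_106028.search(line)
    if not m:
        return None  # not a 106028 message
    arrived, owner = m.group("in_if"), expected_interface(m.group("src"), nets)
    return {
        "src": m.group("src"),
        "arrived_on": arrived,
        "expected_on": owner,
        "mapped": m.group("mapped"),
        "asymmetric": owner is not None and owner != arrived,
    }
```

Run on the thread's own line it reports the reply arriving on inside while the source belongs to dmz, which is exactly the loop Vibhor points at.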

OK, so no real changes on my firewall, but rather on my default gateway router, and that should clear it up?

Actually it isn't a route I had on the def gate, it was nothing more than a secondary IP address on the FastEth0 interface.

I have removed that and still no luck. Do I need to clear xlate? Or add a static route on the PIX for 10.0.20.0/24 out 10.0.10.4? I don't think they will allow me to do that, please advise.

Yes, nothing much on PIX. Once the route is removed, PIX will have a connected route to 10.0.10.0/22 network via inside interface IP, and to 10.0.20.0/24 network via DMZ interface IP. Do a "clear xlate" also on PIX. If possible, can you provide the config from the router also? To which interfaces of PIX is this router connected?

OK, I did a clear xlate and tried pinging from the outside to the DMZ and still get no response, and syslog shows the same error.

I can ping from the inside to the DMZ even without the secondary IP on the router.

I have attached the router config.

The default gateway has only one interface (FastEth) and it routes things accordingly to everything else. It is only attached to the inside interface of the firewall.

Thanks for the outputs. What is the default gateway IP of 10.0.20.10 ?

The default gateway of that is 10.0.10.15, which is the router I sent you.

That is still creating the same problem. Right now if you ping the public IP for the DMZ host from outside, the PIX directs the echo-request to the private IP of the host on the DMZ. However, when the DMZ host tries to reply, it uses its routing table and sends the reply to the router. Thereafter the router sends the reply based on its routing table to the PIX inside interface IP, which will generate the same syslog as seen earlier.

As I stated earlier, could you please have the default gateway of the DMZ host be 10.0.20.4 ? Can DMZ host reach the PIX DMZ interface directly or it still has to go through the same router?

OK Vibhor, I am sorry I misunderstood, but I just switched the DMZ host's gateway to 10.0.20.4, and I can ping 10.0.20.4 from that host, but I cannot ping anything on the 10.0.10.0/24 network, and nothing on the 10.0.10.0/24 network can ping it.

However I can ping the DMZ host from an outside client using the 64.69.117.29 IP, so I am half way there.

Cool .. If you want to allow 10.0.10.0/24 network to be pingable from the DMZ host, you can add following command to PIX configuration-

static (inside,dmz) 10.0.10.0 10.0.10.0 netmask 255.255.255.0

clear xlate

Now from 10.0.10.0/24, you should be able to ping the DMZ host and vice-versa. Let me know if this helps.

Regards,

Vibhor.

That's gold! Thanks a lot, problem solved!

Spoke too soon.

It was working fine for a while and then all of a sudden we had disruptions on the internal network: Outlook connectivity to Exchange would hang, and I would RDP into a server and lose connectivity. All of this is unrelated to the DMZ network, as I am on the 10.0.10.0/24 network along with the servers themselves.

Now I removed the command:

static (inside,dmz) 10.0.10.0 10.0.10.0 netmask 255.255.255.0 0 0

and it resolved the issue, what gives?

It seems that there is still some sort of loop in the network. However we can make things work .. :-)

The reason you lose connectivity seems to be related to the PIX doing proxy-arp for the 10.0.10.0/24 network on the dmz interface with the static command in. Here's the workaround .. re-enter the following commands on the PIX-

static (inside,dmz) 10.0.10.0 10.0.10.0 netmask 255.255.255.0 0 0

sysopt noproxyarp dmz

Now things should work fine. The PIX will not proxy-arp (which is the default behaviour) for the 10.0.10.0/24 network now on the dmz interface. DMZ hosts, when attempting to send traffic to the 10.0.10.0/24 network, will contact their default gateway, which is the PIX's dmz interface. Only then will the PIX create a translation and allow the traffic accordingly.

Let me know if this helps.

Regards,

Vibhor.

OK, I entered it. I'll let you know what happens in about an hour or so. It makes sense!

Rob

This appears to have resolved the issue, thanks a million!

Now, is it typical to have to enter the sysopt noproxyarp command in this situation? Or is it just solving my problem? In other words, is this something I should do every time I create a DMZ?
