simple pix problem?

Answered Question
May 13th, 2007

Hi,

On a PIX 525, v6.3, I'm trying to create a static, and can't seem to get it to work.

My static command is:

static (dmz1,outside) 209.129.164.10 209.129.164.10 netmask 255.255.255.255 0 500

When I try to ping it, the log shows:

106014: Deny inbound icmp src outside:67.101.42.72 dst dmz1:209.129.164.10 (type 8, code 0)


When I try http://209.129.164.10, the log shows:

106001: Inbound TCP connection denied from 66.249.65.236/45593 to 209.129.164.10/80 flags SYN on interface outside


This PIX has no other statics. Another PIX I take care of has many statics - I have compared everything I can think of to compare between the two, but so far I can't find what I'm doing wrong.


One more piece of info: response to "sh xlate state static" varies. Sometimes the response includes 209.129.164.10, sometimes not. Attempts to ping and http produce the results above regardless of whether or not the address appears in the xlate table.


"System Messages" doc for v6.3 says "This message occurs when an attempt to connect to an inside address is denied by your security policy." But I don't see anything in the box's config that qualifies...


Any help will be most welcome...


Linnea

Correct Answer by Jon Marshall, Sun, 05/13/2007 - 02:47

Hi Linnea


Could you post the config of the PIX? The static entry looks fine, so there might be something else in your config.


Have you checked your ACLs?


Jon


linnea.wren Sun, 05/13/2007 - 10:22

Hi Jon, Joshua,


PIX config is attached. At the bottom of the file I include output of "sh route"


>"Have you checked your ACLs."

I haven't been thinking this was an ACL problem for 2 or 3 reasons.

1. When I do "sh access-list acl_dmz1", the hits on that ACL don't change in response to what I've tried.

2. My experience so far is that when an ACE is the culprit, the log message will be "106023: Deny tcp ... by access-group "acl_outside""

3. The relevant ACL allows the 2 kinds of traffic I've been attempting (icmp & http).


However, I have been mistaken about the impact of one or another ACL before, so it wouldn't be too surprising to find there's an ACL component to this...



linnea.wren Mon, 05/14/2007 - 14:43

Hi,


Problem solved - the ACL on the outside interface was incomplete, and the ACL on the dmz1 interface was backwards. (It turned out the additional params for permit icmp weren't needed; it was just a matter of including the necessary ACEs for outside, and correcting mistakes for the DMZ.)


I still have a question, though.

There's a traffic flow concept that I understood as "Traffic flows from higher security interfaces to lower security interfaces." I thought that meant you didn't need ACEs to allow traffic from higher security interfaces to lower. Yet to get this to work, I had to have

"permit proto any"

in an ACL applied to the DMZ interface.


My interfaces are thus:

nameif ethernet0 ... security0

nameif ethernet1 ... security100

nameif ethernet2 ... security10


The DMZ interface is ethernet2.

The outside interface is ethernet0


If "traffic flows higher to lower", why do I need an ACL to get a server in the DMZ to converse with the outside world?


acomiskey Mon, 05/14/2007 - 15:26

You wouldn't... until you wanted to ping the server, since ICMP does not apply to what you have described above. So as soon as you created an ACL on the dmz interface for ICMP ping replies, you must then allow all other traffic, because of the implicit deny ip any any at the end of the ACL.
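The two situations discussed in Linnea's follow-up question and in acomiskey's reply (no ACL on the DMZ interface versus an ACL bound to it), written out as an added PIX 6.3 configuration example. This is not the poster's attached config, which is not reproduced on the page: the interface names, security levels, the static and the ACL names acl_outside and acl_dmz1 are taken from the thread, while the individual ACEs, the "inside" name for ethernet1 and the comment text are assumptions for illustration.

```cisco
! Added example, not the original poster's configuration. Interface names,
! security levels, the static and the ACL names come from the thread; the
! ACEs and the name "inside" for ethernet1 are assumptions.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security10

! Identity static: 209.129.164.10 reachable from outside, same address on dmz1.
static (dmz1,outside) 209.129.164.10 209.129.164.10 netmask 255.255.255.255 0 500

! Lower-to-higher traffic (outside -> dmz1) always needs a static AND an
! explicit permit. With these two ACEs missing, the PIX logs the 106001
! (TCP/80) and 106014 (ICMP echo) denials quoted in the first post.
access-list acl_outside permit tcp any host 209.129.164.10 eq www
access-list acl_outside permit icmp any host 209.129.164.10 echo
access-group acl_outside in interface outside

! Case 1: no access-group on dmz1. Higher-to-lower traffic (dmz1 -> outside)
! is permitted by the security levels alone, so nothing is configured here.

! Case 2: an ACL is bound to dmz1 for any reason. Every ACL ends in an
! implicit "deny ip any any", so once acl_dmz1 is applied, every packet
! entering the PIX on dmz1 must match a permit or it is dropped.
! A "backwards" ACE names the DMZ host as the destination and never matches
! traffic leaving the DMZ, e.g.:
!   access-list acl_dmz1 permit icmp any host 209.129.164.10 echo-reply
! The DMZ server is the SOURCE on this interface:
access-list acl_dmz1 permit icmp host 209.129.164.10 any echo-reply
access-list acl_dmz1 permit ip host 209.129.164.10 any
access-group acl_dmz1 in interface dmz1
```

Scoping the final ACE to `host 209.129.164.10` rather than `permit ip any any` keeps the implicit deny working for anything else on the DMZ segment. Note that a permit on dmz1 also covers dmz1 -> inside, which is lower-to-higher and therefore additionally needs a static (or nat/global pair) for the inside host; if such statics exist, put a `deny ip any <inside subnet>` ACE ahead of the permit (the inside subnet is not on the page, so it is not filled in here). After binding the ACL, `show access-list acl_dmz1` hit counts should now move with each test, which is the check Linnea used to rule ACLs in or out.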
