From dmz to subinterface on inside (PIX 515E)

Unanswered Question
May 18th, 2007

Hi,

I'm trying to get a few of our machines on dmz to communicate with a TSM server which is located on a subnet on the inside. But I can't get it to route traffic out on the subinterface I have created in the pix, it keeps using the dmz as output interface, instead of the subinterface.

Server on dmz: 192.168.50.5

Subinterface on inside interface: 192.168.120.250 (name: BackupLAN)

TSM server: 212.210.45.10 (name: TSMserver)

The following NATs are used:

static (BackupLAN,dmz) TSMserver TSMserver netmask 255.255.255.255

static (dmz,BackupLAN) 192.168.50.5 192.168.50.5 netmask 255.255.255.255

The following route is created:

route BackupLAN TSMserver 255.255.255.255 192.168.120.1 1 (192.168.120.1 is a switch which passes the traffic on to the TSM server)

There is also a security policy for incoming on dmz which only allows traffic with destination port 1500 to be passed on.

When running the Packet tracer in ASDM, the result is that the packet is allowed, but both input and output interface is dmz, output interface should be BackupLAN.

Is there something I have forgot to configure? Or is anything wrong configured?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
marasthlm Tue, 05/22/2007 - 23:33

Here are the routes:

Gateway of last resort is 62.118.159.65 to network 0.0.0.0

C 192.168.120.0 255.255.255.0 is directly connected, BackupLAN

S TSMserver 255.255.255.255 [1/0] via 192.168.120.1, BackupLAN

C 62.118.159.64 255.255.255.240 is directly connected, outside

C 192.168.50.0 255.255.255.0 is directly connected, dmz

C 192.168.12.0 255.255.255.0 is directly connected, inside

S* 0.0.0.0 0.0.0.0 [1/0] via 62.118.159.65, outside

laurent.geyer Fri, 05/18/2007 - 07:24

What security level is configured for BackupLAN and dmz? Also, which network does the TSMserver sit on?

marasthlm Tue, 05/22/2007 - 23:42

BackupLAN has securitylevel 100, dmz has 10

The TSMserver resides on a remote network. From the PIX the link goes via a local switch (192.168.120.1 in the configuration) and then to a remote switch (still in the .120 subnet) and then it reaches the TSMserver

Jon Marshall Wed, 05/23/2007 - 00:00

Hi

Firstly what is the second static doing ie.

static (dmz,BackupLAN) 192.168.50.5 192.168.50.5 netmask 255.255.255.255

This is not needed as far as i can see so maybe remove it and see if that makes any difference. I can't see why it would at the moment but your config/routing looks okay.

Also can you ping the TSMServer from the pix firewall itself

Jon

marasthlm Wed, 05/23/2007 - 06:56

It doesn't do much really. Put it there in case of need or something. But it's no difference without that NAT rule.

I can't ping the TSMserver from the PIX, eventhough I choose the BackupLAN interface in the ping console.

Actions

This Discussion