05-29-2007 07:37 AM - edited 03-11-2019 03:21 AM
I configured a PIX 506E with two internal vlans. One vlan is called DMZ and the other is called vlan4. I want a device on vlan DMZ to ping a device on vlan4. In order to make this possible, I needed to create an access-list. However, I cannot get my access-list to work correctly.
This is a snapshot of my configuration:
interface ethernet1 vlan2 logical
interface ethernet1 vlan4 logical
nameif vlan4 vlan4 security4
nameif vlan2 dmz security50
!
access-list INTERNAL permit ip any 10.0.20.0 255.255.255.0
access-list INTERNAL permit ip any 10.0.30.0 255.255.255.0
access-list INTERNAL permit ip any any
!
access-group INTERNAL in interface vlan4
access-group INTERNAL in interface dmz
Even with this access-list that permits ALL traffic, I am unable to ping one end from another. The odd thing to me is that I do see matches after I try to ping an interface:
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
alert-interval 300
access-list INTERNAL; 3 elements
access-list INTERNAL line 1 permit ip any 10.0.20.0 255.255.255.0 (hitcnt=8)
access-list INTERNAL line 2 permit ip any 10.0.30.0 255.255.255.0 (hitcnt=0)
access-list INTERNAL line 3 permit ip any any (hitcnt=2)
Is there something I am forgetting to do in order to make the communication across two vlans possible?
Thanks,
05-29-2007 07:48 AM
You don't need this as traffic from higher to lower security is allowed.
no access-group INTERNAL in interface dmz
Add these to ping vlan4 from DMZ...
no access-group INTERNAL in interface vlan4
access-list vlan4_in permit icmp any any
access-group vlan4_in in interface vlan4
05-29-2007 09:53 AM
I've made the changes but it still does not work quite right. If I ping from the Vlan4 network to the Vlan2 network I see the ping come across the PIX but the machine that originated the ping does not receive a return packet. I believe this is because each vlan is running PAT on the outside interface's IP address.
For example I saw the following:
36: ICMP echo-request from vlan4:10.0.30.2 to xxx.xxx.15.58 ID=512 seq=16896 length=40
37: ICMP echo-request: translating vlan4:10.0.30.2/512 to outside:xxx.xxx.15.52/2
38: ICMP echo-reply from outside:xxx.xxx.15.58 to xxx.xxx.15.52 ID=2 seq=16896 length=40
Do you think PAT is preventing me from pinging 10.0.30.x to 10.0.20.x?
05-29-2007 10:01 AM
Sorry, in your original post you said you wanted to ping from dmz to vlan 4. Which is what the statements I posted would allow. Does this part at least work?
Could you please post your entire config?
05-29-2007 10:18 AM
Below is the config with the passwords and snmp info removed:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan2 logical
interface ethernet1 vlan4 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security50
nameif vlan4 vlan4 security4
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list vlan4_in permit icmp any 10.0.30.0 255.255.255.0 echo-reply
access-list vlan4_in permit icmp any 10.0.20.0 255.255.255.0 echo-reply
access-list vlan4_in permit ip any any
pager lines 24
icmp permit any dmz
icmp permit any vlan4
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.15.52 255.255.255.128
no ip address inside
ip address dmz 10.0.20.1 255.255.255.0
ip address vlan4 10.0.30.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
nat (vlan4) 1 0.0.0.0 0.0.0.0 0 0
access-group vlan4_in in interface vlan4
route outside 0.0.0.0 0.0.0.0 xxx.xxx.15.1 1
05-30-2007 12:10 PM
I believe PAT is causing my issue. Is it possible for me to create an ACL statement that will block the use of NAT for traffic that flows directly from Vlan 2 to Vlan 4 and vice versa?
05-30-2007 12:35 PM
Can you ping from dmz to vlan4?
The way your current ACL is now, you would not be able to ping from .30 to .20. Just add this ACE:
access-list vlan4_in permit icmp any 10.0.20.0 255.255.255.0
05-31-2007 09:50 AM
Still doesn't work and here is why:
57: ICMP echo-request from dmz:10.0.20.2 to 10.0.30.2 ID=512 seq=2304 length=40
58: ICMP echo-request from vlan4:10.0.30.2 to xx.xx.36.248 ID=512 seq=2816 length=10
59: ICMP echo-request: translating vlan4:10.0.30.2/512 to outside:xx.xx.15.52/0
I'm trying to disable NAT when 10.0.20.2 pings 10.0.30.2 and vice versa but I'm having trouble writing an ACL that will do that.
05-31-2007 09:58 AM
access-list nat0 permit ip host 10.0.20.2 host 10.0.30.2
nat (dmz) 0 access-list nat0
05-31-2007 11:08 AM
That's the answer I was looking for. Thanks.
I changed the commands around a little bit but it works very well.
access-list no-nat permit ip 10.0.20.0 255.255.255.0 10.0.30.0 255.255.255.0
nat (dmz) 0 access-list no-nat
Specified what should be NAT'd in better detail.
nat (dmz) 1 10.0.20.0 255.255.255.0 0 0
nat (vlan4) 1 10.0.30.0 255.255.255.0 0 0
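The thread's fix, consolidated into one PIX 6.3 fragment as an added example (this is not the original poster's saved config, and the echo/echo-reply ACEs and the dropped `permit ip any any` are my choices, not something the thread posted). It shows why the ping failed and what each piece does: dynamic PAT (`nat ... 1`) was catching the inter-VLAN traffic and rewriting the source to the outside address, so the reply went nowhere; `nat (dmz) 0 access-list` exempts that traffic from translation, and because NAT exemption is bidirectional one statement on the dmz side covers both directions. The inbound ACL on vlan4 is still needed because vlan4 (security4) to dmz (security50) is low to high, and without ICMP inspection the PIX treats echo and echo-reply statelessly, so both types must be permitted.

```text
! Added example, not the OP's config. Assumes the interface, nameif and
! ip address lines from the posted config (dmz 10.0.20.1/24, vlan4 10.0.30.1/24).
!
! 1. Identity NAT between the two internal subnets. Without this the
!    nat (dmz) 1 / nat (vlan4) 1 statements match the inter-VLAN flow and
!    PAT the source to the outside interface address.
access-list no-nat permit ip 10.0.20.0 255.255.255.0 10.0.30.0 255.255.255.0
nat (dmz) 0 access-list no-nat
!
! 2. Dynamic PAT to the outside, scoped to each interface's own subnet
!    rather than 0.0.0.0 0.0.0.0.
global (outside) 1 interface
nat (dmz) 1 10.0.20.0 255.255.255.0 0 0
nat (vlan4) 1 10.0.30.0 255.255.255.0 0 0
!
! 3. vlan4 -> dmz is low to high, so traffic entering vlan4 needs an ACL.
!    echo       : hosts on vlan4 pinging the dmz
!    echo-reply : vlan4 hosts answering pings that came from the dmz
!    No trailing "permit ip any any": it would make the specific ACEs moot.
access-list vlan4_in permit icmp 10.0.30.0 255.255.255.0 10.0.20.0 255.255.255.0 echo
access-list vlan4_in permit icmp 10.0.30.0 255.255.255.0 10.0.20.0 255.255.255.0 echo-reply
access-group vlan4_in in interface vlan4
```

Two checks worth running after applying this: `debug icmp trace` (the source of the output quoted earlier in the thread) should no longer show a "translating vlan4:10.0.30.2/... to outside:..." line for pings between the two subnets, and `show xlate` should show no xlate entry for 10.0.20.x to 10.0.30.x traffic. Note that the `icmp permit any dmz` / `icmp permit any vlan4` lines in the posted config only govern pings addressed to the PIX's own interface addresses; they have no effect on traffic passing through the firewall.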