strange pix trouble

Sep 13th, 2007

Hi all,

I've got strange trouble with a PIX 535 [6.3(5)]:

Preface: the ACLs are OK.


So... from inside to DMZ I've got a log like this:

%PIX-4-106023: Deny tcp src inside:10.xxx.xxx.xxx/46353 dst DMZ-fearehu:10.yyy.yyy.yyy/3389 by access-group "ACL-INSIDE"


but from outside to DMZ... (same destination address)


%PIX-4-106023: Deny tcp src outside:10.zzz.zzz.zzz/46350 dst DMZ-fearehu:10.yyy.yyy.yyy/3389 by access-group "ACL-OUTSIDE"


The route to 10.yyy.yyy.yyy is directly connected and the statics are:

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

static (inside,DMZ-fearehu) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

static (DMZ-fearehu,outside) 10.yyy.yyy.yyy 10.yyy.yyy.yyy netmask 255.255.255.224 0 0


Do I have to add

static (outside,DMZ-fearehu) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0?

I've tried with a host NAT (IP from outside) and it doesn't work; it always routes to inside instead of to DMZ... I've also tried to add a host route, even though it is directly connected, but... nothing.


Why do I see the wrong routing?


Thanks


PS: I've tried to sniff traffic; I can see the SYN entering on outside but not leaving from either DMZ or inside....

Jon Marshall Thu, 09/13/2007 - 03:30

Hi


Could you post the ACLs just to make sure. You do not need the statement


static (outside,DMZ-fearehu) 10.0.0.0 10.0.0.0 netmask 255.0.0.0


as far as I can see.


So could you post output of


1) sh access-list

2) sh ip

3) sh route


Jon

danilodicesare Thu, 09/13/2007 - 05:17

Hi,


The ACLs are now permit ip any any everywhere.


Attached all the info....


and... just as a reminder,


I can try to telnet from 10.115.255.7 (outside) to 10.115.129.1 (DMZ) and I see an ACL log (permit) with dst inside (the wrong one)


I try to telnet from 10.113.0.254 (inside) to 10.115.129.1 (DMZ) and I see an ACL log (permit) with dst DMZ (the right one)


Thanks a lot...



Jon Marshall Thu, 09/13/2007 - 05:33

Hi


From first post


%PIX-4-106023: Deny tcp src inside:10.xxx.xxx.xxx/46353 dst DMZ-fearehu:10.yyy.yyy.yyy/3389 by access-group "ACL-INSIDE"


but from outside to DMZ... (same destination address)


%PIX-4-106023: Deny tcp src outside:10.zzz.zzz.zzz/46350 dst DMZ-fearehu:10.yyy.yyy.yyy/3389 by access-group "ACL-OUTSIDE"



The ACL messages suggest that it is picking the right interface to send it to? Apologies, but what am I missing?



The other thing is: are you only ever initiating connections from inside, i.e. you never initiate a connection from the DMZ or the outside to a machine on the inside?


If so, replace


static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

static (inside,DMZ-fearehu) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0



with


nat (inside) 0 10.0.0.0 255.0.0.0


and clear xlate


Jon
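As an added illustration (not Jon's or the poster's code) of why the original statics are ambiguous for a packet arriving on outside bound for the DMZ host: a small Python model that lists every static whose mapped side faces the arriving interface and whose mapped range covers the destination. It models only the overlap, not the PIX's actual xlate selection order, and substitutes 10.115.129.1 from the later post for 10.yyy.yyy.yyy.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Static:
    real_if: str                    # interface the real hosts sit behind
    mapped_if: str                  # interface where the mapped address is seen
    mapped: ipaddress.IPv4Network   # mapped (global) range, from "netmask"


def parse_static(line: str) -> Static:
    """Parse a PIX 6.x 'static (real,mapped) mapped real netmask M ...' line."""
    parts = line.split()
    real_if, mapped_if = parts[1].strip("()").split(",")
    mask = parts[parts.index("netmask") + 1]
    net = ipaddress.IPv4Network(f"{parts[2]}/{mask}", strict=False)
    return Static(real_if, mapped_if, net)


def matching_statics(config, arriving_if, dst):
    """Every static whose mapped side faces arriving_if and covers dst.
    Several hits with different real_if values is the overlap this thread
    turns on; zero hits means the routing table decides the egress."""
    ip = ipaddress.IPv4Address(dst)
    statics = [parse_static(l) for l in config if l.startswith("static ")]
    return [s for s in statics if s.mapped_if == arriving_if and ip in s.mapped]


def real_interfaces(config, arriving_if, dst):
    """Sorted set of real-side interfaces the matching statics point at."""
    return sorted({s.real_if for s in matching_statics(config, arriving_if, dst)})


# Constructed from the thread: the poster's statics, and the variant Jon
# proposes (the two inside statics replaced by identity NAT, nat 0).
BEFORE = [
    "static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0",
    "static (inside,DMZ-fearehu) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0",
    "static (DMZ-fearehu,outside) 10.115.129.1 10.115.129.1 netmask 255.255.255.224 0 0",
]
AFTER = [
    "nat (inside) 0 10.0.0.0 255.0.0.0",
    "static (DMZ-fearehu,outside) 10.115.129.1 10.115.129.1 netmask 255.255.255.224 0 0",
]

if __name__ == "__main__":
    dmz_host = "10.115.129.1"                            # DMZ address from the thread
    print(real_interfaces(BEFORE, "outside", dmz_host))  # ['DMZ-fearehu', 'inside']
    print(real_interfaces(AFTER, "outside", dmz_host))   # ['DMZ-fearehu']
    print(real_interfaces(BEFORE, "inside", dmz_host))   # [] -> routed; DMZ is connected
```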


danilodicesare Thu, 09/13/2007 - 05:38

Sorry... the right messages were:


First one like the previous:

%PIX-4-106023: Deny tcp src inside:10.xxx.xxx.xxx/46353 dst DMZ-fearehu:10.yyy.yyy.yyy/3389 by access-group "ACL-INSIDE"


but from outside to DMZ... (same destination address)


Right message... inside is wrong :(

%PIX-4-106023: Deny tcp src outside:10.zzz.zzz.zzz/46350 dst INSIDE:10.yyy.yyy.yyy/3389 by access-group "ACL-OUTSIDE"



Jon Marshall Thu, 09/13/2007 - 05:43

Okay, that makes a bit more sense :)


Could you try the previous suggestion if possible.


Jon
