09-13-2007 01:44 AM - edited 03-11-2019 04:10 AM
Hi all,
I've got strange trouble with a PIX 535 [6.3(5)]:
Preface: the ACLs are OK.
So, from inside to DMZ I've got a log like this:
%PIX-4-106023: Deny tcp src inside:10.xxx.xxx.xxx/46353 dst DMZ-fearehu:10.yyy.yyy.yyy/3389 by access-group "ACL-INSIDE"
but from outside to DMZ (same destination address):
%PIX-4-106023: Deny tcp src outside:10.zzz.zzz.zzz/46350 dst DMZ-fearehu:10.yyy.yyy.yyy/3389 by access-group "ACL-OUTSIDE"
The route to 10.yyy.yyy.yyy is directly connected, and the statics are:
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (inside,DMZ-fearehu) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (DMZ-fearehu,outside) 10.yyy.yyy.yyy 10.yyy.yyy.yyy netmask 255.255.255.224 0 0
Do I have to add
static (outside,DMZ-fearehu) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0?
I've tried with a host NAT (IP from outside) and it doesn't work; it always routes to inside instead of to DMZ. I've also tried to add a host route even though it is directly connected, but nothing.
Why do I see the wrong routing?
THK
PS: I've tried to sniff the traffic; I can see the SYN entering on outside but not going out from either DMZ or inside.
09-13-2007 03:30 AM
Hi
Could you post the ACLs just to make sure. You do not need the statement
static (outside,DMZ-fearehu) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
as far as I can see.
So could you post the output of
1) sh access-list
2) sh ip
3) sh route
Jon
09-13-2007 05:17 AM
Hi,
The ACLs are now permit ip any any everywhere.
All info attached.
And, just as a reminder:
I can try to telnet from 10.115.255.7 (outside) to 10.115.129.1 (DMZ) and I see an ACL log (permit) with dst inside (the wrong one).
I try to telnet from 10.113.0.254 (inside) to 10.115.129.1 (DMZ) and I see an ACL log (permit) with dst DMZ (the right one).
Thanks a lot...
09-13-2007 05:33 AM
Hi
From the first post:
%PIX-4-106023: Deny tcp src inside:10.xxx.xxx.xxx/46353 dst DMZ-fearehu:10.yyy.yyy.yyy/3389 by access-group "ACL-INSIDE"
but from outside to DMZ (same destination address):
%PIX-4-106023: Deny tcp src outside:10.zzz.zzz.zzz/46350 dst DMZ-fearehu:10.yyy.yyy.yyy/3389 by access-group "ACL-OUTSIDE"
The ACL messages suggest that it is picking the right interface to send it to? Apologies, but what am I missing?
The other thing is: are you only ever initiating connections from inside, i.e. you never initiate a connection from the DMZ or the outside to a machine on the inside?
If so, replace
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (inside,DMZ-fearehu) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
with
nat (inside) 0 10.0.0.0 255.0.0.0
and clear xlate
Jon
09-13-2007 05:38 AM
Sorry, the right messages were:
The first one is like the previous one:
%PIX-4-106023: Deny tcp src inside:10.xxx.xxx.xxx/46353 dst DMZ-fearehu:10.yyy.yyy.yyy/3389 by access-group "ACL-INSIDE"
but from outside to DMZ (same destination address), the right message is the following; inside is wrong :(
%PIX-4-106023: Deny tcp src outside:10.zzz.zzz.zzz/46350 dst INSIDE:10.yyy.yyy.yyy/3389 by access-group "ACL-OUTSIDE"
09-13-2007 05:43 AM
Okay, that makes a bit more sense :)
Could you try the previous suggestion if possible.
Jon
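As an added illustration that is not part of the thread, the following Python model replays the destination lookup the posts describe, with the original statics beside Jon's suggested replacement. It assumes (this is not stated in the thread) that PIX statics are evaluated in configuration order with the first match winning, substitutes the DMZ host 10.115.129.1 from the later post for 10.yyy.yyy.yyy, and uses constructed connected-route prefixes for the fallback to the routing table.

```python
import ipaddress

# Constructed sample input: the static statements from the first post, with the
# DMZ host 10.115.129.1 from the later post standing in for 10.yyy.yyy.yyy.
STATICS_ORIGINAL = [
    "static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0",
    "static (inside,DMZ-fearehu) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0",
    "static (DMZ-fearehu,outside) 10.115.129.1 10.115.129.1 netmask 255.255.255.224 0 0",
]
# Jon's suggestion: the two /8 statics become "nat (inside) 0 10.0.0.0 255.0.0.0",
# so only the host-specific DMZ static is left to claim outside-bound destinations.
STATICS_FIXED = [
    "static (DMZ-fearehu,outside) 10.115.129.1 10.115.129.1 netmask 255.255.255.224 0 0",
]
# Constructed connected routes (prefix lengths assumed), consulted when no static matches.
ROUTES = {"DMZ-fearehu": "10.115.129.0/27", "inside": "10.113.0.0/16"}


def parse_static(line):
    """Return (real_if, mapped_if, mapped_net) from one PIX 6.x 'static' line.
    Syntax: static (real_if,mapped_if) mapped_ip real_ip netmask mask ..."""
    parts = line.split()
    real_if, mapped_if = parts[1].strip("()").split(",")
    mapped_net = ipaddress.IPv4Network((parts[2], parts[5]), strict=False)
    return real_if, mapped_if, mapped_net


def egress_for(statics, ingress_if, dst, routes=ROUTES):
    """Decide which interface a packet entering on ingress_if for dst leaves on.
    Assumption: statics are checked in configuration order; the first one whose
    mapped interface equals the ingress interface and whose mapped network holds
    dst wins, and only if none matches is the routing table consulted."""
    dst = ipaddress.IPv4Address(dst)
    for line in statics:
        real_if, mapped_if, mapped_net = parse_static(line)
        if mapped_if == ingress_if and dst in mapped_net:
            return real_if, line  # the translation decides the egress interface
    for iface, prefix in routes.items():
        if dst in ipaddress.IPv4Network(prefix):
            return iface, "routing table"
    return None, "no route"


if __name__ == "__main__":
    # Outside -> DMZ host: the /8 static to inside is hit first, as in the thread's log.
    print(egress_for(STATICS_ORIGINAL, "outside", "10.115.129.1"))
    # Inside -> DMZ host: no static claims the destination, so routing picks the DMZ.
    print(egress_for(STATICS_ORIGINAL, "inside", "10.115.129.1"))
    # With the broad statics replaced by nat 0, only the DMZ static can match.
    print(egress_for(STATICS_FIXED, "outside", "10.115.129.1"))
```

Reversing the order of STATICS_ORIGINAL so the /27 DMZ static comes first also yields "DMZ-fearehu" under this model, which is why overlapping statics are usually listed most specific first.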