strange pix trouble

danilodicesare · ‎09-13-2007

Hi all,

i've got strange trouble with pix 535 [6.3(5)]:

preface, ACL are ok.

so....from inside to DMZ i've got a log like this:

%PIX-4-106023: Deny tcp src inside:10.xxx.xxx.xxx/46353 dst DMZ-fearehu:10.yyy.yyy.yyy/3389 by access-group "ACL-INSIDE"

but from outside to DMZ.....(same destination address)

%PIX-4-106023: Deny tcp src outside:10.zzz.zzz.zzz/46350 dst DMZ-fearehu:10.yyy.yyy.yyy/3389 by access-group "ACL-OUTSIDE"

route 10.yyy.yyy.yyy is directly connected and static are:

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

static (inside,DMZ-fearehu) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

static (DMZ-fearehu,outside) 10.yyy.yyy.yyy 10.yyy.yyy.yyy netmask 255.255.255.224 0 0

do i have to add

static (outside,DMZ-fearehu) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0?

i've tried with a host NAT (ip from outside and does't work, always route to inside instead to DMZ...i've tried also a add a host route also if is direcly connected beut..nothing)..

why do i see the wrong routing?

THK

PS: i've tried to sniff traffic, i can see syn entering to outside but not out from neither DMZ or inside....

Jon Marshall · ‎09-13-2007

Hi

Could you post the ACL's just to make sure. You do not need the statement

static (outside,DMZ-fearehu) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

as far as i can see.

So could you post output of

1) sh access-list

2) sh ip

3) sh route

Jon

danilodicesare · ‎09-13-2007

Hi,

acl now are permit ip any any everywhere.

attached all info....

and...just for reminder,

i can try to telnet from 10.115.255.7 (outside) to 10.115.129.1 (DMZ) and i see a acl log (permit) with dst inside (wrong one)

i try to telnet from 10.113.0.254 (inside) to 10.115.129.1 (DMZ) and i see a acl log (permit) with dst DMZ (right one)

thk a lot...

Jon Marshall · ‎09-13-2007

Hi

From first post

%PIX-4-106023: Deny tcp src inside:10.xxx.xxx.xxx/46353 dst DMZ-fearehu:10.yyy.yyy.yyy/3389 by access-group "ACL-INSIDE"

but from outside to DMZ.....(same destination address)

%PIX-4-106023: Deny tcp src outside:10.zzz.zzz.zzz/46350 dst DMZ-fearehu:10.yyy.yyy.yyy/3389 by access-group "ACL-OUTSIDE"

The acl messages suggest that it is picking the right interface to send it to ?. Apologies but what i am missing ?

Other thing is are you only ever initiating connections from inside ie. you never initiate a connection from the DMZ or the outside to a machine on the inside ?

if so replace

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

static (inside,DMZ-fearehu) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

with

nat (inside) 0 10.0.0.0 255.0.0.0

and clear xlate

Jon

danilodicesare · ‎09-13-2007

sorry...right messages were:

first one like previous

%PIX-4-106023: Deny tcp src inside:10.xxx.xxx.xxx/46353 dst DMZ-fearehu:10.yyy.yyy.yyy/3389 by access-group "ACL-INSIDE"

but from outside to DMZ.....(same destination address)

right message...inside is wrong :(

%PIX-4-106023: Deny tcp src outside:10.zzz.zzz.zzz/46350 dst INSIDE:10.yyy.yyy.yyy/3389 by access-group "ACL-OUTSIDE"

Jon Marshall · ‎09-13-2007

Okay, that makes a bit more sense :)

Could you try previous suggestion if possible.

Jon