Route without NAT between DMZs on PIX

Unanswered Question

I have 4 active interfaces on my PIX 520, Outside, Inside, DMZ1BU, and DMZ2BU. Inside, DMZ1BU and DMZ2BU can nat to outside just fine, everything on the DMZ has a static mapping to an Outside IP address. I'm trying to route between the two DMZs and just can't get it to work. Here is the cut of the relevant part of the config.

interface ethernet0 100full

interface ethernet1 100full

interface ethernet4 auto

interface ethernet5 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet4 DMZ2BU security50

nameif ethernet5 DMZ1BU security40


access-list nonat_dmz1 permit ip host host

access-list nonat_dmz2 permit ip host host


ip address outside x.y.z.3

ip address inside

ip address DMZ2BU

ip address DMZ1BU

ip verify reverse-path interface outside


global (outside) 1 x.y.z.5

nat (outside) 0 access-list outside_nat0_inbound outside

nat (inside) 0 access-list 101

nat (inside) 1 0 0

nat (itf3) 1 0 0

nat (DMZ2BU) 0 access-list nonat_dmz2

nat (DMZ2BU) 1 0 0

nat (DMZ1BU) 0 access-list nonat_dmz1

nat (DMZ1BU) 1 0 0

static (DMZ1BU,outside) x.y.z.151 netmask 0 0

static (DMZ2BU,outside) x.y.z.170 netmask 0 0

access-group acl_outside in interface outside

access-group acl_dmz2 in interface DMZ2BU

access-group acl_dmz1 in interface DMZ1BU

route outside x.y.z.1 1

I really think systems on DMZ1 and DMZ2 should be able to ping each other without NATing with this config, but it doesn't work. Am I missing something really obvious? I'm attaching the full config in case there is information not here that is needed.

Thank you for your assistance. I've been searching online and everything I've found leads me to believe my config is correct.

acomiskey Fri, 10/19/2007 - 11:16

Try this instead of the nat 0 commands...

no nat (DMZ1BU) 0 access-list nonat_dmz1

no nat (DMZ2BU) 0 access-list nonat_dmz2

static (DMZ2BU,DMZ1BU) netmask

I had tried that also, although I did do it the other way around with static (DMZ1BU,DMZ2BU) netmask, and it did not work either. I just tried it with your exact commands and could still not ping.

Do I need to clear xlate after making this change? I've looked at the xlate table and don't see any entries for this. I hate doing a full xlate table clear during the day.

acomiskey Fri, 10/19/2007 - 11:27

You have not allowed icmp replies back into the DMZ1 interface....

access-list acl_dmz1 permit icmp any any echo-reply


access-list acl_dmz1 permit icmp any any

acomiskey Fri, 10/19/2007 - 11:40

No problem, did you also add...?

access-list acl_dmz2 permit icmp any any

acomiskey Fri, 10/19/2007 - 11:54

Weird, this shouldn't be this hard. Want to post the new updated config?

acomiskey Fri, 10/19/2007 - 12:19

Sorry, that's my bad, I was reading too fast...

no static (DMZ2BU,DMZ1BU) netmask 0 0

static (DMZ2BU,DMZ1BU) netmask 0 0

clear xlate
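
A complete worked configuration for the setup discussed in this thread, added here as an illustration; it is not the original poster's config and not acomiskey's reply. It assumes DMZ2BU (security50) is 10.10.15.0/24 and DMZ1BU (security40) is 10.10.12.0/24 (the addresses acomiskey asks about below, never confirmed by the poster), PIX 6.x syntax, and the interface and ACL names already in the poster's config; the web server 10.10.12.10 in the tcp line is hypothetical. The two things the PIX insists on for traffic between interfaces of different security levels are a translation that covers the flow when its initiator sits on the higher-security side (a static or nat 0 on that interface pair; statics toward outside are a different pair and do not count), and a permit in the access-group of the interface each packet arrives on, which for a ping means the echo on one interface and the echo-reply on the other unless the ICMP fixup of PIX 6.3 is tracking them as one connection. Translation precedence is nat 0 access-list first, then static, then regular nat, so the statics to outside in the poster's config do not shadow a DMZ-to-DMZ static.

```cisco
! Added example for this thread (not the original poster's config or acomiskey's reply).
! Assumed subnets, not confirmed in the thread: DMZ2BU (security50) = 10.10.15.0/24,
! DMZ1BU (security40) = 10.10.12.0/24. Interface and ACL names are the poster's.

! 1. Translation. A flow initiated from the higher-security interface of a pair must
!    match a translation on that pair. One identity static does it for DMZ2BU/DMZ1BU:
!    DMZ2BU hosts are presented on DMZ1BU under their own addresses, and it is also
!    the translation DMZ2BU-initiated traffic matches. static (DMZ1BU,outside) and
!    static (DMZ2BU,outside) belong to other interface pairs; they neither help nor
!    interfere here.
static (DMZ2BU,DMZ1BU) 10.10.15.0 10.10.15.0 netmask 255.255.255.0

! 2. Access lists. Once an access-group is applied the interface denies everything
!    not listed, and each packet is checked on the interface it arrives on.
! Ping from DMZ1BU to DMZ2BU: echo arrives on DMZ1BU, echo-reply arrives on DMZ2BU.
access-list acl_dmz1 permit icmp 10.10.12.0 255.255.255.0 10.10.15.0 255.255.255.0 echo
access-list acl_dmz2 permit icmp 10.10.15.0 255.255.255.0 10.10.12.0 255.255.255.0 echo-reply
! Ping from DMZ2BU to DMZ1BU: echo arrives on DMZ2BU, echo-reply arrives on DMZ1BU.
access-list acl_dmz2 permit icmp 10.10.15.0 255.255.255.0 10.10.12.0 255.255.255.0 echo
access-list acl_dmz1 permit icmp 10.10.12.0 255.255.255.0 10.10.15.0 255.255.255.0 echo-reply
! Real application traffic goes in the same place, scoped to the two subnets rather
! than "any any". Hypothetical example: DMZ2BU clients to a web server on DMZ1BU.
access-list acl_dmz2 permit tcp 10.10.15.0 255.255.255.0 host 10.10.12.10 eq 443

! On PIX 6.3 the ICMP fixup tracks echo/echo-reply as one connection, which makes
! the two echo-reply lines above unnecessary:
! fixup protocol icmp

! 3. Existing translations are not rebuilt when the rules change. clear xlate with no
!    arguments drops every translation on the box, so expect a blip on live sessions.
clear xlate

! 4. Verify. Hit counts show which line matched, or that the packet never reached
!    the ACL; on PIX 6.3 a deny by an access-group is logged as message 106023.
logging on
logging buffered warnings
show access-list acl_dmz1
show access-list acl_dmz2
show xlate
show logging
```

If the hit counts on acl_dmz1 and acl_dmz2 stay at zero while the ping is running and no 106023 appears, the packet is not reaching the PIX on the expected interface at all (host routing, VLAN or cabling), which is the case to rule out before changing NAT any further.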

acomiskey Fri, 10/19/2007 - 12:40

That's crazy. Time to start logging on the pix when you try to ping. You are trying to ping from 10.10.12.x to 10.10.15.x, right? Try to get some logging going to see what the pix is saying as you ping.

Hmm, ok, doing a debug icmp trace if I ping from to on the outside I see all the records and it looks fine, which is good because that works. But if from I ping, there is no record in the debug, none at all.

The only thing that I can think of is that all of these servers have static mapping to outside. Does that supersede the static (dmz1bu,dmz2bu) ... and the nat 0 lines because it comes first?

slayerhawk Wed, 05/14/2008 - 10:18

Did you ever figure this out? I have a similar issue and am confused.
