
Communication to both dmz address and inside address

mnieuwendijk
Level 1

Hi.

I had a problem yesterday when I tried to upgrade my FWSM from version 2.3 to 3.2.

In version 2.3 I was able to connect to a DMZ address directly and to its inside NAT address.

But after the upgrade it was not possible anymore to connect to the DMZ address. Connecting to its inside address was no problem.

DMZ address is 10.0.225.51; NATted inside address is 10.0.30.41.

In version 2.3, when I was pinging address 10.0.224.51, I got a reply from 10.0.30.41.

Is this normal behaviour, or is this a bug in version 2.3 and normal operation in version 3.2?

This is the only rule I configured:

"static (DMZ_2244,inside) 10.0.30.41 10.0.224.51 netmask 255.255.255.255"

"static (inside,DMZ_2244) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 "

I saw no denies in the ACL logging.

So nothing is blocked.

Are there people with similar issues?

Marc

1 Reply

a-vazquez
Level 6

Just 2 commands is what you need to permit access from the DMZ FES to the Inside BES. Remember that, depending on your translation timeout (xlate timeout), if it's at the default of 3 hours you will need to wait for this to time out before this takes effect. A simple "clear xlate" will cause it to take effect immediately, but please remember that this command will cause temporary loss of connection through the PIX for all your traffic.
