Unable to ping router interfaces which are directly connected to firewall DMZs

Unanswered Question
Jan 28th, 2008

Hi,

Kindly find the attached file. In this I am unable to ping from Router2 to Router1 F0/0 interfaces and vice versa, even though they are directly connected to the firewall DMZs. I have checked the router routes and they seem to be fine. Please provide me the solution as soon as possible. Thanks in advance.





ajagadee Mon, 01/28/2008 - 21:33
User Badges: Cisco Employee

You need to configure a STATIC for traffic to flow from one DMZ to another. Please refer to the URL below for details:


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml


If you have already configured the statics and it's still not working, can you post the STATIC configuration from the PIX?


Regards,

Arul


** Please rate all helpful posts **



sureshkum Mon, 01/28/2008 - 22:07

Hi Arul,


Thanks a lot for your response. I have already applied the static also, but am still unable to. My PIX 535 has 6 interfaces. I want to establish connectivity between two DMZs. Have you seen the diagram, Arul? The firewall DMZs are connected to the routers' F0. I need to access one host from Router2 to Router1.


static (dmz11,dmz22) 172.16.0.0 172.16.0.0 netmask 255.240.0.0

manjesin Mon, 01/28/2008 - 21:57

What I understand: we want to ping from 172.30.8.10 to 172.30.8.18 and vice versa.


Here are the steps you can try:

* Ping both routers first from the firewall itself. If that fails, you need to troubleshoot that first.

* The default gateways of the routers should be the DMZ interface IP addresses.


* Ping from R1 to R2

Since dmz11 is at security level 40 and dmz22 is at 30, you require nat and global static:


nat (dmz11) 1 0 0

global (dmz22) 1 interface


Allow ICMP on the interface and you will be able to ping.


* Ping from R2 to R1

If you want to access or ping from dmz22 to dmz11 you need a static statement, since the traffic is going from lower to higher security:


static (dmz11,dmz22) 172.30.8.10 172.30.8.10 netmask 255.255.255.255

Allow ICMP in the access-list and you should be able to ping.


See if these steps help. If it works for you, please rate the steps so that others can benefit from this forum.


Thanks

sureshkum Mon, 01/28/2008 - 23:51

Hi manjesin,

Thanks for your response too. I have some more doubts, kindly clarify:


* I can ping the router F0 interface from the firewall interface.


* In order to access from R2 to R1, the static NAT should be like below, I think:

static (dmz11,dmz22) 172.30.8.18 172.30.8.18 netmask 255.255.255.255


The static IPs should be those of the higher interface? Is that right?


The problem is that Router2 is connected to one more router, Router3. So my concern is that I need to access from Router3 to Router1 in my above diagram. For that I have been trying to ping at least both (R2, R1) router interfaces first.



I will try all your valuable options. Kindly find the attached network diagram file and provide me the firewall config and router routes, please.

manjesin Wed, 01/30/2008 - 10:30



Here is the network topology:


R1---------firewall------R2------R3


Yes, in the static statement we provide the IP address of the higher network which we want to access.

Example given before, and you need to open the access-list:

static (dmz11,dmz22) 172.30.8.18 172.30.8.18 netmask 255.255.255.255

access-list 101 permit ip any host 172.30.8.18

access-group 101 in interface dmz22


If your default gateway on Router2 and Router3 is not the dmz22 interface IP address, then we need to add routes on the routers,

for example:


ip route 172.30.8.0 255.255.255.248 172.30.8.17


We are indicating that if somebody behind Router3 wants to reach 172.30.8.18, then traffic should be sent to 172.30.8.17, which is the firewall's dmz22 interface. Once the traffic reaches the firewall, the static comes into the picture.


Here is a link on configuring routes on the router:

http://www.cisco.com/en/US/docs/routers/access/1800/1801/software/configuration/guide/routconf.html#wp1123657


Hope this helps

manjesin Wed, 01/30/2008 - 10:33

Hi,

Make sure you also open ICMP any any on the dmz22 and dmz11 interfaces, since ICMP is not allowed on the firewall by default.
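The procedure manjesin lays out across the posts above (nat/global for the higher-to-lower direction, an identity static plus access-list for lower-to-higher, ICMP explicitly permitted, and a route on the far router pointing at the firewall's DMZ address) can be captured as a small generator. The following is an added example and not code from the thread or from Cisco: it picks the direction of each statement from the interface security levels, emits the PIX 6.x lines for a two-way ping between one host on each DMZ, and includes a coverage check for the case where a static or route prefix "looks fine" but does not actually contain the host being pinged. The interface names, security levels and all addresses are constructed sample values modelled on the ones quoted in the thread; the firewall's own interface addresses (172.30.8.9 and 172.30.8.17) are assumptions.

```python
# Added example (not from the original thread): emit the PIX 6.x statements
# the thread's procedure calls for, choosing direction by security level, and
# check that a route or static prefix actually covers the host being pinged.
# Interface names, security levels and all addresses are constructed sample
# values modelled on the ones quoted in the thread.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Iface:
    name: str       # PIX nameif, e.g. dmz11
    security: int   # security level, 0-100
    ip: str         # the firewall's own address on that interface


def covers(network: str, mask: str, host: str) -> bool:
    """True if host lies inside network/mask (PIX/IOS dotted-mask notation)."""
    net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    return ipaddress.ip_address(host) in net


def inter_dmz_ping_config(a: Iface, host_a: str, b: Iface, host_b: str,
                          nat_id: int = 1, acl: str = "101") -> list[str]:
    """PIX 6.x lines letting host_a and host_b ping each other across two DMZs.

    higher -> lower : nat/global (PAT to the lower interface address)
    lower  -> higher: identity static for the higher-side host
    PIX 6.x does not track ICMP statefully, so the access-list on the lower
    interface must permit both the echo coming in and the echo-reply that
    answers a ping which left PAT'd to the lower interface address.
    """
    if a.security == b.security:
        raise ValueError("PIX 6.x drops traffic between equal security levels")
    if a.security > b.security:
        high, high_host, low, low_host = a, host_a, b, host_b
    else:
        high, high_host, low, low_host = b, host_b, a, host_a
    return [
        f"nat ({high.name}) {nat_id} 0.0.0.0 0.0.0.0",
        f"global ({low.name}) {nat_id} interface",
        f"static ({high.name},{low.name}) {high_host} {high_host} "
        f"netmask 255.255.255.255",
        # echo from the lower host to the real address of the higher host
        f"access-list {acl} permit icmp host {low_host} host {high_host} echo",
        # echo-reply to a ping that left PAT'd to the lower interface address
        f"access-list {acl} permit icmp host {low_host} host {low.ip} echo-reply",
        f"access-group {acl} in interface {low.name}",
    ]


def router_route_for(remote_host: str, remote_mask: str, firewall_ip: str) -> str:
    """IOS static route sending the remote host's network to the firewall's
    address on the router's own segment."""
    net = ipaddress.ip_network(f"{remote_host}/{remote_mask}", strict=False)
    return f"ip route {net.network_address} {net.netmask} {firewall_ip}"


if __name__ == "__main__":
    dmz11 = Iface("dmz11", 40, "172.30.8.9")   # constructed
    dmz22 = Iface("dmz22", 30, "172.30.8.17")  # constructed
    for line in inter_dmz_ping_config(dmz11, "172.30.8.10", dmz22, "172.30.8.18"):
        print(line)
    # route R2 needs for R1's segment, via the dmz22 interface
    print(router_route_for("172.30.8.10", "255.255.255.248", "172.30.8.17"))
    # does a /29 prefix starting at 172.30.8.0 contain the R2 address?
    print(covers("172.30.8.0", "255.255.255.248", "172.30.8.18"))
```

The argument order does not matter; the security levels decide which interface gets the nat/global and which gets the static and access-group. Run it and compare the printed lines with `show static`, `show nat`, `show access-list` and the routers' `show ip route` before testing pings, and use `covers()` on each quoted prefix, because an identity static or a route whose mask excludes the host produces exactly the "routes look fine but nothing pings" symptom the original post describes.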
