PIX Firewall Problem

Mar 10th, 2008

I am again having a strange problem. I have two servers in the DMZ. I want one server to go to the internet and also communicate with one of the servers located on the outside with local IP address 172.28.92.72.


My ASDM packet tracer shows success without any problem. But when I try to ping from the server in the DMZ to the server located on the outside I get the following error:

Destination net unreachable.
Destination net unreachable.
Destination net unreachable.
Destination net unreachable.


I configured the same settings as for server 2 with IP address 172.28.92.68.


But I want 172.28.92.72 to have a static for the internet, but to communicate with the outside server using the same IP 172.28.92.72:

access-list outside_acl extended permit ip host x.74.112.153 host 172.28.92.72
access-list nonat extended permit ip host 172.28.92.72 host x.74.112.153
static (edn,outside) x.223.188.39 172.28.92.72 netmask 255.255.255.255
telnet 172.28.92.72 255.255.255.255 edn




TDC-INT-525-01# sh run | in 172.28.92.68
access-list outside_acl extended permit ip x.223.188.0 255.255.255.0 host 172.28.92.68
access-list outside_acl extended permit ip host x.74.112.153 host 172.28.92.68
access-list nonat extended permit ip host 172.28.92.68 x.223.188.0 255.255.255.0
access-list nonat extended permit ip host 172.28.92.68 host x.74.112.153

nat (inside) 0 access-list nonat
nat (edn) 0 access-list nonat

Please help me out.



sundar.palaniappan Mon, 03/10/2008 - 16:05

Have you checked whether the server on the outside knows how to route traffic back to 172.28.92.72? If it does, can you look at the packet trace on the outside interface to see if you see a response from the server on the outside coming in?

wasiimcisco Mon, 03/10/2008 - 16:10

Yes, the outside server has the route towards it. I am also getting hit counts on my outside firewall access-list.

See the snapshot of packet tracer from the outside interface to the DMZ. It is successful.



sundar.palaniappan Mon, 03/10/2008 - 16:48

Interesting. Have you tried removing the static and checking whether that made any difference? If not, can you do a sniffer capture on the DMZ?

wasiimcisco Mon, 03/10/2008 - 17:16

If I remove the static it works, as it is working with 172.28.92.68. But my requirement is to use the static to use the Internet.

Right now I have removed the nonat for 172.28.92.72 and am using only the static for the Internet, and the outside server is accessing it via the static IP address.

But I don't know what is wrong with the static and nonat.

Packet tracer is showing full success, but when I try to trace and ping:

destination network unreachable.

Only nonat is working or only static is working, not both at the same time.

sundar.palaniappan Mon, 03/10/2008 - 17:50

Glad it works!!


Can you do the static at port level for Internet access? That may be a workaround for you to get both working.

Moreover, can you use a different name for the no-nat access list, one that is different from the no-nat access list name for the inside interface? It really shouldn't matter, but with all the caveats it's worth a try.


HTH


Sundar
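The two workarounds suggested above, written out as an added PIX/ASA (pre-8.3 syntax) configuration fragment; this is not configuration from the thread or from either poster. It assumes TCP port 80 is the service the Internet needs to reach on 172.28.92.72, that NAT id 1 is free on the edn interface, and that the existing `nat (edn) 0 access-list nonat` line is removed (all three are assumptions).

```cisco
! Separate NAT-exemption ACL for the edn (DMZ) interface, so it no longer
! shares the "nonat" list with the inside interface (second suggestion).
! The 172.28.92.68 entries are carried over from the existing nonat list.
access-list edn_nonat extended permit ip host 172.28.92.72 host x.74.112.153
access-list edn_nonat extended permit ip host 172.28.92.68 x.223.188.0 255.255.255.0
access-list edn_nonat extended permit ip host 172.28.92.68 host x.74.112.153
no nat (edn) 0 access-list nonat
nat (edn) 0 access-list edn_nonat
!
! Port-level static (static PAT) instead of the one-to-one static, so only
! the published service is translated to x.223.188.39 (first suggestion).
! Port 80 is an assumed example service.
no static (edn,outside) x.223.188.39 172.28.92.72 netmask 255.255.255.255
static (edn,outside) tcp x.223.188.39 80 172.28.92.72 80 netmask 255.255.255.255
!
! Outbound Internet access for the host no longer rides on the one-to-one
! static, so it needs a dynamic translation (NAT id 1 is an assumption;
! reuse the existing nat/global id if one is already defined).
nat (edn) 1 172.28.92.72 255.255.255.255
global (outside) 1 interface
!
! Inbound ACL on outside: pre-8.3 ACLs match the translated address, so
! Internet clients are permitted to the mapped IP/port, while the exempted
! outside server is still permitted to the real (untranslated) address.
access-list outside_acl extended permit tcp any host x.223.188.39 eq 80
access-list outside_acl extended permit ip host x.74.112.153 host 172.28.92.72
```

After applying it, `clear xlate` and re-running packet tracer from both directions will show which translation each flow now hits.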
