PIX Firewall Problem

Unanswered Question
Mar 10th, 2008

I am again having a strange problem. I have two servers in the DMZ. I want one server to go to the Internet and also communicate with one of the servers located on the outside with local IP address 172.28.92.72.

My ASDM is showing me packet tracer successfully without any problem. But when I try to ping from the server on the DMZ to the server located on the outside I got the following error:

Destination net unreachable.
Destination net unreachable.
Destination net unreachable.
Destination net unreachable.

I configured the same settings as for server 2 with IP address 172.28.92.68.

But I want 172.28.92.72 to have a static for the Internet, but to communicate with the outside server using the same IP 172.28.92.72:

access-list outside_acl extended permit ip host x.74.112.153 host 172.28.92.72
access-list nonat extended permit ip host 172.28.92.72 host x.74.112.153
static (edn,outside) x.223.188.39 172.28.92.72 netmask 255.255.255.255
telnet 172.28.92.72 255.255.255.255 edn

TDC-INT-525-01# sh run | in 172.28.92.68
access-list outside_acl extended permit ip x.223.188.0 255.255.255.0 host 172.28.92.68
access-list outside_acl extended permit ip host x.74.112.153 host 172.28.92.68
access-list nonat extended permit ip host 172.28.92.68 x.223.188.0 255.255.255.0
access-list nonat extended permit ip host 172.28.92.68 host x.74.112.153
nat (inside) 0 access-list nonat
nat (edn) 0 access-list nonat

Please help me out.

sundar.palaniappan Mon, 03/10/2008 - 16:05

Have you checked whether the server on the outside knows how to route traffic back to 172.28.92.72? If it does, can you look at the packet trace on the outside interface to see if you see the response from the server on the outside coming in?

wasiimcisco Mon, 03/10/2008 - 16:10

Yes, the outside server has the route towards it. I am also getting hit counts on my outside firewall access-list.

See the snapshot of packet tracer from the outside interface to the DMZ. It is successful.
sundar.palaniappan Mon, 03/10/2008 - 16:48

Interesting. Have you tried removing the static and checking whether that made any difference? If not, can you do a sniffer capture on the DMZ?

wasiimcisco Mon, 03/10/2008 - 17:16

If I remove the static it works, as it is working with 172.28.92.68. But my requirement is to use the static to use the Internet.

Right now I have removed the nonat for 172.28.92.72 and am using only the static for the Internet, and the outside server is accessing it via the static IP address.

But I don't know what is wrong with the static and nonat.

Packet tracer is showing full success, but when I try to trace and ping:

destination network unreachable.

Only nonat is working or only static is working, not both at the same time.
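To check what the PIX/ASA 7.x NAT order of operations (NAT exemption evaluated before static NAT) predicts for the configuration posted above, here is an added Python model of that precedence; it is not from the thread or from Cisco, and because the "x." addresses are redacted on the page it substitutes constructed RFC 5737 stand-ins for them.

```python
import ipaddress

# Constructed stand-ins for the redacted "x." addresses in the thread (RFC 5737 space):
#   x.74.112.153 -> 198.51.100.153, x.223.188.0/24 -> 203.0.113.0/24, x.223.188.39 -> 203.0.113.39
OUTSIDE_SERVER = "198.51.100.153"
STATIC_GLOBAL = "203.0.113.39"
INTERNET_HOST = "192.0.2.10"   # constructed: any host the exemption ACL does not cover

net = ipaddress.ip_network
# access-list nonat entries as (local, remote) networks; applied by "nat (edn) 0 access-list nonat"
NONAT = [
    (net("172.28.92.72/32"), net(OUTSIDE_SERVER + "/32")),
    (net("172.28.92.68/32"), net("203.0.113.0/24")),
    (net("172.28.92.68/32"), net(OUTSIDE_SERVER + "/32")),
]
# static (edn,outside) <global> <local>: stored as local -> global
STATICS = {ipaddress.ip_address("172.28.92.72"): ipaddress.ip_address(STATIC_GLOBAL)}


def translate(src, dst):
    """Outbound edn -> outside. Returns (rule, source address as seen on outside).
    NAT exemption is checked before static NAT, so the exempted peer sees the
    real address while every other destination sees the static global."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in NONAT:
        if s in local and d in remote:
            return ("nat 0 exemption", str(s))
    if s in STATICS:
        return ("static", str(STATICS[s]))
    return ("no translation rule", None)   # would fall through to dynamic nat/global


def untranslate(src, dst):
    """Inbound outside -> edn. Returns the real edn host for a destination, or None.
    The exemption ACL is matched in reverse for inbound traffic; a static global
    always maps back to its local host."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in NONAT:
        if d in local and s in remote:
            return str(d)
    for local, glob in STATICS.items():
        if d == glob:
            return str(local)
    return None


if __name__ == "__main__":
    print(translate("172.28.92.72", OUTSIDE_SERVER))    # ('nat 0 exemption', '172.28.92.72')
    print(translate("172.28.92.72", INTERNET_HOST))     # ('static', '203.0.113.39')
    print(untranslate(OUTSIDE_SERVER, "172.28.92.72"))  # 172.28.92.72
    print(untranslate(INTERNET_HOST, "172.28.92.72"))   # None: real address is only reachable from the exempted peer
```

The model shows the two rules are not supposed to conflict, which is why the replies in this thread point at the return route and a sniffer capture rather than at the configuration lines themselves.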

sundar.palaniappan Mon, 03/10/2008 - 17:50

Glad it works!!

Can you do the static at port level for Internet access? That may be a workaround for you to get both working.

Moreover, can you use a different name for the no-nat access list, different from the no-nat access list name for the inside interface? It really shouldn't matter, but with all the caveats it's worth a try.

HTH

Sundar
