Can't ping server in DMZ1 from Inside interface

slayerhawk
Level 1

Hi all, I cannot ping a server that has ip 62.15.25.25 from a server that exists on an Inside interface with the ip of 172.17.2.50.

In our PIX 515, I have the following references to either server.

nat (inside) 2 172.17.2.50 255.255.255.255 0 0

static (inside,outside) tcp 62.15.25.26 smtp 172.17.2.50 smtp netmask 255.255.255.255 0 0

aaa-server authinbound (inside) host 172.17.2.50 testkey timeout 10

access-list 101 permit tcp host 62.15.25.25 any eq smtp

access-list 101 permit ip host 62.15.25.25 host 172.16.2.1

access-list 101 permit ip host 62.15.25.25 host 172.17.1.32

access-list 30 permit tcp any host 62.15.25.25 eq domain

access-list 30 permit udp any host 62.15.25.25 eq domain

static (dmz1,outside) 62.15.25.25 62.15.25.25 netmask 255.255.255.255 0 0

static (inside,dmz1) 62.15.25.25 172.17.2.120 netmask 255.255.255.255 0 0

Any ideas?

8 Replies

srue
Level 7

You've only posted bits of the config... which are useless without other parts.

Whatever ACL is applied to your DMZ interface, add something like:

access-list acl_name permit icmp any any echo-reply

Or turn on ICMP inspection if running 7.x or later.

I tried the echo-reply and it didn't work.

What is this static supposed to do?

static (inside,dmz1) 62.15.25.25 172.17.2.120 netmask 255.255.255.255 0 0

All you should need is...

static (inside,dmz1) 172.17.2.0 172.17.2.0 netmask 255.255.255.0

Then ping 62.15.25.25

I'm not sure what that static does, I am new to PIX.

The interesting thing is that all other servers on the 172.17.2.0 subnet can ping the 62.15.25.25 address... Just 172.17.2.50 cannot ping it.

I found this statement in the PIX and I don't know what it does. Can someone explain what it does for me?

nat (inside) 2 172.17.2.50 255.255.255.255 0 0

I removed it from the PIX and my 172.17.2.50 server was then able to ping the 62.15.25.25 address.

Any ideas?

There should also be a corresponding global statement with the number 2.

global (xxxxx) 2 ....

I do have global statements that look like this, but they don't reference the ip address of 172.17.2.50.

global (outside) 2 xxx.xxx.xxx.xxx

global (outside) 2 xxx.xxx.xxx.xxx

global (outside) 2 xxx.xxx.xxx.xxx

These global statements only reference external IP addresses, but not the DMZ.
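
Added example (not part of the thread and not Cisco code): a small Python check for the situation the last replies describe, a `nat` ID on one interface with no `global` of the same ID on the interface the traffic leaves by. The sample config is constructed: the `nat (inside) 2` line is from the thread, while the global addresses and the ID 1 lines are placeholders and assumptions.

```python
import re
from collections import defaultdict

# Constructed sample. The "nat (inside) 2" line is quoted in the thread; the
# global addresses are placeholders (the thread masks them), and the ID 1
# lines are hypothetical, standing in for whatever rule covers the other hosts.
SAMPLE_CONFIG = """\
nat (inside) 2 172.17.2.50 255.255.255.255 0 0
nat (inside) 1 172.17.2.0 255.255.255.0 0 0
global (outside) 2 192.0.2.10
global (outside) 1 192.0.2.11
global (dmz1) 1 192.0.2.12
"""

NAT_RE = re.compile(r"^nat \(([^)]+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \(([^)]+)\) (\d+)\s")


def parse(config):
    """Return (nat rules, {nat_id: interfaces that have a global for it})."""
    nats, globals_by_id = [], defaultdict(set)
    for raw in config.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            nats.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            globals_by_id[int(m.group(2))].add(m.group(1))
    return nats, globals_by_id


def unmatched_nat(config, egress_if):
    """List nat rules whose ID has no global on egress_if.

    ID 0 (NAT exemption) needs no global and is skipped. Statics are not
    modelled, so a hit means "check this pair", not "traffic is dropped".
    """
    nats, globals_by_id = parse(config)
    return [
        rule for rule in nats
        if rule[1] != 0 and rule[0] != egress_if
        and egress_if not in globals_by_id[rule[1]]
    ]


if __name__ == "__main__":
    for iface, nat_id, net, mask in unmatched_nat(SAMPLE_CONFIG, "dmz1"):
        print(f"nat ({iface}) {nat_id} {net} {mask}: no global ({nat_id}) on dmz1")
```

Run it against the full `show running-config` output rather than excerpts, since a partial config will produce false hits.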
