Pix 515 DMZ routing question

Jul 31st, 2008

Hi,

I have a public /24 address range that I want to apply to a DMZ on a PIX 515. The outside interface on the PIX is connected to a Cisco router using a private address 10.x.x.x. This router is running BGP and EIGRP. I need to advertise the DMZ range in BGP and allow traffic from the internet to the DMZ on the PIX. The issue I seem to be having is getting the traffic from the router to the DMZ. At the moment there are no access-lists in place anywhere and the router has routes to the PIX. By debugging ICMP on the PIX I can see the inbound ICMP traffic hitting the PIX OK but the PIX doesn't reply. I have tried this with static and EIGRP routes on both the router and PIX.


Any help much appreciated...

Farrukh Haroon Thu, 07/31/2008 - 18:21

If you don't apply an ACL on the outside interface (lower security), how will it communicate with the DMZ interface (higher security)? Also, by the PIX/ASA rules you will not be able to ping the DMZ interface itself from the router on the outside; try to ping something 'behind' the DMZ interface, like a web server etc.


Regards


Farrukh

clougher01 Thu, 07/31/2008 - 18:25

I did have an ACL permit ip any any on the outside to start with but deleted it to test...


Can I ask why I can't ping the DMZ interface from the outside router?

Farrukh Haroon Thu, 07/31/2008 - 18:37

This is just one of the 'rules' in the Cisco firewall, perhaps to keep the firewall's zones 'stealth' in a way (I know it's lame :) ).


You cannot ping any of its interfaces THROUGH another interface (by default). Put the ACL back and try to test using something other than ping.


outside-router#>telnet dmz-server


Regards


Farrukh
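A configuration sketch, added here and not taken from the thread, of the setup the replies above describe: the public /24 lives on the DMZ, the outside interface sits on a private 10.x link to the BGP/EIGRP router, and an inbound ACL on the outside interface is what lets lower-security traffic reach the higher-security DMZ. PIX 6.x syntax is assumed, and every address (203.0.113.0/24, 10.0.0.0/30, the host 203.0.113.10) and the ACL name outside_in are placeholders, not values from the original post.

```cisco
! Placeholder addressing (not from the thread): outside on a private /30 to the router,
! dmz carrying the public /24 that the router advertises in BGP.
nameif ethernet0 outside security0
nameif ethernet2 dmz security50
ip address outside 10.0.0.2 255.255.255.252
ip address dmz 203.0.113.1 255.255.255.0

! Default route toward the router; the router in turn routes 203.0.113.0/24 to 10.0.0.2.
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1

! Identity NAT so DMZ hosts keep their public addresses when reached from outside.
static (dmz,outside) 203.0.113.0 203.0.113.0 netmask 255.255.255.0

! Weak setting: the "permit ip any any" used for testing in the thread exposes every
! DMZ host and port to the internet once the routing works.
! access-list outside_in permit ip any any

! Corrected: permit only the services the DMZ hosts actually offer, log the rest.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-list outside_in permit icmp any 203.0.113.0 255.255.255.0 echo
access-list outside_in deny ip any any log

! Without this line, lower-to-higher traffic is dropped regardless of routing.
access-group outside_in in interface outside

! Pings addressed to a PIX interface are governed by the icmp command, and only for the
! interface the packet arrives on; the DMZ interface address still cannot be pinged from
! the outside router, so test against a host behind it (the 203.0.113.10 web server here).
icmp permit host 10.0.0.1 echo outside
```

With this in place the router's ping to 203.0.113.10 and a `telnet 203.0.113.10 80` from the router both traverse the firewall, while a ping to 203.0.113.1 (the DMZ interface) is still answered with silence by design.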

clougher01 Thu, 07/31/2008 - 18:44

Yup, you were correct. Didn't know you can't ping the DMZ interface address.


Thanks very much all good now...

Correct Answer
Farrukh Haroon Thu, 07/31/2008 - 19:01

No problem at all, many people are stumped by this :)


Please rate helpful posts.


Regards

Farrukh
