Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
334
Views
0
Helpful
5
Replies

Pix 515 DMZ routing question

Go to solution
clougher01
Level 1
Level 1

‎07-31-2008 04:30 PM - edited ‎03-11-2019 06:23 AM

Hi,

I have a public /24 address range that i want to apply to a DMZ on a pix 515. The outside interface on the pix is connected to a Cisco router using an private address 10.x.x.x This router is running bgp and eigrp. I need to advertise the DMZ range in BGP and allow traffic from the internet to the DMZ on the pix.The issue i seem to be having is getting the traffic from the router to the DMZ. At the moment there are no access-lists in place anywhere and the router has routes to the pix. By debugging icmp on the pix i can see the inbound icmp traffic hitting the pix ok but the pix doesnt reply. I have tried this with static and eigrp routes on both the router and pix.

Any help much appreciated...

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni
In response to clougher01

‎07-31-2008 07:01 PM

No problem at all, many people are stumped by this :)

Please rate helpful posts.

Regards

Farrukh

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni

‎07-31-2008 06:21 PM

If you don't apply an ACL on the outside interface (lower security) how will it communicate with the DMZ interface (higher security)? Also by the PIX/ASA rules you will not be able to ping the DMZ interface itself from the Router on the outside, Try to ping something 'behind' the DMZ interface, like a web-server etc.

Regards

Farrukh

0 Helpful

Go to solution
clougher01
Level 1
Level 1
In response to Farrukh Haroon

‎07-31-2008 06:25 PM

I did have an acl permit ip any any on the outside to start with but deleted to test..

Can i ask why i cant ping the DMZ interface from the outside router?

0 Helpful

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni
In response to clougher01

‎07-31-2008 06:37 PM

This is just one of the 'rules' in the Cisco Firewall perhaps to keep the firewal's zones 'stealth' in a way (I know its lame :) ).

You cannot ping any of its interfaces THROUGH another interface (by default). Put the ACL back and try to test using something other than ping.

outside-router#>telnet dmz-server

Regards

Farrukh

0 Helpful

Go to solution
clougher01
Level 1
Level 1
In response to Farrukh Haroon

‎07-31-2008 06:44 PM

Yup you were correct. Didn't know u cant ping DMZ int address.

Thanks very much all good now...

0 Helpful

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni
In response to clougher01

‎07-31-2008 07:01 PM

No problem at all, many people are stumped by this :)

Please rate helpful posts.

Regards

Farrukh

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card