DMZ setup

Unanswered Question
Dec 8th, 2008

Hello everyone,

I have a small problem I am hoping someone can offer some assistance with.

I have set up a test network using a pix 515e, and a 3750g switch. I have 1 interface on the pix in the 10.10.1.1 network, which is my internal lan. I have another interface on the pix with IP address 10.10.2.1, which is my DMZ network.

Both interfaces patch into the 3750g, the internal pix interface into port 1/0/1, and the DMZ interface into 1/0/15. Vlan 1 on the switch has IP address 10.10.1.250.

I also have 2 servers in vlan99 (dmz vlan) on the switch, which 1/0/15 is also a member of. Vlan 99 has IP address 10.10.2.250. The 2 servers have a default gateway of 10.10.2.1 (dmz interface on the pix). These 2 servers cannot ping the default gateway, but I can ping the servers from the switch.

There is only 1 route on the switch which is the default route to 10.10.1.1.

Does anyone know why I cannot reach the DMZ interface on the pix from the switch? ICMP is allowed on the pix interface.

Any assistance would be greatly appreciated.

Thanks


Jon Marshall Mon, 12/08/2008 - 03:10

How have you allowed ICMP on the pix interface ?

Do the servers only have one NIC ?

Are your subnet masks consistent?

What version of pix software are you running ?

The pix DMZ interface and the server ports are all allocated into vlan 99 and this exists as a L2 vlan on the 3750g ?

Jon

Gatling_uk Mon, 12/08/2008 - 03:16

Thanks for the quick reply.

Pix version 7.2

ICMP permit any any inbound on the pix dmz interface (just for testing).

Subnet masks are all consistent.

Only 1 NIC per server, patched directly into the switch.

Sorry, the dmz interface on the pix is unallocated, it is in the default vlan. The 2 servers are both in vlan 99 and I have now removed the IP address allocation from that vlan. Was just tinkering with it earlier.

Thanks again.

Jon Marshall Mon, 12/08/2008 - 03:23

Christopher

Just to clarify then

1) you have "icmp permit any " in your configuration

2) Not sure what you mean by "The 2 servers are both in vlan 99 and I have now removed the IP address allocation from that vlan"

Jon

Gatling_uk Mon, 12/08/2008 - 03:28

1) that's correct, but no traffic reaches the dmz interface on the pix from the switch, it is not strictly icmp traffic that is the problem.

2) Both servers are patched into vlan 99 on the switch, but that vlan no longer has an ip address. (I added the ip address this morning whilst testing but have now removed it).

Gatling_uk Mon, 12/08/2008 - 03:29

Further info:

The switch does know that the pix interface is there, its mac address appears in the switch cam table.

Anything else just ask :)

Jon Marshall Mon, 12/08/2008 - 03:34

"Anything else just ask :)"

Well since you asked :-)

Can you post output of

"sh vlan"

"sh run"

from the 3750

"sh run" from the pix.

When you try to ping the DMZ interface from a server what do the arp tables look like on

i) the server - is the DMZ mac-address there ?

ii) the pix - is the server mac-address there ?

Jon

Gatling_uk Mon, 12/08/2008 - 03:45

#sh run

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname switch2

!

enable secret 5 $1$rMLz$axMm2ss8kb3bnq001Ok3f1

!

no aaa new-model

switch 1 provision ws-c3750g-48ts

system mtu routing 1500

vtp mode transparent

ip subnet-zero

!

!

!

!

no file verify auto

spanning-tree mode pvst

spanning-tree extend system-id

!

!

vlan access-map 99 10

action forward

vlan internal allocation policy ascending

!

vlan 5

name vMotion

!

vlan 29

name Colo Network

!

vlan 77

name Management

!

vlan 99

name DMZ

!

!

interface GigabitEthernet1/0/1

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet1/0/2

!

interface GigabitEthernet1/0/3

!

interface GigabitEthernet1/0/4

!

interface GigabitEthernet1/0/5

!

interface GigabitEthernet1/0/6

!

interface GigabitEthernet1/0/7

!

interface GigabitEthernet1/0/8

!

interface GigabitEthernet1/0/9

!

interface GigabitEthernet1/0/10

!

interface GigabitEthernet1/0/11

!

interface GigabitEthernet1/0/12

!

interface GigabitEthernet1/0/13

!

interface GigabitEthernet1/0/14

!

interface GigabitEthernet1/0/15

!

interface GigabitEthernet1/0/16

!

interface GigabitEthernet1/0/17

switchport access vlan 77

switchport mode access

!

interface GigabitEthernet1/0/18

switchport access vlan 77

!

interface GigabitEthernet1/0/19

switchport access vlan 77

!

interface GigabitEthernet1/0/20

switchport access vlan 77

!

interface GigabitEthernet1/0/21

switchport access vlan 77

!

interface GigabitEthernet1/0/22

switchport access vlan 77

!

interface GigabitEthernet1/0/23

switchport access vlan 77

!

interface GigabitEthernet1/0/24

switchport access vlan 77

!

interface GigabitEthernet1/0/25

switchport access vlan 77

!

interface GigabitEthernet1/0/26

switchport access vlan 77

!

interface GigabitEthernet1/0/27

switchport access vlan 77

!

interface GigabitEthernet1/0/28

switchport access vlan 5

!

interface GigabitEthernet1/0/29

switchport access vlan 5

!

interface GigabitEthernet1/0/30

switchport access vlan 5

!

interface GigabitEthernet1/0/31

switchport access vlan 5

!

interface GigabitEthernet1/0/32

switchport access vlan 5

!

interface GigabitEthernet1/0/33

!

interface GigabitEthernet1/0/34

!

interface GigabitEthernet1/0/35

!

interface GigabitEthernet1/0/36

!

interface GigabitEthernet1/0/37

!

interface GigabitEthernet1/0/38

!

interface GigabitEthernet1/0/39

switchport access vlan 29

!

interface GigabitEthernet1/0/40

switchport access vlan 29

!

interface GigabitEthernet1/0/41

switchport access vlan 29

!

interface GigabitEthernet1/0/42

!

interface GigabitEthernet1/0/43

switchport access vlan 99

!

interface GigabitEthernet1/0/44

switchport access vlan 99

!

interface GigabitEthernet1/0/45

switchport access vlan 99

!

interface GigabitEthernet1/0/46

switchport access vlan 99

!

interface GigabitEthernet1/0/47

!

interface GigabitEthernet1/0/48

!

interface GigabitEthernet1/0/49

!

interface GigabitEthernet1/0/50

!

interface GigabitEthernet1/0/51

!

interface GigabitEthernet1/0/52

!

interface Vlan1

ip address 10.10.1.250 255.255.255.0

!

interface Vlan5

no ip address

!

interface Vlan77

no ip address

!

interface Vlan99

no ip address

!

ip default-gateway 10.10.1.1

ip classless

no ip http server

!

!

!

control-plane

!

Gatling_uk Mon, 12/08/2008 - 03:46

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Gi1/0/2, Gi1/0/3, Gi1/0/4

Gi1/0/5, Gi1/0/6, Gi1/0/7

Gi1/0/8, Gi1/0/9, Gi1/0/10

Gi1/0/11, Gi1/0/12, Gi1/0/13

Gi1/0/14, Gi1/0/15, Gi1/0/16

Gi1/0/33, Gi1/0/34, Gi1/0/35

Gi1/0/36, Gi1/0/37, Gi1/0/38

Gi1/0/42, Gi1/0/47, Gi1/0/48

Gi1/0/49, Gi1/0/50, Gi1/0/51

Gi1/0/52

5 vMotion active Gi1/0/28, Gi1/0/29, Gi1/0/30

Gi1/0/31, Gi1/0/32

29 Colo Network active Gi1/0/39, Gi1/0/40, Gi1/0/41

77 Management active Gi1/0/17, Gi1/0/18, Gi1/0/19

Gi1/0/20, Gi1/0/21, Gi1/0/22

Gi1/0/23, Gi1/0/24, Gi1/0/25

Gi1/0/26, Gi1/0/27

99 DMZ active Gi1/0/43, Gi1/0/44, Gi1/0/45

Gi1/0/46

1002 fddi-default act/unsup

1003 token-ring-default act/unsup

1004 fddinet-default act/unsup

1005 trnet-default act/unsup

Jon Marshall Mon, 12/08/2008 - 03:51

Christopher

Your original post said that the DMZ interface was connected into the 3750 on interface 1/0/15. Have you changed this to be one of the 43/44/45 interfaces ?

Also can you remove the vlan access map config from your 3750 for vlan 99.

Jon

Gatling_uk Mon, 12/08/2008 - 03:56

Sorry yes, it is now the 43 interface.

I have removed the vlan access-map.

Gatling_uk Mon, 12/08/2008 - 03:51

Modified pix output:

hostname

domain-name

names

dns-guard

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.10.1.1 255.255.255.0 standby 10.10.1.2

!

interface GigabitEthernet0/2

nameif dmz

security-level 90

ip address 10.10.2.1 255.255.255.0 standby 10.10.2.2

!

interface GigabitEthernet0/3

description LAN/STATE Failover Interface

!

interface Management0/0

nameif management

security-level 100

ip address

management-only

!

ftp mode passive

clock timezone GMT/BST 0

clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00

dns server-group DefaultDNS

access-list acl_dmz extended permit icmp any any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu management 1500

failover

failover lan unit secondary

failover lan interface state GigabitEthernet0/3

failover key *****

failover link state GigabitEthernet0/3

failover interface ip state 172.17.1.1 255.255.255.252 standby 172.17.1.2

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

nat (inside) 0 access-list nonat

access-group acl_outside in interface outside

access-group acl_dmz in interface dmz

route outside 0.0.0.0 0.0.0.0 172.29.1.253 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

sysopt noproxyarp outside

sysopt noproxyarp inside

sysopt noproxyarp dmz

sysopt noproxyarp management

service resetoutside

prompt hostname context

: end

Jon Marshall Mon, 12/08/2008 - 04:04

Christopher

Can you add to your config

"icmp permit any dmz"

You have an access-list on your pix for the dmz interface called acl_dmz but the access-list only controls traffic that goes THROUGH the pix not traffic with a destination address of the pix interface. To control icmp for that traffic you use the above command.

Jon
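Jon's distinction above is the one that trips people up on PIX/ASA: `access-group <acl> in interface <if>` filters traffic passing through the firewall, while ICMP addressed to the interface's own address is governed only by `icmp permit|deny ... <if>` lines. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses a PIX 7.x style config and reports interfaces that carry a through-traffic ACL but have no explicit to-the-box ICMP rule. The sample config is constructed from the interface, access-list, access-group and icmp lines posted earlier in the thread; the function names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the interface / access-group / icmp lines posted in the thread,
# trimmed to what this audit needs.
SAMPLE_PIX = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0 standby 10.10.1.2
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 90
 ip address 10.10.2.1 255.255.255.0 standby 10.10.2.2
!
access-list acl_dmz extended permit icmp any any
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
access-group acl_outside in interface outside
access-group acl_dmz in interface dmz
"""


@dataclass
class Iface:
    name: str                                   # nameif value, e.g. "dmz"
    security_level: Optional[int] = None
    ip: Optional[str] = None
    through_acl: Optional[str] = None           # "access-group <acl> in interface <name>"
    to_box_icmp: List[str] = field(default_factory=list)  # "icmp permit|deny ... <name>"


def parse_pix(config: str) -> Dict[str, Iface]:
    """Split the config into interface stanzas (terminated by '!') and global lines,
    then attach access-group and icmp rules to the interface they name."""
    ifaces: Dict[str, Iface] = {}
    stanza: List[str] = []
    global_lines: List[str] = []
    in_iface = False

    def flush() -> None:
        name = next((l.split()[1] for l in stanza if l.startswith("nameif ")), None)
        if name is not None:
            iface = Iface(name)
            for l in stanza:
                parts = l.split()
                if l.startswith("security-level "):
                    iface.security_level = int(parts[1])
                elif l.startswith("ip address ") and len(parts) >= 4:  # skip bare "ip address"
                    iface.ip = parts[2]
            ifaces[name] = iface
        stanza.clear()

    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            flush()
            in_iface = True
        elif line == "!" or not line:
            flush()
            in_iface = False
        elif in_iface:
            stanza.append(line)
        else:
            global_lines.append(line)
    flush()

    for line in global_lines:
        m = re.match(r"access-group (\S+) in interface (\S+)$", line)
        if m and m.group(2) in ifaces:
            ifaces[m.group(2)].through_acl = m.group(1)
            continue
        m = re.match(r"icmp (permit|deny) (.+) (\S+)$", line)   # last token is the interface
        if m and m.group(3) in ifaces:
            ifaces[m.group(3)].to_box_icmp.append(f"{m.group(1)} {m.group(2)}")
    return ifaces


def interfaces_missing_to_box_icmp_rule(ifaces: Dict[str, Iface]) -> List[str]:
    """Interfaces with a through-traffic ACL applied but no explicit icmp permit/deny
    rule naming them. A 'permit icmp' entry inside that ACL does not cover pings
    addressed to the interface address itself, which is the gap Jon points out."""
    return sorted(n for n, i in ifaces.items() if i.through_acl and not i.to_box_icmp)


if __name__ == "__main__":
    for name, iface in parse_pix(SAMPLE_PIX).items():
        print(f"{name:8} sec={iface.security_level} ip={iface.ip} "
              f"through_acl={iface.through_acl} to_box_icmp={iface.to_box_icmp}")
    print("missing to-the-box ICMP rule:", interfaces_missing_to_box_icmp_rule(parse_pix(SAMPLE_PIX)))
```

On the posted config the audit flags `dmz` only: it has `acl_dmz` applied but no `icmp ... dmz` line, while `outside` already has `icmp permit any outside`. Appending `icmp permit any dmz` (Jon's suggestion) clears the finding.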

Gatling_uk Mon, 12/08/2008 - 04:10

Thanks, have added that. Unfortunately the problem remains though..

Jon Marshall Mon, 12/08/2008 - 04:20

Okay this is bit of a stubborn one. To recap

1) You have now got "icmp permit any dmz" on your pix

2) Your servers have got 10.10.2.1 as their default-gateway.

3) The servers ip address is taken from the 10.10.2.x subnet and the subnet mask on the servers is 255.255.255.0

4) The server you are testing from and the pix dmz interface are connected into one of the gi1/0/43 - 46 interfaces on the 3750g.

If all of the above

1) Ping the pix interface from a server and then check the arp caches on both the server and the pix. Do you see the mac-addresses in there ?

2) Have you tried to ping something on the inside of the pix from a server in the DMZ and vice-versa.

Other than that we may need to look at packet capture.

You said earlier in one of your replies

"1) that's correct, but no traffic reaches the dmz interface on the pix from the switch, it is not strictly icmp traffic that is the problem."

How have you verified that no traffic is reaching the DMZ interface?

Finally can you confirm that the DMZ interface is up/up.

Jon

Gatling_uk Mon, 12/08/2008 - 04:56

All of the first 4 points are correct.

The mac addresses do not appear in the arp cache on either of the servers or the firewall.

I cannot ping anything on the inside interface of the pix.

I have verified nothing is reaching the pix by observing the input/output counters as I send data.

DMZ interface is up/up.

Jon Marshall Mon, 12/08/2008 - 05:02

Christopher

Can you try pinging the server from the pix ?

Can you post output of

"ipconfig /all" from the server you are using to test.

Can you post a "sh ip int brief" from the 3750 ?

Sorry to ask for all this info but it is needed.

Jon

Gatling_uk Mon, 12/08/2008 - 05:14

I can't ping the server from the pix.

I can ping one server from another in the dmz, which goes through the 3750, but I can't ping the 3750 from the servers, on either the vlan 1 ip address or the vlan 99 ip address (I have given vlan 99 an ip address in the 10.10.2.x range again). I can't ping the servers from the switch either.

ipconfig /all on server 1 reads:

ip address: 10.10.2.100

subnet mask: 255.255.255.0

default gateway: 10.10.2.1

primary dns: 10.10.1.50

secondary dns: 10.10.1.51

I can ping server 2 on address 10.10.2.101

Gatling_uk Mon, 12/08/2008 - 05:48

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname switch2

!

enable secret 5 $1$rMLz$axMm2ss8kb3k3f1

!

no aaa new-model

switch 1 provision ws-c3750g-48ts

system mtu routing 1500

vtp mode transparent

ip subnet-zero

!

!

!

!

no file verify auto

spanning-tree mode pvst

spanning-tree extend system-id

!

!

vlan internal allocation policy ascending

!

vlan 5

name vMotion

!

vlan 29

name Colo Network

!

vlan 77

name Management

!

vlan 99

name DMZ

!

!

interface GigabitEthernet1/0/1

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet1/0/2

!

interface GigabitEthernet1/0/3

!

interface GigabitEthernet1/0/4

!

interface GigabitEthernet1/0/5

!

interface GigabitEthernet1/0/6

!

interface GigabitEthernet1/0/7

!

interface GigabitEthernet1/0/8

!

interface GigabitEthernet1/0/9

!

interface GigabitEthernet1/0/10

!

interface GigabitEthernet1/0/11

!

interface GigabitEthernet1/0/12

!

interface GigabitEthernet1/0/13

!

interface GigabitEthernet1/0/14

!

interface GigabitEthernet1/0/15

!

interface GigabitEthernet1/0/16

!

interface GigabitEthernet1/0/17

switchport access vlan 77

switchport mode access

!

interface GigabitEthernet1/0/18

switchport access vlan 77

!

interface GigabitEthernet1/0/19

switchport access vlan 77

!

interface GigabitEthernet1/0/20

switchport access vlan 77

!

interface GigabitEthernet1/0/21

switchport access vlan 77

!

interface GigabitEthernet1/0/22

switchport access vlan 77

!

interface GigabitEthernet1/0/23

switchport access vlan 77

!

interface GigabitEthernet1/0/24

switchport access vlan 77

!

interface GigabitEthernet1/0/25

switchport access vlan 77

!

interface GigabitEthernet1/0/26

switchport access vlan 77

!

interface GigabitEthernet1/0/27

switchport access vlan 77

!

interface GigabitEthernet1/0/28

switchport access vlan 5

!

interface GigabitEthernet1/0/29

switchport access vlan 5

!

interface GigabitEthernet1/0/30

switchport access vlan 5

!

interface GigabitEthernet1/0/31

switchport access vlan 5

!

interface GigabitEthernet1/0/32

switchport access vlan 5

!

interface GigabitEthernet1/0/33

!

interface GigabitEthernet1/0/34

!

interface GigabitEthernet1/0/35

!

interface GigabitEthernet1/0/36

!

interface GigabitEthernet1/0/37

!

interface GigabitEthernet1/0/38

!

interface GigabitEthernet1/0/39

switchport access vlan 29

!

interface GigabitEthernet1/0/40

switchport access vlan 29

!

interface GigabitEthernet1/0/41

switchport access vlan 29

!

interface GigabitEthernet1/0/42

!

interface GigabitEthernet1/0/43

switchport access vlan 99

!

interface GigabitEthernet1/0/44

switchport access vlan 99

!

interface GigabitEthernet1/0/45

switchport access vlan 99

!

interface GigabitEthernet1/0/46

switchport access vlan 99

!

interface GigabitEthernet1/0/47

!

interface GigabitEthernet1/0/48

!

interface GigabitEthernet1/0/49

!

interface GigabitEthernet1/0/50

!

interface GigabitEthernet1/0/51

!

interface GigabitEthernet1/0/52

!

interface Vlan1

ip address 10.10.1.250 255.255.255.0

!

interface Vlan5

no ip address

!

interface Vlan77

no ip address

!

interface Vlan99

ip address 10.10.2.250 255.255.255.0

!

ip default-gateway 10.10.1.1

ip classless

no ip http server

!

!

!

control-plane

!

!

line con 0

password 7 121E551510075F

login

line vty 0 4

password 7 045C5B040D2D1F

login

line vty 5 15

login

!

end

Jon Marshall Mon, 12/08/2008 - 05:53

Just to rule out a switch issue can you

1) remove "ip default-gateway 10.10.1.1"

2) add "ip route 0.0.0.0 0.0.0.0 10.10.1.1"

3) enable ip routing on the 3750, e.g. "ip routing", and then retest ping from server in vlan 99 to vlan 99 interface on switch.

Jon

Gatling_uk Mon, 12/08/2008 - 06:25

I have done all of the above.

I can now ping the switch from the servers, and the servers from the switch, but I still cannot ping the dmz interface from either the switch or the servers, or vice versa.

I also still cannot ping hosts on the internal network from the dmz servers.

Thanks

Jon Marshall Mon, 12/08/2008 - 06:36

If you want to try and ping inside servers from DMZ

1) add this to pix config "static (inside,dmz) 10.10.1.0 10.10.1.0 netmask 255.255.255.0"

2) Shutdown the vlan 99 interface on your switch.

Jon
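Two of Jon's steps interact in a way worth checking before it is left in place: enabling `ip routing` on the 3750 while it has addressed SVIs in both the inside subnet (Vlan1, 10.10.1.250) and the DMZ subnet (Vlan99, 10.10.2.250) gives the switch a routed path between the two zones that never touches the PIX, which is why shutting the vlan 99 SVI comes up as the follow-up. The following is an added example, not code from the thread or from Cisco: a Python check that parses an IOS config, maps each routed SVI to a firewall zone, and reports zone pairs the switch can forward between itself. The zone table is an assumption taken from the PIX interface addresses posted in the thread; the sample configs are constructed from the switch config posted above, cut down to the routing-relevant lines.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Assumed zone table, taken from the PIX interface subnets posted in the thread.
ZONES = {
    ipaddress.ip_network("10.10.1.0/24"): "inside",
    ipaddress.ip_network("10.10.2.0/24"): "dmz",
}

# Constructed sample: the switch config after Jon's three steps (L3 routing on,
# default route replacing ip default-gateway), trimmed to the relevant lines.
SAMPLE_L3 = """\
ip routing
!
interface Vlan1
 ip address 10.10.1.250 255.255.255.0
!
interface Vlan5
 no ip address
!
interface Vlan99
 ip address 10.10.2.250 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.10.1.1
"""

# Constructed sample: the switch as originally posted (L2 only, management gateway).
SAMPLE_L2 = (SAMPLE_L3.replace("ip routing\n!\n", "")
                      .replace("ip route 0.0.0.0 0.0.0.0 10.10.1.1", "ip default-gateway 10.10.1.1"))


def routing_enabled(config: str) -> bool:
    """On a 3750 'ip routing' is off unless it appears in the config."""
    return any(line.strip() == "ip routing" for line in config.splitlines())


def svi_networks(config: str) -> Dict[str, ipaddress.IPv4Network]:
    """Map each SVI that is addressed and not shut down to its connected subnet.
    Assumes each interface stanza is terminated by a '!' line, as in the posted config."""
    nets: Dict[str, ipaddress.IPv4Network] = {}
    current, shut = None, False
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (Vlan\d+)$", line)
        if m:
            current, shut = m.group(1), False
            continue
        if line == "!":
            current = None
            continue
        if current is None:
            continue
        if line == "shutdown":
            shut = True
            nets.pop(current, None)
            continue
        m = re.match(r"ip address (\S+) (\S+)$", line)   # 'no ip address' does not match
        if m and not shut:
            nets[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return nets


def firewall_bypass(config: str, zones=ZONES) -> List[Tuple[str, str, str, str]]:
    """SVI pairs in different firewall zones on a switch that is routing. The switch
    can forward between those subnets directly, so the PIX access-lists never see
    that traffic; a host only needs a route via the switch's SVI address to use it."""
    if not routing_enabled(config):
        return []
    zoned = [(svi, zone) for svi, net in svi_networks(config).items()
             for zone_net, zone in zones.items() if net.subnet_of(zone_net)]
    return [(a, za, b, zb) for i, (a, za) in enumerate(zoned)
            for b, zb in zoned[i + 1:] if za != zb]


def shutdown_svi(config: str, svi: str) -> str:
    """Return the config with ' shutdown' added to the named SVI stanza (Jon's step 2)."""
    out, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split()[1]
        elif line == "!":
            if current == svi:
                out.append(" shutdown")
            current = None
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("L2 switch:", firewall_bypass(SAMPLE_L2))
    print("L3 switch:", firewall_bypass(SAMPLE_L3))
    print("L3 switch, Vlan99 shut:", firewall_bypass(shutdown_svi(SAMPLE_L3, "Vlan99")))
```

The original L2 configuration produces no finding: `ip default-gateway` only serves the switch's own management traffic and the switch does not forward between VLANs. After `ip routing` is enabled the check reports the Vlan1/Vlan99 pair, and shutting the Vlan99 SVI clears it while keeping Vlan1 for management.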

Gatling_uk Mon, 12/08/2008 - 07:11

I unfortunately cannot do that right now.

I have just noticed one other thing though..

When I add the port on the 3750 that the pix dmz interface patches into to the dmz vlan it drops the entry from the cam table, but it still has an entry for the mac address associated with another port that connects to a management switch.

To clarify, port 43 on the switch is added to vlan 99 and instantly it loses that association in the cam table. There is another entry in the cam table to the dmz int mac-address via int 17 on the switch which connects to a management network.

Jon Marshall Mon, 12/08/2008 - 07:24

Okay, that's not right. Are you sure the cables are connected in correctly. It may be time to go back to basics. What happens if you allocate int 17 to vlan 99 ?

Jon

Gatling_uk Mon, 12/08/2008 - 05:15

switch2#sh ip int b

Interface IP-Address OK? Method Status Protocol

Vlan1 10.10.1.250 YES NVRAM up up

Vlan5 unassigned YES NVRAM up up

Vlan77 unassigned YES NVRAM up up

Vlan99 10.10.2.250 YES manual up up

GigabitEthernet1/0/1 unassigned YES unset up up

GigabitEthernet1/0/2 unassigned YES unset up up

GigabitEthernet1/0/3 unassigned YES unset up up

<>

GigabitEthernet1/0/15 unassigned YES unset up up

GigabitEthernet1/0/16 unassigned YES unset up up

GigabitEthernet1/0/17 unassigned YES unset up up

GigabitEthernet1/0/18 unassigned YES unset up up

GigabitEthernet1/0/19 unassigned YES unset up up

GigabitEthernet1/0/20 unassigned YES unset up up

GigabitEthernet1/0/21 unassigned YES unset up up

GigabitEthernet1/0/22 unassigned YES unset up up

GigabitEthernet1/0/23 unassigned YES unset up up

GigabitEthernet1/0/24 unassigned YES unset up up

GigabitEthernet1/0/25 unassigned YES unset up up

GigabitEthernet1/0/26 unassigned YES unset up up

GigabitEthernet1/0/27 unassigned YES unset up up

GigabitEthernet1/0/28 unassigned YES unset up up

GigabitEthernet1/0/29 unassigned YES unset up up

GigabitEthernet1/0/30 unassigned YES unset up up

GigabitEthernet1/0/31 unassigned YES unset up up

GigabitEthernet1/0/32 unassigned YES unset up up

GigabitEthernet1/0/33 unassigned YES unset up up

GigabitEthernet1/0/34 unassigned YES unset up up

GigabitEthernet1/0/35 unassigned YES unset up up

GigabitEthernet1/0/36 unassigned YES unset down down

GigabitEthernet1/0/37 unassigned YES unset down down

GigabitEthernet1/0/38 unassigned YES unset down down

GigabitEthernet1/0/39 unassigned YES unset up up

GigabitEthernet1/0/40 unassigned YES unset up up

GigabitEthernet1/0/41 unassigned YES unset up up

GigabitEthernet1/0/42 unassigned YES unset down down

GigabitEthernet1/0/43 unassigned YES unset up up

GigabitEthernet1/0/44 unassigned YES unset up up

GigabitEthernet1/0/45 unassigned YES unset up up

GigabitEthernet1/0/46 unassigned YES unset up up

GigabitEthernet1/0/47 unassigned YES unset down down

GigabitEthernet1/0/48 unassigned YES unset down down

GigabitEthernet1/0/49 unassigned YES unset down down

GigabitEthernet1/0/50 unassigned YES unset down down

GigabitEthernet1/0/51 unassigned YES unset down down

GigabitEthernet1/0/52 unassigned YES unset down down

Gatling_uk Mon, 12/08/2008 - 05:52

One other thing..

The pix knows that the 10.10.2.0 network is directly connected to it out of its dmz interface, but I can't ping 10.10.2.250 (dmz vlan ip address on the switch) from the pix.
