DMZ setup

Gatling_uk
Level 1

Hello everyone,

I have a small problem I am hoping someone can offer some assistance with.

I have set up a test network using a pix 515e, and a 3750g switch. I have 1 interface on the pix in the 10.10.1.1 network, which is my internal lan. I have another interface on the pix with IP address 10.10.2.1, which is my DMZ network.

Both interfaces patch into the 3750g, the internal pix interface into port 1/0/1, and the DMZ interface into 1/0/15. Vlan 1 on the switch has IP address 10.10.1.250.

I also have 2 servers in vlan99 (dmz vlan) on the switch, which 1/0/15 is also a member of. Vlan 99 has IP address 10.10.2.250. The 2 servers have a default gateway of 10.10.2.1 (dmz interface on the pix). These 2 servers cannot ping the default gateway, but I can ping the servers from the switch.

There is only 1 route on the switch which is the default route to 10.10.1.1.

Does anyone know why I cannot reach the DMZ interface on the pix from the switch? ICMP is allowed on the pix interface.

Any assistance would be greatly appreciated.

Thanks

26 Replies

Jon Marshall
Hall of Fame

How have you allowed ICMP on the pix interface ?

Do the servers only have one NIC ?

Are your subnet masks consistent?

What version of pix software are you running ?

The pix DMZ interface and the server ports are all allocated into vlan 99 and this exists as a L2 vlan on the 3750g ?

Jon

Thanks for the quick reply.

Pix version 7.2

ICMP permit any any inbound on the pix dmz interface (just for testing).

Subnet masks are all consistent.

Only 1 NIC per server, patched directly into the switch.

Sorry, the dmz interface on the pix is unallocated, it is in the default vlan. The 2 servers are both in vlan 99 and I have now removed the IP address allocation from that vlan. Was just tinkering with it earlier.

Thanks again.

Christopher

Just to clarify then

1) you have "icmp permit any " in your configuration

2) Not sure what you mean by "The 2 servers are both in vlan 99 and I have now removed the IP address allocation from that vlan"

Jon

1) that's correct, but no traffic reaches the dmz interface on the pix from the switch, it is not strictly icmp traffic that is the problem.

2) Both servers are patched into vlan 99 on the switch, but that vlan no longer has an ip address. (I added the ip address this morning whilst testing but have now removed it).

Further info:

The switch does know that the pix interface is there, it's mac address appears in the switch cam table.

Anything else just ask :)

"Anything else just ask :)"

Well since you asked :-)

Can you post output of

"sh vlan"

"sh run"

from the 3750

"sh run" from the pix.

When you try to ping the DMZ interface from a server what do the arp tables look like on

i) the server - is the DMZ mac-address there ?

ii) the pix - is the server mac-address there ?

Jon

#sh run
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname switch2
!
enable secret 5 $1$rMLz$axMm2ss8kb3bnq001Ok3f1
!
no aaa new-model
switch 1 provision ws-c3750g-48ts
system mtu routing 1500
vtp mode transparent
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
!
vlan access-map 99 10
 action forward
vlan internal allocation policy ascending
!
vlan 5
 name vMotion
!
vlan 29
 name Colo Network
!
vlan 77
 name Management
!
vlan 99
 name DMZ
!
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
 switchport access vlan 77
 switchport mode access
!
interface GigabitEthernet1/0/18
 switchport access vlan 77
!
interface GigabitEthernet1/0/19
 switchport access vlan 77
!
interface GigabitEthernet1/0/20
 switchport access vlan 77
!
interface GigabitEthernet1/0/21
 switchport access vlan 77
!
interface GigabitEthernet1/0/22
 switchport access vlan 77
!
interface GigabitEthernet1/0/23
 switchport access vlan 77
!
interface GigabitEthernet1/0/24
 switchport access vlan 77
!
interface GigabitEthernet1/0/25
 switchport access vlan 77
!
interface GigabitEthernet1/0/26
 switchport access vlan 77
!
interface GigabitEthernet1/0/27
 switchport access vlan 77
!
interface GigabitEthernet1/0/28
 switchport access vlan 5
!
interface GigabitEthernet1/0/29
 switchport access vlan 5
!
interface GigabitEthernet1/0/30
 switchport access vlan 5
!
interface GigabitEthernet1/0/31
 switchport access vlan 5
!
interface GigabitEthernet1/0/32
 switchport access vlan 5
!
interface GigabitEthernet1/0/33
!
interface GigabitEthernet1/0/34
!
interface GigabitEthernet1/0/35
!
interface GigabitEthernet1/0/36
!
interface GigabitEthernet1/0/37
!
interface GigabitEthernet1/0/38
!
interface GigabitEthernet1/0/39
 switchport access vlan 29
!
interface GigabitEthernet1/0/40
 switchport access vlan 29
!
interface GigabitEthernet1/0/41
 switchport access vlan 29
!
interface GigabitEthernet1/0/42
!
interface GigabitEthernet1/0/43
 switchport access vlan 99
!
interface GigabitEthernet1/0/44
 switchport access vlan 99
!
interface GigabitEthernet1/0/45
 switchport access vlan 99
!
interface GigabitEthernet1/0/46
 switchport access vlan 99
!
interface GigabitEthernet1/0/47
!
interface GigabitEthernet1/0/48
!
interface GigabitEthernet1/0/49
!
interface GigabitEthernet1/0/50
!
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
!
interface Vlan1
 ip address 10.10.1.250 255.255.255.0
!
interface Vlan5
 no ip address
!
interface Vlan77
 no ip address
!
interface Vlan99
 no ip address
!
ip default-gateway 10.10.1.1
ip classless
no ip http server
!
!
!
control-plane
!

#sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/2, Gi1/0/3, Gi1/0/4
                                                Gi1/0/5, Gi1/0/6, Gi1/0/7
                                                Gi1/0/8, Gi1/0/9, Gi1/0/10
                                                Gi1/0/11, Gi1/0/12, Gi1/0/13
                                                Gi1/0/14, Gi1/0/15, Gi1/0/16
                                                Gi1/0/33, Gi1/0/34, Gi1/0/35
                                                Gi1/0/36, Gi1/0/37, Gi1/0/38
                                                Gi1/0/42, Gi1/0/47, Gi1/0/48
                                                Gi1/0/49, Gi1/0/50, Gi1/0/51
                                                Gi1/0/52
5    vMotion                          active    Gi1/0/28, Gi1/0/29, Gi1/0/30
                                                Gi1/0/31, Gi1/0/32
29   Colo Network                     active    Gi1/0/39, Gi1/0/40, Gi1/0/41
77   Management                       active    Gi1/0/17, Gi1/0/18, Gi1/0/19
                                                Gi1/0/20, Gi1/0/21, Gi1/0/22
                                                Gi1/0/23, Gi1/0/24, Gi1/0/25
                                                Gi1/0/26, Gi1/0/27
99   DMZ                              active    Gi1/0/43, Gi1/0/44, Gi1/0/45
                                                Gi1/0/46
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
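The "sh vlan" output above puts Gi1/0/15 in VLAN 1 while the servers sit in VLAN 99, which is the kind of mismatch Jon is chasing: a gateway in a different VLAN never sees the servers' ARP requests, even though the switch has learned its MAC. As an added example (not code from this thread), a small Python check that parses a constructed excerpt in the shape of the posted 3750G running-config and reports server ports that are not in the same access VLAN as the port the firewall's DMZ interface is patched into; the port names are the ones from the thread.

```python
import re

# Constructed excerpt in the shape of the posted 3750G running-config; it is
# not the thread's full output, only the ports relevant to the DMZ question.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/43
 switchport access vlan 99
!
interface GigabitEthernet1/0/44
 switchport access vlan 99
!
"""

def port_vlans(config):
    """Map each GigabitEthernet port to its VLAN from an IOS running-config.
    A port with no 'switchport access vlan' line is in VLAN 1 (the default,
    which is what 'sh vlan' shows for Gi1/0/15); a trunk is recorded as 'trunk'."""
    vlans, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (GigabitEthernet\S+)$", line)
        if m:
            current = m.group(1)
            vlans[current] = 1
        elif current and line == "switchport mode trunk":
            vlans[current] = "trunk"
        elif current and (m := re.match(r"switchport access vlan (\d+)$", line)):
            vlans[current] = int(m.group(1))
        elif line == "!":
            current = None
    return vlans

def dmz_mismatches(config, firewall_port, server_ports):
    """Return (server_port, server_vlan, firewall_vlan) for every server port
    whose access VLAN differs from that of the port carrying the firewall's
    DMZ interface. A non-empty result means server and gateway do not share a
    broadcast domain, so ARP for the gateway address cannot be answered."""
    vlans = port_vlans(config)
    fw_vlan = vlans[firewall_port]
    return [(p, vlans[p], fw_vlan) for p in server_ports if vlans[p] != fw_vlan]
```

Running dmz_mismatches on the excerpt with the DMZ interface on Gi1/0/15 flags both server ports; with the DMZ interface moved to Gi1/0/43, as the thread later does, it returns an empty list.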

Christopher

Your original post said that the DMZ interface was connected into the 3750 on interface 1/0/15. Have you changed this to be one of the 43/44/45 interfaces?

Also, can you remove the vlan access map config from your 3750 for vlan 99?

Jon

Sorry yes, it is now the 43 interface.

I have removed the vlan access-map.

Modified pix output:

hostname
domain-name
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0 standby 10.10.1.2
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 90
 ip address 10.10.2.1 255.255.255.0 standby 10.10.2.2
!
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 nameif management
 security-level 100
 ip address
 management-only
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
access-list acl_dmz extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
failover
failover lan unit secondary
failover lan interface state GigabitEthernet0/3
failover key *****
failover link state GigabitEthernet0/3
failover interface ip state 172.17.1.1 255.255.255.252 standby 172.17.1.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
access-group acl_outside in interface outside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 172.29.1.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
sysopt noproxyarp outside
sysopt noproxyarp inside
sysopt noproxyarp dmz
sysopt noproxyarp management
service resetoutside
prompt hostname context
: end

Christopher

Can you add to your config

"icmp permit any dmz"

You have an access-list on your pix for the dmz interface called acl_dmz, but the access-list only controls traffic that goes THROUGH the pix, not traffic with a destination address of the pix interface. To control icmp for that traffic you use the above command.

Jon

Thanks, have added that. Unfortunately the problem remains though.

Okay, this is a bit of a stubborn one. To recap:

1) You have now got "icmp permit any dmz" on your pix

2) Your servers have got 10.10.2.1 as their default-gateway.

3) The servers ip address is taken from the 10.10.2.x subnet and the subnet mask on the servers is 255.255.255.0

4) The server you are testing from and the pix dmz interface are connected into one of the gi1/0/43 - 46 interfaces on the 3750g.

If all of the above:

1) Ping the pix interface from a server and then check the arp caches on both the server and the pix. Do you see the mac-addresses in there ?

2) Have you tried to ping something on the inside of the pix from a server in the DMZ and vice-versa?

Other than that we may need to look at packet capture.

You said earlier in one of your replies

"1) that's correct, but no traffic reaches the dmz interface on the pix from the switch, it is not strictly icmp traffic that is the problem."

How have you verified that no traffic is reaching the DMZ interface?

Finally, can you confirm that the DMZ interface is up/up?

Jon
