PIX DMZ traceroute problem

Unanswered Question
Mar 22nd, 2009
PIX config:

hostname ASA5520
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 202.101.2.X 255.255.255.248
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 172.10.1.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_server extended permit tcp any host 202.101.2.Y
access-list outside_access_server extended permit icmp any any
access-list dmz_access_inside extended permit ip any any
access-list dmz_access_inside extended permit icmp any any
access-list dmz_access_inside extended permit ip any any
access-list inside-accesss-dmz extended permit icmp any any
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any dmz
icmp permit any inside
global (outside) 1 interface
nat (inside) 1 172.10.1.0 255.255.255.0 tcp 400 300
static (dmz,outside) 202.101.2.Y 192.168.1.10 netmask 255.255.255.255 dns
static (inside,dmz) 172.10.1.0 172.10.1.0 netmask 255.255.255.0
access-group outside_access_server in interface outside
access-group dmz_access_inside in interface dmz
access-group inside-accesss-dmz out interface dmz
route outside 0.0.0.0 0.0.0.0 202.101.X.X
timeout xlate 8:00:00
timeout conn 24:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:00:00 absolute uauth 3:00:00 inactivity
!
!
class-map tcp_allow
 match access-list acl_tcp
class-map type regex match-any testhttp
class-map down
 match access-list download
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map down
 class down
  police input 2048000 512000
  police output 2048000 512000
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
policy-map tcppolicy
 class tcp_allow
  set connection advanced-options conform_tcp
!
service-policy global_policy global
service-policy tcppolicy interface outside

Problem description:

1. Inside client can traceroute to the Internet.
2. Inside client can traceroute to the DMZ server.
3. DMZ server cannot traceroute to the Internet or to the inside client.

ex_pmadayag Mon, 03/23/2009 - 09:12
1.) DMZ to client communication:

I could only see a translation for the 172.10.1.0 network:

static (inside,dmz) 172.10.1.0 172.10.1.0 netmask 255.255.255.0

You also need to have a translation for the 192.168.1.x network. Then do a clear xlate.

2.) DMZ server to Internet

Can the DMZ server reach the gateway defined in this line?

route outside 0.0.0.0 0.0.0.0 202.101.X.X

If you enable debugs, what do you see?
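The reply's first check (which networks have a translation toward which interface) can be done mechanically. The following is an added example, not code from the thread: it parses the nat/static/global lines of a PIX 7.x-style config and lists, for a host behind one interface, the rules that translate its connections toward another interface. The config excerpt is constructed from the one posted above, with the 202.101.2.Y placeholder replaced by a documentation address (203.0.113.7) so the line parses.

```python
import ipaddress
import re

# Constructed excerpt of the nat/static/global lines posted above; the
# 202.101.2.Y placeholder is replaced with a documentation address (203.0.113.7).
CONFIG = """
global (outside) 1 interface
nat (inside) 1 172.10.1.0 255.255.255.0 tcp 400 300
static (dmz,outside) 203.0.113.7 192.168.1.10 netmask 255.255.255.255 dns
static (inside,dmz) 172.10.1.0 172.10.1.0 netmask 255.255.255.0
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) \S+ (\S+) netmask (\S+)")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+)")


def parse_translations(config):
    """Return (from_if, to_if, real_network, rule) tuples: one per translation
    whose real (local) side is a network behind from_if, usable toward to_if.
    Reaching a static's mapped address from its mapped side is not modeled."""
    rules, nats, globals_by_id = [], [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            real_if, mapped_if, real, mask = m.groups()
            net = ipaddress.IPv4Network(f"{real}/{mask}", strict=False)
            rules.append((real_if, mapped_if, net, line))
        elif m := NAT_RE.match(line):
            nats.append(m.groups())  # (nat_if, id, network, mask)
        elif m := GLOBAL_RE.match(line):
            globals_by_id.setdefault(m.group(2), []).append(m.group(1))
    # nat (X) N pairs with every global (Y) N: dynamic NAT/PAT from X toward Y.
    for nat_if, nat_id, net, mask in nats:
        network = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        for global_if in globals_by_id.get(nat_id, []):
            rules.append((nat_if, global_if, network,
                          f"nat ({nat_if}) {nat_id} + global ({global_if}) {nat_id}"))
    return rules


def translations_for(config, from_if, host, to_if):
    """Rules that translate connections from host (behind from_if) toward to_if."""
    addr = ipaddress.IPv4Address(host)
    return [rule for s, d, net, rule in parse_translations(config)
            if s == from_if and d == to_if and addr in net]


if __name__ == "__main__":
    # The DMZ server has a translation toward outside but none toward inside.
    for path in [("dmz", "192.168.1.10", "outside"), ("dmz", "192.168.1.10", "inside")]:
        print(path, translations_for(CONFIG, *path) or "NO TRANSLATION")
```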