Weird firewall behavior is driving me mad

Unanswered Question
Jul 1st, 2009

Hi folks, I have a PIX 525 firewall which is behaving completely weirdly.

The device is running the PIX Appliance software 8.0(4), and the problem is that some hosts from the inside can reach a server in the DMZ and others can't, despite the static NAT from the inside to the DMZ (with their own addresses) being declared with a netmask that covers all hosts.

1) I have sanity-checked that no firewall is running on the server.

2) The ACL permitting traffic from the DMZ is good.

3) I installed Wireshark on the server, and it receives and responds to the packets, but the host on the inside side does not receive the answer to the ping that it sent.


I also ran packet-tracer, and the tested traffic flow passed smoothly.

I also ran a packet capture to see if some of the packets were dropped, and nothing appears.

If someone in this forum knows that this version has a bug that makes the firewall behave abnormally, please let me know. Or if you have another suggestion, or if you want to see the configuration, please let me know.

Thanks.

Kureli Sankar Wed, 07/01/2009 - 19:28

Do you have inspect icmp enabled?

Issue "sh run policy-map" and see if it is. If not, please enable that.

So some inside hosts receive the ICMP response from this same DMZ server while others do not?

Since you are running 8.x code, you can do captures on the ASA and see if the packets arrive on the DMZ interface and if they are sent out of the inside interface.

cap capin int inside match icmp any host 10.10.10.1

cap capdmz int dmz match icmp any host 10.10.10.1

Do a test ping from the inside host 10.10.10.1 to the DMZ server and see what the captures show:

sh cap capin

sh cap capdmz

You can refer to this link for further capture help.

http://supportwiki.cisco.com/ViewWiki/index.php/Packet_capture
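What the "inspect icmp" check in the reply looks like in practice, as an added example that is not part of the original thread: the default PIX/ASA 8.0 global policy as it appears when ICMP inspection is missing, beside the same policy with it enabled, followed by the capture comparison the reply describes. The policy-map and class-map names are the platform defaults; the host address 10.10.10.1 and the capture names are taken from the reply.

```cisco
! --- Weak setting: "show run policy-map" with no ICMP inspection ---
! Without it the PIX does not track echo request/reply as one flow, so the
! reply coming back from the DMZ is only admitted if an ACL on dmz allows it.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect sqlnet
  inspect netbios
  inspect tftp

! --- Corrected setting: add inspect icmp to the default class ---
! Re-entering the policy-map and class appends the inspect line in place.
configure terminal
policy-map global_policy
 class inspection_default
  inspect icmp
end

! Confirm the policy is applied globally and the inspection is active.
show run service-policy
show service-policy inspect icmp

! --- Capture comparison (commands from the reply) ---
capture capin interface inside match icmp any host 10.10.10.1
capture capdmz interface dmz match icmp any host 10.10.10.1
! Ping 10.10.10.1 -> DMZ server, then read both captures.
show capture capin
show capture capdmz
! Expected when healthy: echo request on both, echo reply on both.
! Reply visible in capdmz but missing from capin: the PIX dropped it;
! "show asp drop" lists the accelerated-path drop reason counters.
show asp drop
! Clean up when done.
no capture capin
no capture capdmz
```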


