12-02-2006 10:47 PM - edited 03-11-2019 02:03 AM
Dear Friends,
I have configured a PIX 515E with the IPs below:
ip address outside x.x.x.x 255.255.255.192
ip address inside 192.168.68.21 255.255.255.0
ip address dmz 172.16.31.1 255.255.0.0
ip address dmz2 192.168.90.0 255.255.255.0
ip address dmz3 192.168.59.21 255.255.255.0
ip address state 10.0.0.1 255.255.255.248
The database servers reside in the dmz; when I try to access them from inside, I am getting "request timed out" frequently. Kindly let me know how to fix this.
Thanks
Brahmam
12-03-2006 04:34 PM
Can you share the config, especially the static/nat/global/ACL portion? The problem can be anything, i.e. a misconfiguration.
AK
12-03-2006 08:13 PM
12-03-2006 10:04 PM
For your config, I assumed the following databases are the ones you mentioned (failed) and need to be accessed from the inside segment:
name 172.16.31.12 EGL_Database ------> group under GlobalDatabse in DMZ
name 172.16.31.10 Black_Database ----> group under GlobalDatabse in DMZ
Add "static (inside,dmz) 192.168.68.0 192.168.68.0 netmask 255.255.255.0" before the access-list "access-list acl_in permit tcp any object-group GlobalDatabse eq sqlnet log" for it to take effect.
Let me know the outcome.
HTH
AK
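The reply above rests on one rule: the inside-to-dmz flow needs a translation covering the source (an identity static supplies one without changing the address) and, separately, an ACL entry that permits it. The following is an added example written for this page, not code or configuration from the thread: a small Python model of that rule that parses `name`, `object-group`, `static` and `access-list` lines and reports, for a given flow, whether a static covers the source and whether the ACL permits it. The config fragment is constructed to resemble the thread's (the `object-group network GlobalDatabse` membership is assumed), and the model is deliberately simplified: it handles only the address forms shown in the thread and first-match ACL evaluation.

```python
import ipaddress
import re

# Constructed config fragment modelled on the thread; the object-group membership is assumed.
CONFIG = """
name 172.16.31.12 EGL_Database
name 172.16.31.10 Black_Database
name 192.168.68.0 FS_Technology
object-group network GlobalDatabse
 network-object host EGL_Database
 network-object host Black_Database
static (inside,dmz) FS_Technology FS_Technology dns netmask 255.255.255.0 0 0
access-list acl_in permit tcp any object-group GlobalDatabse eq sqlnet log
"""
# Same fragment with the static removed, to show what the ACL alone buys you.
CONFIG_NO_STATIC = "\n".join(l for l in CONFIG.splitlines() if not l.startswith("static"))

SERVICE_PORTS = {"sqlnet": 1521, "www": 80, "https": 443}  # subset of PIX service keywords

STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+)(?: dns)? netmask (\S+)")


def parse_config(text):
    """Collect names, network object-groups, statics and ACL lines from a config fragment."""
    names, groups, statics, acls = {}, {}, [], []
    group = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] != "network-object":
            group = None  # any other line ends the object-group body
        if tok[0] == "name":
            names[tok[2]] = tok[1]
        elif tok[:2] == ["object-group", "network"]:
            group = groups.setdefault(tok[2], set())
        elif tok[:2] == ["network-object", "host"] and group is not None:
            group.add(tok[2])
        elif tok[0] == "static":
            m = STATIC_RE.match(raw.strip())
            if m:  # (real_if, mapped_if, mapped_addr, real_addr, netmask)
                statics.append(m.groups())
        elif tok[0] == "access-list":
            acls.append(tok)
    return names, groups, statics, acls


def resolve(token, names):
    """Replace a 'name' alias with its address, as the PIX does before matching."""
    return names.get(token, token)


def take_addr(tok, i, names, groups):
    """Consume one ACL address spec at tok[i]; return (match predicate, next index)."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    if tok[i] == "host":
        target = ipaddress.ip_address(resolve(tok[i + 1], names))
        return (lambda ip: ip == target), i + 2
    if tok[i] == "object-group":
        members = {ipaddress.ip_address(resolve(h, names)) for h in groups[tok[i + 1]]}
        return (lambda ip: ip in members), i + 2
    net = ipaddress.ip_network(f"{resolve(tok[i], names)}/{tok[i + 1]}", strict=False)
    return (lambda ip: ip in net), i + 2


def evaluate(config, src, dst, proto, port, real_if="inside", mapped_if="dmz", acl="acl_in"):
    """Does a static (real_if,mapped_if) cover src, and does the ACL permit src->dst:port?"""
    names, groups, statics, acls = parse_config(config)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    translated = any(
        r_if == real_if and m_if == mapped_if
        and src_ip in ipaddress.ip_network(f"{resolve(real, names)}/{mask}", strict=False)
        for r_if, m_if, _mapped, real, mask in statics
    )
    permitted = False
    for tok in acls:
        if tok[1] != acl or tok[3] not in (proto, "ip"):
            continue
        src_ok, i = take_addr(tok, 4, names, groups)
        dst_ok, i = take_addr(tok, i, names, groups)
        port_ok = True
        if i < len(tok) and tok[i] == "eq":
            port_ok = port == int(SERVICE_PORTS.get(tok[i + 1], tok[i + 1]))
        if src_ok(src_ip) and dst_ok(dst_ip) and port_ok:
            permitted = tok[2] == "permit"
            break  # first matching entry decides
    return {"translated": translated, "permitted": permitted, "passes": translated and permitted}


if __name__ == "__main__":
    print(evaluate(CONFIG, "192.168.68.50", "172.16.31.10", "tcp", 1521))
    print(evaluate(CONFIG_NO_STATIC, "192.168.68.50", "172.16.31.10", "tcp", 1521))
```

Running it with the static present reports both conditions met; with the static removed the ACL still matches but the flow is reported as not passing, which is the situation the reply above is guarding against. The source address 192.168.68.50 is a constructed inside host.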
12-03-2006 11:05 PM
Hi
Thanks, I hope it's already there in the config.
Kindly check below:
static (inside,dmz) FS_Technology FS_Technology dns netmask 255.255.255.0 0 0
name 192.168.68.0 FS_Technology
I am not sure why our people used dns in the static command.
Rgds
Brahmam.
12-04-2006 12:00 AM
I think you do not need 'dns' there.
DNS is needed only if the A record (address record) needs to be rewritten in the DNS replies that match the static command.
For DNS replies traversing from a mapped interface to a real interface, the A record is rewritten from the mapped value to the real value. Inversely, for DNS replies traversing from a real interface to a mapped interface, the A record is rewritten from the real value to the mapped value.
To make your troubleshooting clean (no issues with names, etc.), use addresses instead of names. Also, test the ACL with one server at a time. See if access from inside to dmz works. Test if both sides are reachable via ping/ICMP. Check the ACL hit count as well (use the 'show access-list acl_in' command).
access-list acl_in permit icmp any any --> allow ping for testing purposes only, remove later.
access-list acl_in permit tcp any host 172.16.31.10 eq sqlnet log
static (inside,dmz) 192.168.68.0 192.168.68.0 netmask 255.255.255.0
Make sure you remove the following temporarily during testing:
name 172.16.31.12 EGL_Database
name 172.16.31.10 Black_Database
access-list acl_in permit tcp any object-group GlobalDatabse eq sqlnet log
See the outcome.
HTH
AK
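The A-record rewrite described in the reply above (mapped-to-real on replies entering from the mapped interface, real-to-mapped in the other direction) is easy to get wrong in one's head. The following is an added example written for this page, not code from the thread or from Cisco: a Python implementation of that rewrite over a constructed DNS reply. It walks the question and resource-record sections, handling compressed names, and rewrites only A records whose address falls inside the static's network, preserving the host bits so it works for both host and /24 statics. The query name `db.example.test` and the mapped address 192.0.2.10 are assumptions; the identity case uses the thread's own 192.168.68.0/24 static to show why `dns` changes nothing there.

```python
import ipaddress
import struct


def _skip_name(buf, off):
    """Advance past a DNS name at off, whether written out or ended by a compression pointer."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def _encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_response(qname, answers, txid=0x1234, ttl=300):
    """Constructed DNS reply (not a capture) with one A record per address in answers."""
    packet = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    packet += _encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    for ip in answers:
        # 0xC00C: pointer back to the question name at offset 12
        packet += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return packet


def _a_record_offsets(buf):
    """Yield the rdata offset of every A record in the answer, authority and additional sections."""
    qd, an, ns, ar = struct.unpack("!HHHH", buf[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off
        off += rdlen


def a_records(packet):
    """Addresses of all A records in the reply, in wire order."""
    return [str(ipaddress.IPv4Address(bytes(packet[o:o + 4]))) for o in _a_record_offsets(packet)]


def rewrite_a_records(packet, mapped, real, netmask, from_mapped_interface):
    """Apply the static's 'dns' semantics to a reply; returns (new packet, records changed).

    from_mapped_interface=True: reply crosses mapped -> real, so mapped values become real.
    from_mapped_interface=False: reply crosses real -> mapped, so real values become mapped.
    """
    mapped_net = ipaddress.ip_network(f"{mapped}/{netmask}", strict=False)
    real_net = ipaddress.ip_network(f"{real}/{netmask}", strict=False)
    old, new = (mapped_net, real_net) if from_mapped_interface else (real_net, mapped_net)
    buf = bytearray(packet)
    changed = 0
    for off in _a_record_offsets(buf):
        addr = ipaddress.IPv4Address(bytes(buf[off:off + 4]))
        if addr in old:
            new_addr = new.network_address + (int(addr) - int(old.network_address))
            if new_addr != addr:  # identity static: nothing to rewrite
                buf[off:off + 4] = new_addr.packed
                changed += 1
    return bytes(buf), changed


if __name__ == "__main__":
    reply = build_response("db.example.test", ["192.0.2.10"])
    fixed, n = rewrite_a_records(reply, "192.0.2.10", "172.16.31.10", "255.255.255.255", True)
    print(a_records(reply), "->", a_records(fixed), n)
```

With a host static mapping 172.16.31.10 to 192.0.2.10, a reply carrying 192.0.2.10 and entering from the mapped side comes out carrying 172.16.31.10; the identity static from the thread leaves every record untouched, which is the practical reason the `dns` keyword is harmless but useless there.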