packet loss for hosts in DMZ from inside

Unanswered Question
Dec 2nd, 2006

Dear Friends,


I have configured a PIX 515E with the IPs below:

ip address outside x.x.x.x 255.255.255.192
ip address inside 192.168.68.21 255.255.255.0
ip address dmz 172.16.31.1 255.255.0.0
ip address dmz2 192.168.90.0 255.255.255.0
ip address dmz3 192.168.59.21 255.255.255.0
ip address state 10.0.0.1 255.255.255.248

Database servers reside in the DMZ; if I am trying to access them from inside I am getting request timed outs frequently. Kindly let me know how to fix.


Thanks

Brahmam


a.kiprawih Sun, 12/03/2006 - 16:34

Can you share the config, especially the static/nat/global/ACL portion? The problem can be anything, i.e. a misconfiguration.


AK

lv.brahmam Sun, 12/03/2006 - 20:13

Thanks for your kind reply, find the attachment for the configuration of my PIX and let me know if there are any misconfigurations... pls
a.kiprawih Sun, 12/03/2006 - 22:04

From your config, I assumed the following databases are the ones you mentioned (failed) and need to be accessed from the inside segment:

name 172.16.31.12 EGL_Database ------> grouped under GlobalDatabse in DMZ
name 172.16.31.10 Black_Database ----> grouped under GlobalDatabse in DMZ

Add "static (inside,dmz) 192.168.68.0 192.168.68.0 netmask 255.255.255.0" so that the access-list "access-list acl_in permit tcp any object-group GlobalDatabse eq sqlnet log" takes effect.


Let me know the outcome.


HTH

AK

lv.brahmam Sun, 12/03/2006 - 23:05

Hi

Thanks, I hope it's already there in the config.

Kindly check below:

static (inside,dmz) FS_Technology FS_Technology dns netmask 255.255.255.0 0 0
name 192.168.68.0 FS_Technology

I am not sure why our people used dns in the static command.


Rgds

Brahmam.

a.kiprawih Mon, 12/04/2006 - 00:00

I think you do not need 'dns' there.

DNS is needed only if the A record (address record) needs to be rewritten in the DNS replies that match the static command.

For DNS replies traversing from a mapped interface to a real interface, the A record is rewritten from the mapped value to the real value. Conversely, for DNS replies traversing from a real interface to a mapped interface, the A record is rewritten from the real value to the mapped value.

To make your troubleshooting clean (no issues with names, etc.), use addresses instead of names. Also, test the ACL with one server at a time. See if the access from inside to dmz works. Test if both sides are reachable via ping/icmp. Check the ACL hit count as well (use the 'sh access-list acl_in' command).

access-list acl_in permit icmp any any --> allow ping for testing purposes only, remove later.
access-list acl_in permit tcp any host 172.16.31.10 eq sqlnet log

static (inside,dmz) 192.168.68.0 192.168.68.0 netmask 255.255.255.0

Make sure you remove the following temporarily during testing:

name 172.16.31.12 EGL_Database
name 172.16.31.10 Black_Database
access-list acl_in permit tcp any object-group GlobalDatabse eq sqlnet log


See the outcome.


HTH

AK
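As an added check (not from any participant in this thread), the script below reads a PIX-style config fragment, resolves `name` aliases to addresses, and reports whether an identity static between two interfaces covers a given inside host and whether that static carries the `dns` keyword the thread questions. The config lines are constructed from the ones quoted above; the regex assumes the basic `static (real_if,mapped_if) mapped real [dns] netmask mask` form and nothing else.

```python
import ipaddress
import re

# Constructed sample config, modelled on the name/static/access-list lines quoted in this thread.
SAMPLE_CONFIG = """
name 192.168.68.0 FS_Technology
name 172.16.31.10 Black_Database
static (inside,dmz) FS_Technology FS_Technology dns netmask 255.255.255.0 0 0
access-list acl_in permit tcp any host Black_Database eq sqlnet log
""".strip().splitlines()

# Basic static form only: static (real_if,mapped_if) mapped real [dns] netmask mask [max_conns [em_limit]]
STATIC_RE = re.compile(
    r"static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)(\s+dns)?\s+netmask\s+(\S+)"
)

def resolve_names(lines):
    """Build alias -> address from 'name <address> <alias>' lines."""
    names = {}
    for line in lines:
        m = re.match(r"name\s+(\S+)\s+(\S+)", line)
        if m:
            names[m.group(2)] = m.group(1)
    return names

def parse_statics(lines):
    """Parse static lines, resolving name aliases so checks run on addresses, not labels."""
    names = resolve_names(lines)
    statics = []
    for line in lines:
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, mapped, real, dns, mask = m.groups()
            statics.append({
                "real_if": real_if, "mapped_if": mapped_if,
                "mapped": names.get(mapped, mapped), "real": names.get(real, real),
                "dns": dns is not None, "mask": mask,
            })
    return statics

def identity_static_for(statics, real_if, mapped_if, host):
    """Return the identity static (mapped == real) between the interfaces covering host, else None."""
    addr = ipaddress.ip_address(host)
    for s in statics:
        if (s["real_if"], s["mapped_if"]) != (real_if, mapped_if) or s["mapped"] != s["real"]:
            continue
        if addr in ipaddress.ip_network(f"{s['real']}/{s['mask']}", strict=False):
            return s
    return None

if __name__ == "__main__":
    print(identity_static_for(parse_statics(SAMPLE_CONFIG), "inside", "dmz", "192.168.68.21"))
```

A `None` result for an inside host means the firewall has no translation for that host toward dmz, which is the condition AK's suggested static addresses; a hit with `"dns": True` is the line the thread says can lose the keyword.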
