packet loss for hosts in DMZ from inside

lv.brahmam
Level 1

Dear Friends,

I have configured pix 515 E with below ips

ip address outside x.x.x.x 255.255.255.192

ip address inside 192.168.68.21 255.255.255.0

ip address dmz 172.16.31.1 255.255.0.0

ip address dmz2 192.168.90.0 255.255.255.0

ip address dmz3 192.168.59.21 255.255.255.0

ip address state 10.0.0.1 255.255.255.248

The database servers reside in the dmz. If I try to access them from inside I frequently get "request timed out". Kindly let me know how to fix it.

Thanks

Brahmam

5 Replies

a.kiprawih
Level 7

Can you share the config, especially the static/nat/global/ACL portion? The problem can be anything, e.g. a misconfiguration.

AK

Thanks for your kind reply. Please find attached the configuration of my PIX and let me know if there are any misconfigurations.

For your config, I assumed the following databases are the ones you mentioned (failing) and that need to be accessed from the inside segment:

name 172.16.31.12 EGL_Database --> grouped under object-group GlobalDatabse in DMZ

name 172.16.31.10 Black_Database --> grouped under object-group GlobalDatabse in DMZ

Add "static (inside,dmz) 192.168.68.0 192.168.68.0 netmask 255.255.255.0" so that the access-list entry "access-list acl_in permit tcp any object-group GlobalDatabse eq sqlnet log" takes effect.

Let me know the outcome.

HTH

AK

Hi

Thanks, I hope it is already there in the config.

Kindly check below:

static (inside,dmz) FS_Technology FS_Technology dns netmask 255.255.255.0 0 0

name 192.168.68.0 FS_Technology

I am not sure why our people used 'dns' in the static command.

Rgds

Brahmam.

I think you do not need 'dns' there.

'dns' is needed only if the A record (address record) needs to be rewritten in the DNS replies that match the static command.

For DNS replies traversing from a mapped interface to a real interface, the A record is rewritten from the mapped value to the real value. Inversely, for DNS replies traversing from a real interface to a mapped interface, the A record is rewritten from the real value to the mapped value.

To keep your troubleshooting clean (no issues with names, etc.), use addresses instead of names. Also, test the ACL with one server at a time. See if access from inside to dmz works. Test whether both sides are reachable via ping/ICMP. Check the ACL hit count as well (use the 'show access-list acl_in' command).

access-list acl_in permit icmp any any --> allows ping for testing purposes only; remove it later.

access-list acl_in permit tcp any host 172.16.31.10 eq sqlnet log

static (inside,dmz) 192.168.68.0 192.168.68.0 netmask 255.255.255.0

Make sure you remove the following temporarily during testing:

name 172.16.31.12 EGL_Database

name 172.16.31.10 Black_Database

access-list acl_in permit tcp any object-group GlobalDatabse eq sqlnet log

See the outcome.

HTH

AK
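To make the two points in AK's advice concrete (under nat-control a flow from inside to dmz needs a translation on the (inside,dmz) interface pair and the ACL bound inbound on inside must permit it; and 'dns' on an identity static rewrites nothing, because mapped and real addresses are the same), here is an added Python model of that PIX behaviour. It is example code written for this page, not Cisco software and not the poster's configuration. The 'access-group acl_in in interface inside' line, the extra (dmz,outside) static using the documentation address 203.0.113.10, and the assumption that inside has a higher security level than dmz are all mine; the thread never shows them. Only identity/network statics and simple ACL entries are modelled, and nat/global pairs are not.

```python
"""Toy model of how a PIX 6.x handles 'static', 'access-list' and 'access-group'
for a flow from inside to dmz.  Added example, not Cisco code and not from the
thread.  It models only identity/network statics and simple ACL entries, and
assumes the PIX runs with nat-control (a translation is required) and that
'inside' has a higher security level than 'dmz'."""
import ipaddress

# Constructed config modelled on the thread.  The 'access-group' line and the
# (dmz,outside) static with 203.0.113.10 are assumptions the thread never shows.
SAMPLE_CONFIG = """\
name 192.168.68.0 FS_Technology
name 172.16.31.10 Black_Database
name 172.16.31.12 EGL_Database
static (inside,dmz) FS_Technology FS_Technology dns netmask 255.255.255.0 0 0
static (dmz,outside) 203.0.113.10 Black_Database dns netmask 255.255.255.255 0 0
access-list acl_in permit tcp any host Black_Database eq sqlnet log
access-list acl_in permit icmp any any
access-group acl_in in interface inside
"""

PORT_NAMES = {"sqlnet": 1521, "domain": 53, "www": 80, "https": 443}


def _take_addr(t, i, addr):
    """Parse an ACL address at t[i]: 'any', 'host X' or 'X MASK'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(addr(t[i + 1])), i + 2
    return ipaddress.ip_network(f"{addr(t[i])}/{t[i + 1]}", strict=False), i + 2


def parse_config(text):
    cfg = {"names": {}, "statics": [], "acls": {}, "bound": {}}

    def addr(tok):  # resolve a 'name' alias, else return the literal
        return cfg["names"].get(tok, tok)

    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":  # name <ip> <alias>
            cfg["names"][t[2]] = t[1]
        elif t[0] == "static":  # static (real_if,mapped_if) MAPPED REAL [dns] netmask MASK
            real_if, mapped_if = t[1].strip("()").split(",")
            mask = t[t.index("netmask") + 1]
            cfg["statics"].append({
                "real_if": real_if, "mapped_if": mapped_if, "dns": "dns" in t,
                "mapped": ipaddress.ip_network(f"{addr(t[2])}/{mask}", strict=False),
                "real": ipaddress.ip_network(f"{addr(t[3])}/{mask}", strict=False),
            })
        elif t[0] == "access-list":  # access-list NAME permit|deny PROTO SRC DST [eq PORT] [log]
            src, i = _take_addr(t, 4, addr)
            dst, i = _take_addr(t, i, addr)
            port = None
            if i < len(t) and t[i] == "eq":
                port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            cfg["acls"].setdefault(t[1], []).append(
                {"action": t[2], "proto": t[3], "src": src, "dst": dst, "port": port})
        elif t[0] == "access-group":  # access-group NAME in interface IFC
            cfg["bound"][t[4]] = t[1]
    return cfg


def check_flow(cfg, src_if, dst_if, src_ip, dst_ip, proto, dport=None):
    """Return (allowed, reasons) for a higher- to lower-security flow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    reasons = []
    # 1. nat-control: the source needs a static on this interface pair.
    if not any(s["real_if"] == src_if and s["mapped_if"] == dst_if and src in s["real"]
               for s in cfg["statics"]):
        reasons.append(f"no static ({src_if},{dst_if}) covers {src}")
    # 2. ACL bound inbound on the source interface: first match wins, implicit deny.
    #    With no ACL bound, higher-to-lower traffic passes by default.
    acl_name = cfg["bound"].get(src_if)
    if acl_name is not None:
        verdict = "deny (implicit)"
        for e in cfg["acls"][acl_name]:
            if e["proto"] in (proto, "ip") and src in e["src"] and dst in e["dst"] \
                    and (e["port"] is None or e["port"] == dport):
                verdict = e["action"]
                break
        if verdict != "permit":
            reasons.append(f"{acl_name}: {verdict}")
    return not reasons, reasons


def rewrite_a_record(cfg, from_if, to_if, answer):
    """A record as a 'dns' static rewrites it when the reply crosses from_if -> to_if."""
    ip = ipaddress.ip_address(answer)
    for s in cfg["statics"]:
        if not s["dns"]:
            continue
        if (from_if, to_if) == (s["mapped_if"], s["real_if"]) and ip in s["mapped"]:
            return str(s["real"].network_address + (int(ip) - int(s["mapped"].network_address)))
        if (from_if, to_if) == (s["real_if"], s["mapped_if"]) and ip in s["real"]:
            return str(s["mapped"].network_address + (int(ip) - int(s["real"].network_address)))
    return answer


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(check_flow(cfg, "inside", "dmz", "192.168.68.50", "172.16.31.10", "tcp", 1521))
    print(check_flow(cfg, "inside", "dmz", "192.168.68.50", "172.16.31.12", "tcp", 1521))
    print(check_flow(cfg, "inside", "dmz", "192.168.70.5", "172.16.31.10", "tcp", 1521))
    # identity static: 'dns' rewrites nothing; the (dmz,outside) static does
    print(rewrite_a_record(cfg, "dmz", "inside", "192.168.68.7"))
    print(rewrite_a_record(cfg, "outside", "dmz", "203.0.113.10"))
```

Run it as-is: the first flow (inside host to Black_Database on sqlnet) passes, the second fails on the ACL because EGL_Database is not in the single-server test ACL, and the third fails because 192.168.70.5 is outside the (inside,dmz) static. The last two lines show why 'dns' is pointless on the identity static: the A record comes back unchanged, whereas the (dmz,outside) static maps 203.0.113.10 back to 172.16.31.10.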
