Can't ping within the DMZ

I have a DMZ with a www server and an FTP server - I can't ping between the two. If I issue a ping I get one reply then 3 failures - if I wait about three minutes I can issue the ping again, get one reply, then the rest fail. I can ping the switch from the servers and I can ping from the switch to the servers. I have also tried to browse from one server to the other by \\10.10.5.x\c$ and I get "no network provider accepted the given network path".

I can access the inside network and outside network no problem. I have connected the two servers via a crossover and the ping worked great.

I'm stumped.

Thanks.

11 REPLIES

Re: Can't ping within the DMZ

Hi Jerry,

I can't tell you what the problem is because I'm not seeing it but... if you ping from one server to the other, do you see the traffic going through the firewall? You shouldn't be seeing this because both servers are on the same network.

So if you are not seeing this, it means that the problem is not the firewall. If you are seeing the traffic then I would advise you to review your subnets because this should not be happening.

Please post here when you find a solution to your problem. I'm curious :).

Thanks,

Paulo


Re: Can't ping within the DMZ

How can I check to see if the traffic is hitting the firewall?


Re: Can't ping within the DMZ

Hi,

There are two ways. Either you check the logs or you configure a packet capture on the firewall.

To check the logs, go into ASDM, under the Monitoring tab and click on Logging. Choose Debugging just to make sure you see everything. You should be able to filter the output by IP address/string.

To configure a capture, in the CLI do:

capture <name> interface <interface_name>

And then do show capture <name>

There are more twists to this, but that should be enough for you to see if the traffic is going to the firewall.

Regards,

Paulo
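The check Paulo describes (does same-subnet traffic show up in the firewall's log at all?) can be automated over a syslog export. The following is an added example, not code from this thread or from Cisco; it assumes the message formats quoted later in the thread and a constructed sample log, and flags any connection or no-route message whose two endpoints sit inside one directly connected subnet.

```python
import ipaddress
import re

# Constructed PIX syslog sample, modelled on the message formats quoted in this thread
# (not the original poster's actual log).
SAMPLE_LOG = """\
Jan 17 2008 19:22:05 : %PIX-6-302020: Built ICMP connection for faddr 10.10.5.7/512 gaddr 10.10.5.6/0 laddr 10.10.5.6/0
Jan 17 2008 19:22:05 : %PIX-6-110001: No route to 10.10.5.6 from 10.10.5.7
Jan 17 2008 19:22:09 : %PIX-6-302020: Built ICMP connection for faddr 172.16.1.64/512 gaddr 10.10.5.6/0 laddr 10.10.5.6/0
"""

MSG_ID_RE = re.compile(r"(%PIX-\d-\d{6})")
# 302020/302021: ICMP connection built/torn down; faddr is the initiator, laddr the real target.
CONN_RE = re.compile(r"faddr (\S+?)/\d+ gaddr \S+ laddr (\S+?)/\d+")
# 110001: the firewall was asked to forward a packet it has no route for.
NOROUTE_RE = re.compile(r"No route to (\S+) from (\S+)")

def extract_endpoints(line):
    """Return (src_ip, dst_ip) for connection and no-route messages, or None."""
    m = CONN_RE.search(line)
    if m:
        return m.group(1), m.group(2)
    m = NOROUTE_RE.search(line)
    if m:
        return m.group(2), m.group(1)
    return None

def hairpinned_flows(log_text, connected_subnets):
    """Flag log lines where both endpoints sit in one directly connected subnet.

    Hosts on one segment should reach each other at layer 2 without touching the
    firewall; if the firewall logs such a flow, something on the segment (proxy ARP
    in this thread) is pulling same-subnet traffic onto the firewall interface.
    Returns a list of (message_id, src, dst, subnet) tuples.
    """
    nets = [ipaddress.ip_network(s) for s in connected_subnets]
    hits = []
    for line in log_text.splitlines():
        endpoints = extract_endpoints(line)
        if endpoints is None:
            continue
        src, dst = (ipaddress.ip_address(ip) for ip in endpoints)
        msg = MSG_ID_RE.search(line)
        msg_id = msg.group(1) if msg else "?"
        for net in nets:
            if src in net and dst in net:
                hits.append((msg_id, str(src), str(dst), str(net)))
    return hits
```

Run it with the DMZ subnet as the connected-subnet list; an empty result means the firewall never saw the intra-DMZ traffic and the problem lies elsewhere.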


Re: Can't ping within the DMZ

I ran a logging buffered debug on the PIX - I am pinging from 10.10.5.7 to 10.10.5.6.

Jan 17 2008 19:22:05 : %PIX-6-609001: Built local-host inside:10.10.5.6

Jan 17 2008 19:22:05 : %PIX-6-302020: Built ICMP connection for faddr 10.10.5.7/512 gaddr 10.10.5.6/0 laddr 10.10.5.6/0

Jan 17 2008 19:22:05 : %PIX-6-110001: No route to 10.10.5.6 from 10.10.5.7

Jan 17 2008 19:22:08 : %PIX-6-302021: Teardown ICMP connection for faddr 10.10.5.7/512 gaddr 10.10.5.6/0 laddr 10.10.5.6/0

Jan 17 2008 19:22:08 : %PIX-6-609002: Teardown local-host inside:10.10.5.6 duration 0:00:02

From a debug icmp trace I get this - on the same PIX. I didn't get the replies on the 10.10.5.7 server but this says I did.

ICMP echo reply (len 32 id 512 seq 22785) 10.10.5.6 > 10.10.5.7

ICMP echo reply (len 32 id 512 seq 23041) 10.10.5.6 > 10.10.5.7

ICMP echo reply (len 32 id 512 seq 23297) 10.10.5.6 > 10.10.5.7

Could this be related to NAT?


Re: Can't ping within the DMZ

Here is a copy of the PIX running config.


Re: Can't ping within the DMZ

Hopefully this will help - I did a debug arp on the PIX.

arp-in: request at DMZ1 from 10.10.5.7 0006.5b3c.8901 for 10.10.5.6 0000.0000.0000

arp-in: rqst for me from 10.10.5.7 for 10.10.5.6, on DMZ1

arp-set: added arp DMZ1 10.10.5.7 0006.5b3c.8901 and updating NPs at -772732892

arp-in: generating reply from 10.10.5.6 0005.5d18.fffb to 10.10.5.7 0006.5b3c.8901


Re: Can't ping within the DMZ

Hi Jerry,

This is definitely not a problem with the firewall. These two IP addresses are both on the same subnet so the traffic should not be going through the firewall!

Check your switch/VLAN configuration and review why the traffic is going to the firewall and not directly to the host.

HTH,

Paulo


Re: Can't ping within the DMZ

I plan to do a write erase on that switch Monday night. I attached the switch config.

I just ran this on the DMZ switch.

The first ping is my laptop to the DMZ switch - the second is one of the servers in the DMZ to the switch.

NOC-DMZ1-2950# debug ip icmp

ICMP packet debugging is on

NOC-DMZ1-2950#term mon

NOC-DMZ1-2950#undebug all

000302: *May 31 00:15:38.966: ICMP: echo reply sent, src 10.10.5.5, dst 172.16.1.64

000303: *May 31 00:15:39.966: ICMP: echo reply sent, src 10.10.5.5, dst 172.16.1.64

000304: *May 31 00:15:40.966: ICMP: echo reply sent, src 10.10.5.5, dst 172.16.1.64

000305: *May 31 00:15:41.966: ICMP: echo reply sent, src 10.10.5.5, dst 172.16.1.64

All possible debugging has been turned off

NOC-DMZ1-2950#term mon

NOC-DMZ1-2950# debug ip icmp

ICMP packet debugging is on

NOC-DMZ1-2950#

000306: *May 31 00:17:28.494: ICMP: echo reply sent, src 10.10.5.5, dst 10.10.5.7

000307: *May 31 00:17:29.494: ICMP: echo reply sent, src 10.10.5.5, dst 10.10.5.7

000308: *May 31 00:17:30.494: ICMP: echo reply sent, src 10.10.5.5, dst 10.10.5.7

NOC-DMZ1-2950#undebug all

All possible debugging has been turned off

NOC-DMZ1-2950#

Thanks.


Re: Can't ping within the DMZ

I got the two servers to ping each other by entering static ARP entries in each of the DMZ servers.

Does this mean the switch isn't processing the ARP request properly?


Re: Can't ping within the DMZ

If I look at the ARP table on one of the servers it shows all other servers have the DMZ interface MAC as their MAC also.


Re: Can't ping within the DMZ

I had to disable proxy ARP on the DMZ interface to make it work.

PIX(config)# sysopt noproxyarp DMZ1

Thanks for everyone's input to help resolve this issue!!!!!!!!!
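The symptom that gave the problem away was an ARP cache in which several neighbours all carried the firewall's DMZ interface MAC. The following is an added example, not code from this thread or from Cisco, that turns that observation into a repeatable check over an "arp -a" dump: it assumes a constructed ARP table, takes the firewall MAC 0005.5d18.fffb seen in the ARP debug above, and treats 10.10.5.1 as the firewall's own DMZ address (an assumption; the thread does not give it).

```python
import re
from collections import defaultdict

# Constructed sample of a Windows "arp -a" dump from a DMZ host (not from the thread).
# The MAC 00-05-5d-18-ff-fb is the PIX DMZ1 interface MAC seen in the ARP debug above;
# the IPs and other MACs are made up for the example.
SAMPLE_ARP_A = """\
Interface: 10.10.5.7 --- 0x2
  Internet Address      Physical Address      Type
  10.10.5.1             00-05-5d-18-ff-fb     dynamic
  10.10.5.5             00-0a-8a-12-34-56     dynamic
  10.10.5.6             00-05-5d-18-ff-fb     dynamic
  10.10.5.9             00-05-5d-18-ff-fb     dynamic
"""

ARP_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f:.\-]{12,17})\s+\w+", re.I)

def normalize_mac(mac):
    """Accept 00-05-5d-18-ff-fb, 00:05:5d:18:ff:fb or Cisco 0005.5d18.fffb; return aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def parse_arp_table(text):
    """Return {ip: mac} from arp -a style output, MACs normalised."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table

def hosts_answered_by(table, firewall_mac, firewall_ip=None):
    """IPs in the cache that resolve to the firewall interface MAC (excluding the
    firewall's own IP). On a flat DMZ every host should answer ARP with its own NIC;
    neighbours mapped to the firewall MAC mean proxy ARP is answering for them and
    same-subnet traffic is being hairpinned through the firewall."""
    want = normalize_mac(firewall_mac)
    return sorted(ip for ip, mac in table.items() if mac == want and ip != firewall_ip)

def shared_mac_groups(table):
    """Generic check when the firewall MAC is not known up front:
    every MAC that appears for more than one IP, as {mac: [ips]}."""
    groups = defaultdict(list)
    for ip, mac in table.items():
        groups[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in groups.items() if len(ips) > 1}
```

After applying sysopt noproxyarp on the interface and clearing the hosts' ARP caches, re-running the check should return an empty list.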
