New Member

Connectivity issue PIX

Hello,

I have a PIX firewall with inside, outside, dmz1 and dmz2 interface.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security80
nameif ethernet3 dmz2 security70

I can run icmp echo requests from inside to dmz1 and dmz2 fine. However, I can't run icmp echo requests from dmz1 to dmz2, but if I run an icmp echo request from dmz2 to dmz1, afterwards I can run icmp echo requests from dmz1 to dmz2.

It seems like an ARP issue, but I don't know. What could be happening?

Thanks, best regards.

6 REPLIES
Hall of Fame Super Blue

It sounds like a static NAT issue. Can you post your config?

Jon

New Member

Hello Jon,

The config is the following:

nat (inside) 0 192.168.0.0 255.255.0.0 0 0
nat (dmz1) 0 192.168.1.0 255.255.255.0 0 0
nat (dmz2) 0 192.168.2.0 255.255.255.0 0 0
static (inside,dmz2) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
static (dmz1,dmz2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
access-list dmz1 permit tcp any any
access-list dmz1 permit udp any any
access-list dmz2 permit icmp any any
access-list dmz2 permit tcp any any
access-list dmz2 permit udp any any

I don't know what's happening, but I can't run icmp echo requests from 192.168.2.0 to 192.168.1.0. Do I have to configure something else?
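As an added example (not from the thread), the following Python model applies the usual PIX 6.x rules for the first packet of a flow to the nat/static/access-list lines posted above: higher-to-lower traffic needs any translation for the source, lower-to-higher traffic needs a static mapping the destination onto the source interface plus an inbound access-list permit. It assumes that access-list dmz1 and dmz2 are bound inbound to their interfaces and that no icmp inspection is configured (neither appears in the posted config).

```python
# Added example, not from the thread: simplified model of the PIX 6.x
# checks applied to the first packet of a flow between two interfaces,
# populated with the nameif/nat/static/access-list lines posted above.
# Assumptions (not shown in the thread): access-list dmz1/dmz2 are bound
# inbound to their interfaces; no icmp inspection, so only the initial
# packet is considered.
import ipaddress

SECURITY = {"outside": 0, "inside": 100, "dmz1": 80, "dmz2": 70}

# static (real_if,mapped_if) mapped real netmask ... (identity statics)
STATICS = [("inside", "dmz2", "192.168.0.0/24"),
           ("dmz1", "dmz2", "192.168.1.0/24")]
# nat (if) 0 net mask: identity NAT, usable only for traffic leaving toward
# a lower-security interface (not NAT exemption, which needs an access-list)
NAT0 = {"inside": "192.168.0.0/16", "dmz1": "192.168.1.0/24",
        "dmz2": "192.168.2.0/24"}
# protocols permitted by each inbound access-list (binding assumed above)
ACLS = {"dmz1": {"tcp", "udp"}, "dmz2": {"icmp", "tcp", "udp"}}


def static_for(real_if, mapped_if, real_ip):
    """True if real_ip on real_if is statically mapped onto mapped_if."""
    ip = ipaddress.ip_address(real_ip)
    return any(r == real_if and m == mapped_if and ip in ipaddress.ip_network(net)
               for r, m, net in STATICS)


def in_nat0(iface, ip):
    return iface in NAT0 and ipaddress.ip_address(ip) in ipaddress.ip_network(NAT0[iface])


def flow_allowed(src_if, dst_if, src_ip, dst_ip, proto):
    """Return (allowed, reasons) for the first packet src_if -> dst_if."""
    reasons = []
    if SECURITY[src_if] > SECURITY[dst_if]:
        # high -> low: the source only needs some translation toward dst_if
        if not (static_for(src_if, dst_if, src_ip) or in_nat0(src_if, src_ip)):
            reasons.append("no translation for %s from %s to %s" % (src_ip, src_if, dst_if))
    else:
        # low -> high: destination must be statically mapped onto src_if and
        # the inbound access-list on src_if must permit the protocol
        if not static_for(dst_if, src_if, dst_ip):
            reasons.append("no static (%s,%s) covering %s" % (dst_if, src_if, dst_ip))
        if proto not in ACLS.get(src_if, set()):
            reasons.append("access-list %s does not permit %s" % (src_if, proto))
    return not reasons, reasons


if __name__ == "__main__":
    for flow in [("dmz2", "dmz1", "192.168.2.10", "192.168.1.10", "icmp"),
                 ("dmz1", "inside", "192.168.1.10", "192.168.0.10", "icmp")]:
        print(flow[0], "->", flow[1], flow_allowed(*flow))
```

With the posted lines, both dmz1/dmz2 directions pass for icmp, while dmz1 to inside fails on two counts (no static (inside,dmz1) and no icmp permit in access-list dmz1), which is the kind of gap a missing static produces.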

Hall of Fame Super Blue

What security levels are dmz1 and dmz2 ?

Jon

New Member

Hi Jon,

The security levels are:

nameif ethernet1 inside security100
nameif ethernet2 dmz1 security80
nameif ethernet3 dmz2 security70

It's weird because if I run an icmp echo from 192.168.1.0 to 192.168.2.0, afterwards I can run icmp echo requests from 192.168.2.0 to 192.168.1.0. It seems like something to do with ARP.

What about this? Should I remove these lines?

sysopt noproxyarp inside
sysopt noproxyarp dmz1
sysopt noproxyarp dmz2

Thanks a lot, best regards.

Hall of Fame Super Blue

Can you try enabling proxyarp on the dmz2 interface and retest?

Before you do the above, can you clear the arp table and the xlate table (assuming this is not an active production firewall with active connections)?

If this doesn't work then please post the full configuration.

Jon

New Member

Hello Jon,

Thank you very much, it was a static NAT issue.

Thanks, best regards.
