01-15-2007 02:04 PM - edited 03-11-2019 02:19 AM
Added 4 port ethernet on a Pix 515e, ver: 6.3
So I have the following:
ip address outside 63.209.xxx.xx 255.255.255.192
ip address inside 172.16.x.x 255.255.255.0
ip address dmz 192.168.121.4 255.255.255.0
From a web server on the dmz interface I'm unable to ping inside hosts, although from inside I can ping the dmz web server. show icmp:
icmp permit any outside
icmp permit any inside
icmp permit any echo dmz
What am I missing? Thanks.
01-15-2007 02:12 PM
To go from a lower security interface to a higher one, you need NAT translations. For example
static (inside,dmz) 172.16.x.x 172.16.x.x netmask 255.255.255.0
You will also need an ACL.
access-list dmz_access permit icmp any any
access-group dmz_access in interface dmz
This example is NOT secure; only allow access to what is needed.
HTH and please rate.
01-16-2007 08:54 AM
Here's what I have in place:
static (inside,dmz) 172.0.0.0 172.0.0.0 netmask 255.255.255.0 0 0
access-group dmz_access_in in interface dmz
access-list dmz_access_in line 1 permit icmp any any (hitcnt=845)
access-list dmz_access_in line 2 permit tcp host 192.168.121.34 host 172.16.x.x eq 1433 (hitcnt=0)
Goal is to be able to communicate with a sql server on the inside.
01-16-2007 08:57 AM
Did you want to put 172.0.0.0/24 in your static (inside,dmz)?
Do you have a 172.0.0.0/24 network inside?
If not, it should be
static (inside,dmz) 172.0.0.0 172.0.0.0 netmask 255.0.0.0
or
static (inside,dmz) 172.16.x.0 172.16.x.0 netmask 255.255.255.0
01-16-2007 11:19 AM
Yes I have a 172.0.0.0/24 on the inside interface.
My issue is being unable to communicate with the inside from the dmz web server. With what I posted above, how would I proceed? Thanks.
01-16-2007 12:26 PM
But the host on the inside you want to hit on 1433 is not part of 172.0.0.0/24.
You need to add another static (inside,dmz) for the 172.16.x.0 network.
01-24-2007 01:22 PM
I have:
static (inside,dmz) tcp interface 1433 172.16.3.3 1433 netmask 255.255.255.255 0 0
Still having a problem connecting to a sql server on the inside.
01-24-2007 01:45 PM
Have you tried the suggested above? I don't think you want what you just posted.
If you can watch the logs you are probably getting "No translation group found". If 172.16.3.3 is your sql server, then add
static (inside,dmz) 172.16.3.3 172.16.3.3 netmask 255.255.255.255
Post a sanitized config if you can.
01-25-2007 10:52 AM
01-25-2007 11:39 AM
Try this.
http://www.cisco.com/warp/public/110/mailserver.html
Pay close attention to the following line
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
You will need one except yours would be
static (inside,dmz) 172.16.3.0 172.16.3.0 netmask 255.255.255.0 0 0
This will allow anything on 172.16.3.0/24 network to communicate with dmz server and vice versa.
I also don't know what this line is supposed to do: static (inside,dmz) tcp interface 1433 172.16.3.3 1433 netmask 255.255.255.255 0 0
You may have to "clear xlate" after the command is added. Just be aware of that. Also make sure your sql is running on 1433.
Someone correct me if I'm wrong here.
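The two replies above both turn on the same check: does any static (inside,dmz) actually cover the inside host the DMZ server is trying to reach, and how much of the inside network does that static expose? This added script (not from the thread or from Cisco) parses the static lines posted over the course of the thread and answers both questions for the SQL server at 172.16.3.3; the sample list is constructed from the thread, and the port-static form is only recognised, not evaluated, since it maps one interface port rather than a host range.

```python
import ipaddress
import re

# Plain form: static (high_if,low_if) <global> <local> netmask <mask> [max_conns emb_limit]
STATIC_RE = re.compile(
    r"^static \((?P<high>\w+),(?P<low>\w+)\) (?P<global>[\d.]+) (?P<local>[\d.]+)"
    r" netmask (?P<mask>[\d.]+)"
)
# Port form: static (high_if,low_if) tcp|udp <global_ip|interface> <port> <local_ip> <port> ...
PORT_STATIC_RE = re.compile(r"^static \(\w+,\w+\) (tcp|udp) ")


def parse_static(line):
    """Return the inside (local) address range a plain static covers, or None for a
    port static, which maps a single interface port rather than a host range."""
    if PORT_STATIC_RE.match(line):
        return None
    m = STATIC_RE.match(line)
    if not m:
        raise ValueError(f"not a static line: {line}")
    # strict=False: a host address paired with a network mask (e.g. 172.16.3.3/24)
    # is widened to its containing network instead of being rejected
    return ipaddress.ip_network(f"{m['local']}/{m['mask']}", strict=False)


def covering_statics(lines, inside_host):
    """All plain statics whose inside range contains inside_host, narrowest first.
    An empty list means the PIX has no translation for that host from the DMZ side,
    which is the "No translation group found" case."""
    host = ipaddress.ip_address(inside_host)
    hits = [(net, line) for line in lines if (net := parse_static(line)) and host in net]
    hits.sort(key=lambda h: h[0].num_addresses)
    return [line for _, line in hits]


def exposed_addresses(line):
    """How many inside addresses the static makes reachable from the DMZ."""
    net = parse_static(line)
    return net.num_addresses if net else 0


# Constructed sample: the statics that appear over the course of the thread
THREAD_STATICS = [
    "static (inside,dmz) 172.0.0.0 172.0.0.0 netmask 255.255.255.0 0 0",
    "static (inside,dmz) tcp interface 1433 172.16.3.3 1433 netmask 255.255.255.255 0 0",
    "static (inside,dmz) 172.16.3.3 172.16.3.3 netmask 255.255.255.255",
    "static (inside,dmz) 172.16.3.0 172.16.3.0 netmask 255.255.255.0 0 0",
    "static (inside,dmz) 172.0.0.0 172.0.0.0 netmask 255.0.0.0",
]

if __name__ == "__main__":
    for line in covering_statics(THREAD_STATICS, "172.16.3.3"):
        print(f"{exposed_addresses(line):>9} inside addresses exposed: {line}")
```

Run against the first two statics only (the ones in place when the problem was reported), the result is empty, matching the missing-translation symptom; with the later ones present, the /32 static covers the SQL server while exposing a single inside address, the /24 exposes 256 and the /8 exposes the whole 172.0.0.0 block.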
02-20-2007 11:38 AM
I removed:
static (inside,dmz) 172.16.3.3 172.16.3.3 netmask 255.255.255.0 0 0
Added:
static (inside,dmz) 172.16.3.0 172.16.3.0 netmask 255.255.255.0 0 0
Right now would be happy just to ping from inside to dmz. Have the acl:
access-list dmz_access permit icmp any any
02-20-2007 11:53 AM
As long as you are coming from inside 172.16.3.x you should be fine. Did you apply that acl with access-group dmz_access in interface dmz?
02-20-2007 11:57 AM
Yes, coming from 172.16.3.x and have the acl:
access-group dmz_access in interface dmz
02-20-2007 12:04 PM
Did you get rid of this line?
static (inside,dmz) tcp interface 1433 172.16.3.3 1433 netmask 255.255.255.255
Might as well post current config and start logging.