packet loss for hosts in DMZ from inside

Dear Friends,

I have configured a PIX 515E with the below IPs:

ip address outside x.x.x.x 255.255.255.192

ip address inside 192.168.68.21 255.255.255.0

ip address dmz 172.16.31.1 255.255.0.0

ip address dmz2 192.168.90.0 255.255.255.0

ip address dmz3 192.168.59.21 255.255.255.0

ip address state 10.0.0.1 255.255.255.248

Database servers reside in the DMZ. If I am trying to access them from inside, I am getting "request timed out" frequently. Kindly let me know how to fix.

Thanks

Brahmam

5 REPLIES

Re: packet loss for hosts in DMZ from inside

Can you share the config, especially the static/nat/global/ACL portion? The problem can be anything, i.e misconfiguration.

AK


Re: packet loss for hosts in DMZ from inside

Thanks for your kind reply. Please find attached the configuration of my PIX and let me know if there are any misconfigurations.

Re: packet loss for hosts in DMZ from inside

From your config, I assumed the following databases are the ones you mentioned (failed) and need to be accessed from the inside segment:

name 172.16.31.12 EGL_Database ------> group under GlobalDatabse in DMZ

name 172.16.31.10 Black_Database ----> group under GlobalDatabse in DMZ

Add "static (inside,dmz) 192.168.68.0 192.168.68.0 netmask 255.255.255.0" so that the access-list entry "access-list acl_in permit tcp any object-group GlobalDatabse eq sqlnet log" takes effect.

Let me know the outcome.

HTH

AK


Re: packet loss for hosts in DMZ from inside

Hi

Thanks, I hope it's already there in the config.

Kindly check below:

static (inside,dmz) FS_Technology FS_Technology dns netmask 255.255.255.0 0 0

name 192.168.68.0 FS_Technology

I am not sure why our people used dns in the static command.

Rgds

Brahmam.

Re: packet loss for hosts in DMZ from inside

I think you do not need 'dns' there.

The dns keyword is needed only if the A record (address record) needs to be rewritten in DNS replies that match the static command.

For DNS replies traversing from a mapped interface to a real interface, the A record is rewritten from the mapped value to the real value. Inversely, for DNS replies traversing from a real interface to a mapped interface, the A record is rewritten from the real value to the mapped value.

To make your troubleshooting clean (no issues with name entries, etc.), use addresses instead of names. Also, test the ACL with one server at a time. See if the access from inside to dmz works. Test whether both sides are reachable via ping/ICMP. Check the ACL hit count as well (use the 'sh access-list acl_in' command).

access-list acl_in permit icmp any any --> allow ping for testing purposes only, remove later.

access-list acl_in permit tcp any host 172.16.31.10 eq sqlnet log

static (inside,dmz) 192.168.68.0 192.168.68.0 netmask 255.255.255.0

Make sure you remove the following temporarily during testing:

name 172.16.31.12 EGL_Database

name 172.16.31.10 Black_Database

access-list acl_in permit tcp any object-group GlobalDatabse eq sqlnet log

See the outcome.

HTH

AK
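As an added illustration of the troubleshooting steps in this thread (not part of the original posts and not a Cisco tool), the Python below takes PIX 6.x config lines assembled from what was quoted above, expands `name` aliases to plain addresses, checks that the static (inside,dmz) identity translation actually covers an inside host, and lists which static entries carry the `dns` keyword. The sample config is constructed from the quoted lines and is not a complete PIX configuration.

```python
import ipaddress
import re

# Constructed sample assembled from the lines quoted in the thread; not a full PIX config.
SAMPLE_CONFIG = """\
name 192.168.68.0 FS_Technology
name 172.16.31.12 EGL_Database
name 172.16.31.10 Black_Database
static (inside,dmz) FS_Technology FS_Technology dns netmask 255.255.255.0 0 0
access-list acl_in permit tcp any object-group GlobalDatabse eq sqlnet log
access-list acl_in permit tcp any host Black_Database eq sqlnet log
"""
# PIX 6.x static syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip [dns] netmask mask
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+)( dns)? netmask (\S+)")


def parse_names(config):
    """Map each alias declared with 'name <ip> <alias>' to its address."""
    names = {}
    for line in config.splitlines():
        m = re.match(r"name (\S+) (\S+)$", line)
        if m:
            names[m.group(2)] = m.group(1)
    return names


def expand_names(config):
    """Static/access-list lines with aliases replaced by addresses (the address-only form)."""
    names = parse_names(config)
    return [" ".join(names.get(t, t) for t in line.split())
            for line in config.splitlines() if not line.startswith("name ")]


def identity_static_covers(config, real_if, mapped_if, host):
    """True if a static (real_if,mapped_if) identity entry (mapped == real) covers host."""
    addr = ipaddress.ip_address(host)
    for line in expand_names(config):
        m = STATIC_RE.match(line)
        if not m:
            continue
        r_if, m_if, mapped, real, _dns, mask = m.groups()
        if (r_if, m_if) == (real_if, mapped_if) and mapped == real:
            if addr in ipaddress.ip_network(f"{real}/{mask}", strict=False):
                return True
    return False


def statics_with_dns_rewrite(config):
    """Static lines carrying 'dns', i.e. the ones that rewrite A records in DNS replies."""
    return [l for l in expand_names(config) if STATIC_RE.match(l) and " dns " in l]
```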
