
New Member

PIX DMZ traceroute problem

PIX config:

hostname ASA5520

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 202.101.2.X

interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address

interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_server extended permit tcp any host 202.101.2.Y
access-list outside_access_server extended permit icmp any any
access-list dmz_access_inside extended permit ip any any
access-list dmz_access_inside extended permit icmp any any
access-list dmz_access_inside extended permit ip any any
access-list inside-accesss-dmz extended permit icmp any any
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any dmz
icmp permit any inside
global (outside) 1 interface
nat (inside) 1 tcp 400 300
static (dmz,outside) 202.101.2.Y netmask dns
static (inside,dmz) netmask
access-group outside_access_server in interface outside
access-group dmz_access_inside in interface dmz
access-group inside-accesss-dmz out interface dmz
route outside 202.101.X.X
timeout xlate 8:00:00
timeout conn 24:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:00:00 absolute uauth 3:00:00 inactivity

class-map tcp_allow
 match access-list acl_tcp
class-map type regex match-any testhttp
class-map down
 match access-list download
class-map inspection_default
 match default-inspection-traffic

policy-map down
 class down
  police input 2048000 512000
  police output 2048000 512000
policy-map type inspect dns migrated_dns_map_1
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
policy-map tcppolicy
 class tcp_allow
  set connection advanced-options conform_tcp

service-policy global_policy global
service-policy tcppolicy interface outside

Problem description:

1. Inside client can traceroute to the Internet.

2. Inside client can traceroute to the DMZ server.

3. DMZ server cannot traceroute to the Internet or to the inside client.

New Member

Re: PIX DMZ traceroute problem

1.) DMZ to client communication:

I could only see translation for network

static (inside,dmz) netmask

You also need to have translation for the 192.168.1.x network. Then do a clear xlate.

2.) DMZ server to Internet

Can the DMZ server reach the gateway? Defined in this line?

route outside 202.101.X.X

If you enable debugs, what do you see?
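The check the reply does by eye (which real networks actually have a translation toward a given interface under the 7.x/8.2 static / nat+global syntax) can be scripted. This is an added example, not code from the thread or from Cisco; the config it parses is constructed, and every address in it is a placeholder except the 192.168.1.x inside network the reply names.

```python
import ipaddress
import re
# Constructed sample config; addresses are placeholders except 192.168.1.x (from the reply).
SAMPLE_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 tcp 400 300
static (dmz,outside) 203.0.113.25 172.16.1.10 netmask 255.255.255.255 dns
static (inside,dmz) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
"""

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)")

def network(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_translations(config):
    """Translation rules as (real_if, mapped_if, real_network, mapped) tuples."""
    rules, nats, globals_ = [], [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):          # static (real_if,mapped_if) mapped real netmask mask
            real_if, mapped_if, mapped, real, mask = m.groups()
            rules.append((real_if, mapped_if, network(real, mask), mapped))
        elif m := NAT_RE.match(line):           # nat (real_if) id real mask ...
            real_if, nat_id, real, mask = m.groups()
            nats.append((real_if, int(nat_id), network(real, mask)))
        elif m := GLOBAL_RE.match(line):        # global (mapped_if) id ...
            mapped_if, nat_id = m.groups()
            globals_.setdefault(int(nat_id), []).append(mapped_if)
    for real_if, nat_id, net in nats:           # nat/global pairs sharing an id = dynamic PAT
        for mapped_if in globals_.get(nat_id, []):
            rules.append((real_if, mapped_if, net, "dynamic"))
    return rules

def find_translation(config, real_if, mapped_if, real_ip):
    """Rule covering real_ip from real_if toward mapped_if, else None (no xlate possible)."""
    addr = ipaddress.ip_address(real_ip)
    for rule in parse_translations(config):
        if rule[0] == real_if and rule[1] == mapped_if and addr in rule[2]:
            return rule
    return None

def identity_static(real_if, mapped_if, cidr):
    """Identity static the reply recommends, so real_if hosts keep their address toward mapped_if."""
    net = ipaddress.ip_network(cidr)
    return (f"static ({real_if},{mapped_if}) {net.network_address} "
            f"{net.network_address} netmask {net.netmask}")
```

Running `find_translation(SAMPLE_CONFIG, "inside", "dmz", "192.168.1.20")` returns None, which is the gap the reply points at; `identity_static("inside", "dmz", "192.168.1.0/24")` prints the line that closes it (followed by `clear xlate`).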
