PIX Firewall Problem

wasiimcisco
Level 1

I am again having a strange problem. I have two servers in the DMZ. I want one server to go to the internet and also to communicate with one of the servers located on the outside, with local IP address 172.28.92.72.

My ASDM is showing me packet tracer succeeding without any problem. But when I try to ping from the server on the DMZ to the server located on the outside I get the following error:

Destination net unreachable.

Destination net unreachable.

Destination net unreachable.

Destination net unreachable.

I configured the same settings as for server 2 with IP address 172.28.92.68.

But I want 172.28.92.72 to have a static for the internet, but to communicate with the outside server using the same IP 172.28.92.72.

access-list outside_acl extended permit ip host x.74.112.153 host 172.28.92.72
access-list nonat extended permit ip host 172.28.92.72 host x.74.112.153
static (edn,outside) x.223.188.39 172.28.92.72 netmask 255.255.255.255
telnet 172.28.92.72 255.255.255.255 edn

TDC-INT-525-01# sh run | in 172.28.92.68
access-list outside_acl extended permit ip x.223.188.0 255.255.255.0 host 172.28.92.68
access-list outside_acl extended permit ip host x.74.112.153 host 172.28.92.68
access-list nonat extended permit ip host 172.28.92.68 x.223.188.0 255.255.255.0
access-list nonat extended permit ip host 172.28.92.68 host x.74.112.153
nat (inside) 0 access-list nonat
nat (edn) 0 access-list nonat

Please help me out.
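To make the expected firewall behaviour concrete, here is a small added model (not from this thread or from Cisco) of the PIX/ASA 7.x NAT order of operations, in which NAT exemption (nat 0 access-list) is evaluated before static NAT, so a nonat entry and a static for the same real host are meant to coexist. The public addresses are constructed stand-ins for the masked "x." values in the post; the interface names are the post's own.

```python
import ipaddress

# Added model of the PIX/ASA 7.x NAT order of operations for the DMZ host in
# this thread: step 1 is NAT exemption (nat 0 access-list), step 2 is static
# NAT. Policy and regular dynamic NAT (steps 3 and 4) are not used here.
# 203.0.113.153 / 198.51.100.39 are constructed stand-ins for the masked
# x.74.112.153 (outside server) and x.223.188.39 (static mapped address).

def _net(tokens, i):
    """Parse 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i]."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_ace(line):
    """'access-list NAME extended permit ip SRC DST' -> (name, src_net, dst_net)."""
    t = line.split()
    src, i = _net(t, 5)
    dst, _ = _net(t, i)
    return t[1], src, dst

def parse_static(line):
    """'static (IN,OUT) MAPPED REAL netmask MASK' -> (real_net, mapped_ip)."""
    t = line.split()
    return ipaddress.ip_network(f"{t[3]}/{t[5]}"), t[2]

def translate(src, dst, nonat_aces, statics):
    """Return (source address seen on the outside, rule that decided it)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Step 1: NAT exemption wins if any nonat ACE matches the flow.
    for _, src_net, dst_net in nonat_aces:
        if s in src_net and d in dst_net:
            return src, "nat 0 (exempt)"
    # Step 2: the static applies to every other flow from that real host.
    for real_net, mapped in statics:
        if s in real_net:
            return mapped, "static"
    return src, "untranslated"

# Constructed config, mirroring the two lines the poster added for 172.28.92.72.
CONFIG = """
access-list nonat extended permit ip host 172.28.92.72 host 203.0.113.153
static (edn,outside) 198.51.100.39 172.28.92.72 netmask 255.255.255.255
""".strip().splitlines()

NONAT = [parse_ace(l) for l in CONFIG if l.startswith("access-list nonat")]
STATICS = [parse_static(l) for l in CONFIG if l.startswith("static ")]

def to_partner():   # DMZ host -> the outside server: exempt, real address kept
    return translate("172.28.92.72", "203.0.113.153", NONAT, STATICS)

def to_internet():  # DMZ host -> anywhere else: translated by the static
    return translate("172.28.92.72", "192.0.2.10", NONAT, STATICS)
```

This models only the forward path through the firewall, which is also all that packet tracer evaluates; whether the outside server's reply finds its way back to 172.28.92.72 is decided by that server's routing, as the first reply below asks about.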

5 Replies

Have you checked whether the server on the outside knows how to route traffic back to 172.28.92.72? If it does, can you look at the packet trace on the outside interface to see whether the response from the server on the outside is coming in?

Yes, the outside server has the route towards it. I am also getting hit counts on my outside firewall access-list.

See the snapshot of packet tracer from the outside interface to the DMZ. It is successful.

Interesting. Have you tried removing the static and checking whether that makes any difference? If not, can you do a sniffer capture on the DMZ?

If I remove the static it works, as it is working with 172.28.92.68. But my requirement is to use the static for Internet access.

Right now I have removed the nonat for 172.28.92.72 and am using only the static for Internet access, and the outside server is accessing it via the static IP address.

But I don't know what is wrong with the static and nonat.

Packet tracer is showing full success, but when I try to trace and ping:

destination network unreachable.

Only nonat is working or only static is working, not both at the same time.

Glad it works!!

Can you do the static at port level for Internet access? That may be a workaround for you to get both working.

Moreover, can you use a different name for the no-nat access list, one that is different from the no-nat access-list name for the inside interface? It really shouldn't matter, but with all the caveats it's worth a try.

HTH

Sundar
