I'm having a hard time figuring out the discrepancy on a PIX firewall config I have here.
My difficulty is that I have two interfaces. One is a VLAN interface named CORE with a security level of 87, and the other is a physical interface named DMZ4 with a security level of 50.
I have verified the routes and they were OK, and also the access lists. Actually, I have permitted the hosts on both sides to see each other, meaning PING is allowed and so are the other services on IP. There are hit counts, actually. But the result on the CORE side is "Request timed out", whereas on the DMZ4 segment the result is "TTL expired in transit".
I ran a debug icmp trace and the result was:
89226: ICMP echo-request from core:172.22.38.104 to 172.22.148.47 ID=768 seq=30791 length=40
89227: ICMP echo-request: translating core:172.22.38.104 to dmz4:172.22.38.104
89228: ICMP echo-request: untranslating core:172.22.148.47 to dmz4:172.22.148.47
I could not see the next line which should have been a reply from 172.22.148.47 going to the requester 172.22.38.104.
One of the segments named MANAGEMENT with a SecLev of 57 can see the host on the DMZ4 and vice versa. They could ping each other.
My problem has been resolved. There was no route on the router that is connected to the DMZ4 segment that we have here. We have just added a route on it pointing to the layer 3 switch on DMZ4 going to the CORE segment.
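The trace quoted above shows the echo-request being translated toward dmz4 but never the echo-reply coming back, which is exactly the symptom of a broken return route. The following Python is an added example (not part of the original thread) that parses lines in the format the post shows and reports every echo-request that has no matching echo-reply. The sample trace embeds the three lines from the post plus a constructed second probe with a reply; the echo-reply line format is an assumption modelled on the request line, not output copied from a PIX.

```python
import re

# Constructed sample trace: the three lines quoted in the post, followed by a
# second probe that does get an answer. The echo-reply line is an assumed
# format modelled on the request line, not taken from the post.
SAMPLE_TRACE = """\
89226: ICMP echo-request from core:172.22.38.104 to 172.22.148.47 ID=768 seq=30791 length=40
89227: ICMP echo-request: translating core:172.22.38.104 to dmz4:172.22.38.104
89228: ICMP echo-request: untranslating core:172.22.148.47 to dmz4:172.22.148.47
89229: ICMP echo-request from core:172.22.38.104 to 172.22.148.47 ID=768 seq=30792 length=40
89230: ICMP echo-reply from dmz4:172.22.148.47 to 172.22.38.104 ID=768 seq=30792 length=40
"""

# Matches only the "from ... to ..." packet lines. The translating/untranslating
# lines describe NAT handling of the same packet and carry no ID/seq, so they
# are skipped.
PKT_RE = re.compile(
    r"^\d+: ICMP (?P<type>echo-request|echo-reply) from "
    r"(?P<src_if>[\w-]+):(?P<src>[\d.]+) to (?P<dst>[\d.]+) "
    r"ID=(?P<id>\d+) seq=(?P<seq>\d+)"
)


def parse_trace(text):
    """Return one dict per echo-request/echo-reply line in the trace."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt["id"] = int(pkt["id"])
            pkt["seq"] = int(pkt["seq"])
            packets.append(pkt)
    return packets


def unanswered_requests(text):
    """Echo-requests for which no reply with swapped addresses, the same ID
    and the same seq appears in the trace. A request that was translated
    toward the far interface but never answered points at the return path
    (here: a missing route on the router behind DMZ4), not at the ACLs."""
    packets = parse_trace(text)
    replies = {
        (p["src"], p["dst"], p["id"], p["seq"])
        for p in packets
        if p["type"] == "echo-reply"
    }
    return [
        p
        for p in packets
        if p["type"] == "echo-request"
        and (p["dst"], p["src"], p["id"], p["seq"]) not in replies
    ]


if __name__ == "__main__":
    for p in unanswered_requests(SAMPLE_TRACE):
        print(
            f"no reply: {p['src_if']}:{p['src']} -> {p['dst']} "
            f"ID={p['id']} seq={p['seq']}"
        )
```

Run against a captured `debug icmp trace`, the script lists only the probes that never came back; if every request from one interface is unanswered while the same host answers probes from another interface (as MANAGEMENT did here), the firewall has already done its part and the fault is on the routing between the far-side router and the source segment.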