Cisco Support Community

New Member

Unable to ping router interfaces which are directly connected to firewall DMZs

Hi,

Kindly find the attached file. In this, I am unable to ping from router2 to the router1 F0/0 interface and vice versa, even though they are directly connected to the firewall DMZs. I have checked the router routes and they seem to be fine. Please provide me the solution as soon as possible. Thanks in advance.

8 REPLIES
Cisco Employee

Re: unable to ping router interfaces which is directly conn to f

You need to configure a STATIC for traffic to flow from one DMZ to another. Please refer to the URL below for details:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

If you have already configured the statics and it is still not working, can you post the STATIC configuration from the PIX?

Regards,

Arul

** Please rate all helpful posts **

New Member

Re: unable to ping router interfaces which is directly conn to f

Hi Arul,

Thanks a lot for your response. I have already applied a static as well, but I am still unable to. I have a PIX 535 with 6 interfaces. I want to establish connectivity between two DMZs. Have you seen the diagram, Arul? The firewall DMZs are connected to the routers' F0 interfaces. I need to access one host from router2 to router1.

static (dmz11,dmz22) 172.16.0.0 172.16.0.0 netmask 255.240.0.0

New Member

Re: unable to ping router interfaces which is directly conn to f

What I understand: we want to ping from 172.30.8.10 to 172.30.8.18 and vice versa.

Here are the steps you can try:

* Ping both routers first from the firewall itself. If that fails, you need to troubleshoot that first.

* The default gateways of the routers should be the DMZ interface IP addresses.

* Ping from R1 to R2

Since dmz11 is at security level 40 and dmz22 is at 30, you require nat and global statements:

nat (dmz11) 1 0 0

global (dmz22) 1 interface

Allow ICMP on the interface and you will be able to ping.

* Ping from R2 to R1

If you want to access or ping from dmz22 to dmz11, you need a static statement, since the traffic is going from lower to higher security:

static (dmz11,dmz22) 172.30.8.10 172.30.8.10 netmask 255.255.255.255

Allow ICMP in the access-list and you should be able to ping.

See if these steps help. If it works for you, please rate the steps so that others can benefit from this forum.

Thanks

New Member

Re: unable to ping router interfaces which is directly conn to f

Hi manjesin,

Thanks for your response too. I have some more doubts, kindly clarify:

* I can ping the router F0 interface from the firewall interface.

* In order to access from R2 to R1, the static NAT would be like below, I think:

static (dmz11,dmz22) 172.30.8.18 172.30.8.18 netmask 255.255.255.255

The static IPs should be those of the higher interface? Is that right?

The problem is that router2 is connected to one more router, router3. So my concern is that I need to access router1 from router3 in my above diagram. For that I have been trying to ping at least both router interfaces (R2, R1) first.

I will try all your valuable options. Kindly find the attached network diagram file and provide me the firewall config and router routes, please.

New Member

Re: unable to ping router interfaces which is directly conn to f

Hi,

Kindly provide a solution for the above.

New Member

Re: unable to ping router interfaces which is directly conn to f

Here is the network topology:

R1---------firewall------R2------R3

Yes, in the static statement we will be providing the IP address on the higher-security network which we want to access.

The example was given before, and you need to open the access-list:

static (dmz11,dmz22) 172.30.8.18 172.30.8.18 netmask 255.255.255.255

access-list 101 permit ip any host 172.30.8.18

access-group 101 in interface dmz22

If your default gateway on router2 and router3 is not the dmz22 interface IP address, then we need to add routes on the routers, for example:

ip route 172.30.8.0 255.255.255.248 172.30.8.17

We are indicating that if somebody behind router3 wants to reach 172.30.8.18, then the traffic should be sent to 172.30.8.17, which is the firewall's dmz22 interface. Once the traffic reaches the firewall, the static will come into the picture.

Here is a link to configuring routes on a router:

http://www.cisco.com/en/US/docs/routers/access/1800/1801/software/configuration/guide/routconf.html#wp1123657

Hope this helps.

New Member

Re: unable to ping router interfaces which is directly conn to f

hi,

Make sure you also open icmp any any on the dmz22 and dmz11 interfaces,

since ICMP is not allowed through the firewall by default.
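Putting the thread's pieces (identity static, access-list on the lower-security interface, explicit ICMP permits, and router routes) together as one worked configuration. This is an added example, not the configuration of any poster's PIX. The addresses, interface names, ACL names and the 192.168.3.0/24 network behind R3 are assumptions chosen to match the thread: firewall dmz11 is 172.30.8.9/29 (security 40) with R1 F0/0 at 172.30.8.10, firewall dmz22 is 172.30.8.17/29 (security 30) with R2 F0/0 at 172.30.8.18, and R2's LAN address towards R3 is 192.168.3.1. The syntax is PIX 6.x (nameif/ip address/static/access-list) and IOS for the routers.

```text
: ===== PIX 6.x (added example; names and addresses are assumptions) =====
nameif ethernet2 dmz11 security40
nameif ethernet3 dmz22 security30
ip address dmz11 172.30.8.9 255.255.255.248
ip address dmz22 172.30.8.17 255.255.255.248
:
: Identity static: R1 (172.30.8.10 on dmz11) appears on dmz22 as itself.
: The same translation serves dmz11 -> dmz22 traffic from R1, so no extra
: nat/global pair is needed for that host.
static (dmz11,dmz22) 172.30.8.10 172.30.8.10 netmask 255.255.255.255 0 0
:
: dmz22 (30) -> dmz11 (40) is denied until an ACL on dmz22 permits it.
: PIX 6.x does not track ICMP state, so the echo-reply that R2 sends back
: to R1 must also be permitted explicitly on dmz22.
access-list dmz22_in permit icmp any host 172.30.8.10 echo
access-list dmz22_in permit icmp any host 172.30.8.10 echo-reply
access-group dmz22_in in interface dmz22
:
: Applying an access-group on dmz11 turns off its default "higher to lower
: allowed" behaviour, so if one is applied the ICMP lines must be explicit.
access-list dmz11_in permit icmp host 172.30.8.10 any echo
access-list dmz11_in permit icmp host 172.30.8.10 any echo-reply
access-group dmz11_in in interface dmz11
:
: The firewall must know how to reach R3's LAN so R1's replies leave via dmz22.
route dmz22 192.168.3.0 255.255.255.0 172.30.8.18 1

! ===== R1 (dmz11 side) =====
ip route 172.30.8.16 255.255.255.248 172.30.8.9
ip route 192.168.3.0 255.255.255.0 172.30.8.9

! ===== R2 (dmz22 side, LAN 192.168.3.1/24 towards R3) =====
ip route 172.30.8.8 255.255.255.248 172.30.8.17

! ===== R3 (behind R2) =====
ip route 172.30.8.8 255.255.255.248 192.168.3.1
```

Two points worth checking against this on a real box: the static must name the dmz11 host (the higher-security side) as both mapped and real address, exactly as the earlier reply describes, and every interface that carries an access-group must list the ICMP reply type as well as the echo, because the reply is matched as a fresh inbound packet on PIX 6.x rather than as part of a tracked session.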
