Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Weird firewall behavior is drive me mad

Hi folk, I have a PIX 525 firewall which is working completely weird.

The device is running the PIX Appliance software 8.0(4) and the problem is that some hosts from the inside can reach a server in the DMZ and others can't despite the static NAT from the inside to DMZ with their own address is declared with a netmask that reach all hosts.

I have sanity check that no firewall in the server is running

2)The ACL permiting traffic from the DMZ is good

3)I installed wireshark in the server and it receive and response the packets but the host in the inside side do not receive the answer to ping that it sent.

I ran also packet-tracer and the flow of traffic tested passed smoothly.

I ran capture packet to see if some of them are droped and nothing appears.

If someone in this forums knows that this version has a bug that make the firewall works anormally please let me know. Or if you have other suggestion or if you want to see the configuration please let me know.

Thanks.

1 REPLY
Cisco Employee

Re: Weird firewall behavior is drive me mad

Do you have inspect icmp enabled?

issue "sh run policy-map" and see if it is. If not pls. enable that.

So some inside hosts receive the ICMP response from this same DMZ server while others do not?

since you are running 8.x code you can try to do captures on the ASA and see if the packets arrive on the DMZ interface and if they are sent out of the inside interface.

cap capin int inside match icmp any host 10.10.10.1

cap capdmz int dmz match icmp any host 10.10.10.1

do a test ping from the inside host 10.10.10.1 to the dmz server and see that the captures show

sh cap capin

sh cap capdmz

you can refer this link for further capture help.

http://supportwiki.cisco.com/ViewWiki/index.php/Packet_capture

120
Views
0
Helpful
1
Replies
CreatePlease to create content