DMZ setup

Gatling_uk
Level 1

Hello everyone,

I have a small problem I am hoping someone can offer some assistance with.

I have set up a test network using a pix 515e, and a 3750g switch. I have 1 interface on the pix in the 10.10.1.1 network, which is my internal lan. I have another interface on the pix with IP address 10.10.2.1, which is my DMZ network.

Both interfaces patch into the 3750g, the internal pix interface into port 1/0/1, and the DMZ interface into 1/0/15. Vlan 1 on the switch has IP address 10.10.1.250.

I also have 2 servers in vlan99 (dmz vlan) on the switch, which 1/0/15 is also a member of. Vlan 99 has IP address 10.10.2.250. The 2 servers have a default gateway of 10.10.2.1 (dmz interface on the pix). These 2 servers cannot ping the default gateway, but I can ping the servers from the switch.

There is only 1 route on the switch which is the default route to 10.10.1.1.

Does anyone know why I cannot reach the DMZ interface on the pix from the switch? ICMP is allowed on the pix interface.

Any assistance would be greatly appreciated.

Thanks


26 Replies

All of the first 4 points are correct.

The mac addresses do not appear in the arp cache on either of the servers or the firewall.

I cannot ping anything on the inside interface of the pix.

I have verified nothing is reaching the pix by observing the input/output counters as I send data.

DMZ interface is up/up.

Christopher

Can you try pinging the server from the pix?

Can you post output of

"ipconfig /all" from the server you are using to test.

Can you post a "sh ip int brief" from the 3750?

Sorry to ask for all this info but it is needed.

Jon

I can't ping the server from the pix.

I can ping one server from another in the dmz, which goes through the 3750, but I can't ping the 3750 from the servers, on either the vlan 1 ip address or the vlan 99 ip address (I have given vlan 99 an ip address in the 10.10.2.x range again). I can't ping the servers from the switch either.

"ipconfig /all" on server 1 reads:

ip address: 10.10.2.100

subnet mask: 255.255.255.0

default gateway: 10.10.2.1

primary dns: 10.10.1.50

secondary dns: 10.10.1.51

I can ping server 2 on address 10.10.2.101

Can you post the FULL config for the 3750g switch.

Jon

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname switch2
!
enable secret 5 $1$rMLz$axMm2ss8kb3k3f1
!
no aaa new-model
switch 1 provision ws-c3750g-48ts
system mtu routing 1500
vtp mode transparent
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
!
vlan internal allocation policy ascending
!
vlan 5
 name vMotion
!
vlan 29
 name Colo Network
!
vlan 77
 name Management
!
vlan 99
 name DMZ
!
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
 switchport access vlan 77
 switchport mode access
!
interface GigabitEthernet1/0/18
 switchport access vlan 77
!
interface GigabitEthernet1/0/19
 switchport access vlan 77
!
interface GigabitEthernet1/0/20
 switchport access vlan 77
!
interface GigabitEthernet1/0/21
 switchport access vlan 77
!
interface GigabitEthernet1/0/22
 switchport access vlan 77
!
interface GigabitEthernet1/0/23
 switchport access vlan 77
!
interface GigabitEthernet1/0/24
 switchport access vlan 77
!
interface GigabitEthernet1/0/25
 switchport access vlan 77
!
interface GigabitEthernet1/0/26
 switchport access vlan 77
!
interface GigabitEthernet1/0/27
 switchport access vlan 77
!
interface GigabitEthernet1/0/28
 switchport access vlan 5
!
interface GigabitEthernet1/0/29
 switchport access vlan 5
!
interface GigabitEthernet1/0/30
 switchport access vlan 5
!
interface GigabitEthernet1/0/31
 switchport access vlan 5
!
interface GigabitEthernet1/0/32
 switchport access vlan 5
!
interface GigabitEthernet1/0/33
!
interface GigabitEthernet1/0/34
!
interface GigabitEthernet1/0/35
!
interface GigabitEthernet1/0/36
!
interface GigabitEthernet1/0/37
!
interface GigabitEthernet1/0/38
!
interface GigabitEthernet1/0/39
 switchport access vlan 29
!
interface GigabitEthernet1/0/40
 switchport access vlan 29
!
interface GigabitEthernet1/0/41
 switchport access vlan 29
!
interface GigabitEthernet1/0/42
!
interface GigabitEthernet1/0/43
 switchport access vlan 99
!
interface GigabitEthernet1/0/44
 switchport access vlan 99
!
interface GigabitEthernet1/0/45
 switchport access vlan 99
!
interface GigabitEthernet1/0/46
 switchport access vlan 99
!
interface GigabitEthernet1/0/47
!
interface GigabitEthernet1/0/48
!
interface GigabitEthernet1/0/49
!
interface GigabitEthernet1/0/50
!
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
!
interface Vlan1
 ip address 10.10.1.250 255.255.255.0
!
interface Vlan5
 no ip address
!
interface Vlan77
 no ip address
!
interface Vlan99
 ip address 10.10.2.250 255.255.255.0
!
ip default-gateway 10.10.1.1
ip classless
no ip http server
!
!
!
control-plane
!
!
line con 0
 password 7 121E551510075F
 login
line vty 0 4
 password 7 045C5B040D2D1F
 login
line vty 5 15
 login
!
end

Just to rule out a switch issue can you

1) remove "ip default-gateway 10.10.1.1"

2) add "ip route 0.0.0.0 0.0.0.0 10.10.1.1"

3) enable ip routing on the 3750, e.g. "ip routing", and then retest ping from a server in vlan 99 to the vlan 99 interface on the switch.

Jon

I have done all of the above.

I can now ping the switch from the servers, and the servers from the switch, but I still cannot ping the dmz interface from either the switch or the servers, or vice versa.

I also still cannot ping hosts on the internal network from the dmz servers.

Thanks

If you want to try and ping inside servers from DMZ

1) add this to the pix config: "static (inside,dmz) 10.10.1.0 10.10.1.0 netmask 255.255.255.0"

2) Shutdown the vlan 99 interface on your switch.

Jon
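Reading the posted config next to the original post: GigabitEthernet1/0/15, which the poster says carries the PIX DMZ interface, has no "switchport access vlan" line and therefore sits in the default VLAN 1, while the servers are on ports 43 to 46 in VLAN 99. That matches the symptom that no ARP entries appear and nothing reaches the PIX. The Python below is an added example, not code from this thread or from Cisco, that parses a trimmed and constructed copy of the posted config (unindented, as it was pasted here, with "ip routing" added as Jon's step 3 suggests) and reports two things a reviewer would check: which access ports share the DMZ VLAN with the firewall port, and whether an addressed SVI in the DMZ VLAN together with "ip routing" gives the switch its own path between the inside and DMZ subnets that never passes through the PIX, which is one reason a reviewer would give for Jon's "shutdown the vlan 99 interface" step. The sub-command keyword list and the function names are my own assumptions, not IOS conventions.

```python
import re

# Constructed sample: a trimmed, unindented copy of the 3750 config posted in this
# thread (only the lines the audit needs), with "ip routing" added as Jon suggested.
SAMPLE_CONFIG = """\
hostname switch2
ip routing
vlan 99
name DMZ
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
interface GigabitEthernet1/0/15
interface GigabitEthernet1/0/17
switchport access vlan 77
switchport mode access
interface GigabitEthernet1/0/43
switchport access vlan 99
interface Vlan1
ip address 10.10.1.250 255.255.255.0
interface Vlan99
ip address 10.10.2.250 255.255.255.0
ip default-gateway 10.10.1.1
end
"""

# Interface sub-commands recognised even when the config has lost its indentation,
# as happens when it is pasted into a forum post (assumed list, extend as needed).
INTERFACE_SUBCMDS = ("switchport", "ip address", "no ip address", "description",
                     "shutdown", "no shutdown", "spanning-tree", "channel-group")


def parse_ios_config(text):
    """Split running-config text into (set of global commands, {interface: [sub-commands]})."""
    global_cmds = set()
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
            continue
        if current is not None and (raw[:1].isspace() or line.startswith(INTERFACE_SUBCMDS)):
            interfaces[current].append(line)
        else:
            current = None  # any other command ends the interface block
            global_cmds.add(line)
    return global_cmds, interfaces


def access_vlan(subcmds):
    """Untagged VLAN of an access port: 'switchport access vlan N', else the IOS default VLAN 1."""
    for cmd in subcmds:
        m = re.match(r"switchport access vlan (\d+)$", cmd)
        if m:
            return int(m.group(1))
    return 1


def is_trunk(subcmds):
    return "switchport mode trunk" in subcmds


def ports_in_vlan(interfaces, vlan):
    """Physical access ports whose untagged VLAN is `vlan` (SVIs and trunks excluded)."""
    return sorted(name for name, sub in interfaces.items()
                  if not name.startswith("Vlan") and not is_trunk(sub) and access_vlan(sub) == vlan)


def svi_addresses(interfaces):
    """{vlan_id: ip} for every SVI that carries an IP address."""
    svis = {}
    for name, sub in interfaces.items():
        m = re.fullmatch(r"Vlan(\d+)", name)
        if not m:
            continue
        for cmd in sub:
            a = re.match(r"ip address (\S+) (\S+)$", cmd)
            if a:
                svis[int(m.group(1))] = a.group(1)
    return svis


def audit_dmz(text, dmz_vlan, firewall_port):
    """Return (ports in the DMZ VLAN, list of findings) for a switch carrying a firewall's DMZ leg."""
    global_cmds, interfaces = parse_ios_config(text)
    members = ports_in_vlan(interfaces, dmz_vlan)
    findings = []
    # 1. The port the firewall's DMZ interface plugs into must be in the DMZ VLAN; otherwise
    #    DMZ hosts and the firewall never share a broadcast domain (no ARP, so no ping).
    if firewall_port not in members:
        actual = access_vlan(interfaces.get(firewall_port, []))
        findings.append(f"{firewall_port} is in VLAN {actual}, not DMZ VLAN {dmz_vlan}")
    # 2. With "ip routing" on, an addressed SVI in the DMZ VLAN beside an addressed SVI in another
    #    VLAN lets the switch forward inside<->DMZ traffic itself, without the firewall seeing it.
    svis = svi_addresses(interfaces)
    if "ip routing" in global_cmds and dmz_vlan in svis and len(svis) > 1:
        findings.append(f"ip routing is enabled and SVI Vlan{dmz_vlan} ({svis[dmz_vlan]}) "
                        f"can route between VLANs {sorted(svis)} around the firewall")
    return members, findings


if __name__ == "__main__":
    members, findings = audit_dmz(SAMPLE_CONFIG, 99, "GigabitEthernet1/0/15")
    print("ports in VLAN 99:", members)
    for finding in findings:
        print("FINDING:", finding)
```

Run against the sample, the audit lists only GigabitEthernet1/0/43 as a VLAN 99 member and raises both findings; remove the "ip routing" line and pass port 43 as the firewall port and it returns no findings. Feeding it the full posted config behaves the same way because the parser does not rely on indentation.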

I unfortunately cannot do that right now.

I have just noticed one other thing though.

When I add the port on the 3750 that the pix dmz interface patches into to the dmz vlan it drops the entry from the cam table, but it still has an entry for the mac address associated with another port that connects to a management switch.

To clarify, port 43 on the switch is added to vlan 99 and instantly it loses that association in the cam table. There is another entry in the cam table to the dmz int mac-address via int 17 on the switch which connects to a management network.

Okay, that's not right. Are you sure the cables are connected in correctly. It may be time to go back to basics. What happens if you allocate int 17 to vlan 99 ?

Jon

switch2#sh ip int b
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  10.10.1.250     YES NVRAM  up                    up
Vlan5                  unassigned      YES NVRAM  up                    up
Vlan77                 unassigned      YES NVRAM  up                    up
Vlan99                 10.10.2.250     YES manual up                    up
GigabitEthernet1/0/1   unassigned      YES unset  up                    up
GigabitEthernet1/0/2   unassigned      YES unset  up                    up
GigabitEthernet1/0/3   unassigned      YES unset  up                    up
<>
GigabitEthernet1/0/15  unassigned      YES unset  up                    up
GigabitEthernet1/0/16  unassigned      YES unset  up                    up
GigabitEthernet1/0/17  unassigned      YES unset  up                    up
GigabitEthernet1/0/18  unassigned      YES unset  up                    up
GigabitEthernet1/0/19  unassigned      YES unset  up                    up
GigabitEthernet1/0/20  unassigned      YES unset  up                    up
GigabitEthernet1/0/21  unassigned      YES unset  up                    up
GigabitEthernet1/0/22  unassigned      YES unset  up                    up
GigabitEthernet1/0/23  unassigned      YES unset  up                    up
GigabitEthernet1/0/24  unassigned      YES unset  up                    up
GigabitEthernet1/0/25  unassigned      YES unset  up                    up
GigabitEthernet1/0/26  unassigned      YES unset  up                    up
GigabitEthernet1/0/27  unassigned      YES unset  up                    up
GigabitEthernet1/0/28  unassigned      YES unset  up                    up
GigabitEthernet1/0/29  unassigned      YES unset  up                    up
GigabitEthernet1/0/30  unassigned      YES unset  up                    up
GigabitEthernet1/0/31  unassigned      YES unset  up                    up
GigabitEthernet1/0/32  unassigned      YES unset  up                    up
GigabitEthernet1/0/33  unassigned      YES unset  up                    up
GigabitEthernet1/0/34  unassigned      YES unset  up                    up
GigabitEthernet1/0/35  unassigned      YES unset  up                    up
GigabitEthernet1/0/36  unassigned      YES unset  down                  down
GigabitEthernet1/0/37  unassigned      YES unset  down                  down
GigabitEthernet1/0/38  unassigned      YES unset  down                  down
GigabitEthernet1/0/39  unassigned      YES unset  up                    up
GigabitEthernet1/0/40  unassigned      YES unset  up                    up
GigabitEthernet1/0/41  unassigned      YES unset  up                    up
GigabitEthernet1/0/42  unassigned      YES unset  down                  down
GigabitEthernet1/0/43  unassigned      YES unset  up                    up
GigabitEthernet1/0/44  unassigned      YES unset  up                    up
GigabitEthernet1/0/45  unassigned      YES unset  up                    up
GigabitEthernet1/0/46  unassigned      YES unset  up                    up
GigabitEthernet1/0/47  unassigned      YES unset  down                  down
GigabitEthernet1/0/48  unassigned      YES unset  down                  down
GigabitEthernet1/0/49  unassigned      YES unset  down                  down
GigabitEthernet1/0/50  unassigned      YES unset  down                  down
GigabitEthernet1/0/51  unassigned      YES unset  down                  down
GigabitEthernet1/0/52  unassigned      YES unset  down                  down

One other thing.

The pix knows that the 10.10.2.0 network is directly connected to it out of its dmz interface, but I can't ping 10.10.2.250 (the dmz vlan ip address on the switch) from the pix.
