Cisco Support Community
New Member

Can't ping server in DMZ1 from Inside interface

Hi all, I cannot ping a server that has IP 62.15.25.25 from a server that exists on an Inside interface with the IP of 172.17.2.50.

In our PIX 515, I have the following references to either server.

nat (inside) 2 172.17.2.50 255.255.255.255 0 0

static (inside,outside) tcp 62.15.25.26 smtp 172.17.2.50 smtp netmask 255.255.255.255 0 0

aaa-server authinbound (inside) host 172.17.2.50 testkey timeout 10

access-list 101 permit tcp host 62.15.25.25 any eq smtp

access-list 101 permit ip host 62.15.25.25 host 172.16.2.1

access-list 101 permit ip host 62.15.25.25 host 172.17.1.32

access-list 30 permit tcp any host 62.15.25.25 eq domain

access-list 30 permit udp any host 62.15.25.25 eq domain

static (dmz1,outside) 62.15.25.25 62.15.25.25 netmask 255.255.255.255 0 0

static (inside,dmz1) 62.15.25.25 172.17.2.120 netmask 255.255.255.255 0 0

Any ideas?

8 REPLIES
Gold

Re: Can't ping server in DMZ1 from Inside interface

You've only posted bits of the config, which are useless without other parts.

Whatever ACL is applied to your DMZ interface, add something like:

access-list acl_name permit icmp any any echo-reply

Or turn on ICMP inspection if running 7.x or later.

New Member

Re: Can't ping server in DMZ1 from Inside interface

I tried the echo-reply and it didn't work.

Green

Re: Can't ping server in DMZ1 from Inside interface

What is this static supposed to do?

static (inside,dmz1) 62.15.25.25 172.17.2.120 netmask 255.255.255.255 0 0

All you should need is...

static (inside,dmz1) 172.17.2.0 172.17.2.0 netmask 255.255.255.0

Then ping 62.15.25.25

New Member

Re: Can't ping server in DMZ1 from Inside interface

I'm not sure what that static does, I am new to PIX.

New Member

Re: Can't ping server in DMZ1 from Inside interface

The interesting thing is that all other servers on the 172.17.2.0 subnet can ping the 62.15.25.25 address. Just 172.17.2.50 cannot ping it.

New Member

Re: Can't ping server in DMZ1 from Inside interface

I found this statement in the PIX and I don't know what it does. Can someone explain what it does for me?

nat (inside) 2 172.17.2.50 255.255.255.255 0 0

I removed it from the PIX and my 172.17.2.50 server was then able to ping the 62.15.25.25 address.

Any ideas?

Green

Re: Can't ping server in DMZ1 from Inside interface

There should also be a corresponding global statement with the number 2.

global (xxxxx) 2 ....

New Member

Re: Can't ping server in DMZ1 from Inside interface

I do have global statements that look like this, but they don't reference the IP address of 172.17.2.50.

global (outside) 2 xxx.xxx.xxx.xxx

global (outside) 2 xxx.xxx.xxx.xxx

global (outside) 2 xxx.xxx.xxx.xxx

These global statements only reference external IP addresses, but not the DMZ.
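
An added example, not written by any poster in this thread: a small Python check that models the nat/global pairing discussed above, where a host matched by a `nat` id is only translated toward interfaces that carry a `global` with the same id. The `nat (inside) 1` and `global ... 1` lines and the 192.0.2.10 address are constructed assumptions (the thread masks the real globals), and statics and `nat 0` exemptions are not modelled.

```python
import ipaddress
import re

# Constructed sample. Only the "nat (inside) 2" line is from the thread; the
# id 1 pair is an assumed default rule and 192.0.2.10 is a documentation
# address standing in for the masked global entries.
SAMPLE_CONFIG = """\
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 2 172.17.2.50 255.255.255.255 0 0
global (outside) 1 interface
global (dmz1) 1 interface
global (outside) 2 192.0.2.10
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")


def parse(config):
    """Return (nat rules, {nat id: interfaces that have a global for it})."""
    nats, globals_by_id = [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            iface, nat_id, addr, mask = m.groups()
            try:
                net = ipaddress.ip_network(f"{addr}/{mask}")
            except ValueError:  # e.g. "nat (inside) 0 access-list ..."
                continue
            nats.append((iface, int(nat_id), net))
        elif m := GLOBAL_RE.match(line):
            globals_by_id.setdefault(int(m.group(2)), set()).add(m.group(1))
    return nats, globals_by_id


def selected_nat_id(host, src_iface, nats):
    """Id of the most specific nat rule on src_iface covering host, or None."""
    ip = ipaddress.ip_address(host)
    hits = [(net.prefixlen, nat_id) for iface, nat_id, net in nats
            if iface == src_iface and ip in net]
    return max(hits)[1] if hits else None


def can_translate(host, src_iface, dst_iface, config):
    """True if the host's nat id has a global on the destination interface."""
    nats, globals_by_id = parse(config)
    nat_id = selected_nat_id(host, src_iface, nats)
    return nat_id is not None and dst_iface in globals_by_id.get(nat_id, set())
```

With the sample above, 172.17.2.50 has a translation toward `outside` but none toward `dmz1`, while a neighbouring host that falls under the assumed id 1 rule has both.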
