05-14-2008 10:23 AM - edited 03-09-2019 08:42 PM
Hi all, I cannot ping a server that has ip 62.15.25.25 from a server that exists on an Inside interface with the ip of 172.17.2.50.
In our PIX 515, I have the following references to either server.
nat (inside) 2 172.17.2.50 255.255.255.255 0 0
static (inside,outside) tcp 62.15.25.26 smtp 172.17.2.50 smtp netmask 255.255.255.255 0 0
aaa-server authinbound (inside) host 172.17.2.50 testkey timeout 10
access-list 101 permit tcp host 62.15.25.25 any eq smtp
access-list 101 permit ip host 62.15.25.25 host 172.16.2.1
access-list 101 permit ip host 62.15.25.25 host 172.17.1.32
access-list 30 permit tcp any host 62.15.25.25 eq domain
access-list 30 permit udp any host 62.15.25.25 eq domain
static (dmz1,outside) 62.15.25.25 62.15.25.25 netmask 255.255.255.255 0 0
static (inside,dmz1) 62.15.25.25 172.17.2.120 netmask 255.255.255.255 0 0
Any ideas?
05-14-2008 11:20 AM
You've only posted bits of the config... which are useless without other parts.
Whatever ACL is applied to your dmz interface, add something like:
access-list acl_name permit icmp any any echo-reply
or turn on icmp inspection if running 7.x or later.
05-14-2008 11:26 AM
I tried the echo-reply and it didn't work.
05-14-2008 11:51 AM
What is this static supposed to do?
static (inside,dmz1) 62.15.25.25 172.17.2.120 netmask 255.255.255.255 0 0
All you should need is...
static (inside,dmz1) 172.17.2.0 172.17.2.0 netmask 255.255.255.0
Then ping 62.15.25.25
05-14-2008 11:52 AM
I'm not sure what that static does, I am new to PIX.
05-14-2008 11:53 AM
The interesting thing is that all other servers on the 172.17.2.0 subnet can ping the 62.15.25.25 address... Just 172.17.2.50 cannot ping it.
05-15-2008 05:10 AM
I found this statement in the PIX and I don't know what it does. Can someone explain what it does for me?
nat (inside) 2 172.17.2.50 255.255.255.255 0 0
I removed it from the PIX and my 172.17.2.50 server was then able to ping the 62.15.25.25 address.
Any ideas?
05-15-2008 05:47 AM
There should also be a corresponding global statement with the number 2.
global (xxxxx) 2 ....
05-15-2008 06:27 AM
I do have global statements that look like this, but they don't reference the ip address of 172.17.2.50.
global (outside) 2 xxx.xxx.xxx.xxx
global (outside) 2 xxx.xxx.xxx.xxx
global (outside) 2 xxx.xxx.xxx.xxx
These global statements only reference external IP addresses, but not the DMZ.
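The nat/global pairing raised in the replies can be checked mechanically. This is an added example, not part of the thread or of any Cisco tooling: it lists every nat ID that has no global with the same ID on a given interface. The interface list and the function names are assumptions, and it relies on PIX behaviour where a nat rule is only translated toward interfaces that have a global with the matching ID.

```python
import re
from collections import defaultdict

# Lines taken from the thread; the addresses on the global lines are masked
# there and stay masked here. Interface names are those used in the thread.
SAMPLE_CONFIG = """\
nat (inside) 2 172.17.2.50 255.255.255.255 0 0
global (outside) 2 xxx.xxx.xxx.xxx
global (outside) 2 xxx.xxx.xxx.xxx
static (inside,dmz1) 62.15.25.25 172.17.2.120 netmask 255.255.255.255 0 0
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")


def parse(config):
    """Return (nat_rules, globals_by_id) from PIX nat/global lines."""
    nat_rules = []                      # (source_if, nat_id, network, mask)
    globals_by_id = defaultdict(set)    # nat_id -> interfaces with a pool
    for line in config.splitlines():
        line = line.strip()
        m = NAT_RE.match(line)
        if m:
            nat_rules.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            globals_by_id[int(m.group(2))].add(m.group(1))
    return nat_rules, globals_by_id


def missing_globals(config, interfaces):
    """List (nat rule, interface) pairs that have no global with the same ID."""
    nat_rules, globals_by_id = parse(config)
    findings = []
    for src_if, nat_id, net, mask in nat_rules:
        if nat_id == 0:                 # nat 0 is identity NAT, no global needed
            continue
        for dst_if in interfaces:
            if dst_if != src_if and dst_if not in globals_by_id[nat_id]:
                findings.append((src_if, nat_id, net, mask, dst_if))
    return findings


if __name__ == "__main__":
    for src_if, nat_id, net, mask, dst_if in missing_globals(
            SAMPLE_CONFIG, ["inside", "outside", "dmz1"]):
        print(f"nat ({src_if}) {nat_id} {net} {mask}: no global ({dst_if}) {nat_id}")
```

The check ignores static entries and interface security levels, so a finding is a place to look, not proof that traffic is dropped.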