Connectivity through an internal PIX

brianmcatamney
Level 1

Hi,

When I try to ping a database server from a web server through an internal PIX 506E I get "Deny icmp src outside:WebtoPixDMZ dest inside:Database by access group "acl_sql"".

The web server is connected to the outside interface of the PIX, while the database server is connected to the inside interface of the PIX.

I can ping from the database to the Web server.

Here is the PIX config:

hostname xxxx
names
name 192.168.7.1 WebtoPixDMZ
name 192.168.7.2 PixDMZtoWeb
name 192.168.8.1 PixDMZtoSrvrp
name 192.168.8.2 Database
access-list acl_sql permit icmp any any echo-reply
access-list acl_sql permit icmp any any time-exceeded
access-list acl_sql permit icmp any any unreachable
access-list acl_sql permit tcp any any eq 1433
icmp permit any outside
icmp permit any inside
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group acl_sql in interface outside
route outside 0.0.0.0 0.0.0.0 PixDMZtoWeb
route outside 192.168.6.0 255.255.255.0 192.168.7.1 1

sh route

outside 0.0.0.0 0.0.0.0 PixDMZtoweb 1 OTHER static
outside 192.168.6.0 255.255.255.0 192.168.7.1 1 OTHER static
outside 192.168.7.0 255.255.255.0 PixDMZtoweb 1 CONNECT static
inside 192.168.8.0 255.255.255.0 PixDMZtoSrvrp 1 CONNECT static

Any ideas where I am going wrong?

Thanks

2 Replies

jackko
Level 7

The static command is missing.

static (inside,outside) netmask 255.255.255.255

clear xlate

Then, for the web server accessing/pinging the database server, you just need to point to the private IP.

nat 0 may not work with inbound traffic, as the PIX treats it more like a one-way translation, whereas static is a two-way thing.

In case you don't want to NAT at all, then instead of the static above, you can:

static (inside,outside) netmask
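Jackko's reply addresses the translation side. A separate thing worth checking against the posted config is the access-list itself: the log line in the question says the packet was denied by access-group acl_sql, and the four ACEs in acl_sql permit only ICMP echo-reply, time-exceeded, unreachable and TCP 1433, with no entry for ICMP echo (type 8). The following is an added Python model of how a first-match access-list with an implicit deny evaluates those packets; it is illustrative code written for this page, not Cisco's implementation and not code from the thread. It assumes standard ICMP type numbers, and the extra "permit icmp host WebtoPixDMZ host Database echo" line is a hypothetical, narrowly scoped ACE added for the demonstration, not something the thread recommends.

```python
"""Added example: toy model of inbound access-list evaluation on a PIX.

Illustrative code, not Cisco's implementation. Assumes a first-match
access-list with an implicit deny at the end, and standard ICMP type numbers.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Name table copied from the posted config.
NAMES = {
    "WebtoPixDMZ": "192.168.7.1",
    "PixDMZtoWeb": "192.168.7.2",
    "PixDMZtoSrvrp": "192.168.8.1",
    "Database": "192.168.8.2",
}

# Keyword -> ICMP type number as used in PIX access-list syntax.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}

# The four ACEs exactly as posted in the question.
ACL_POSTED = [
    "access-list acl_sql permit icmp any any echo-reply",
    "access-list acl_sql permit icmp any any time-exceeded",
    "access-list acl_sql permit icmp any any unreachable",
    "access-list acl_sql permit tcp any any eq 1433",
]

# Hypothetical extra ACE (not from the thread): permit echo-requests only
# from the web server to the database server, not "icmp any any".
ACL_WITH_ECHO = ACL_POSTED + [
    "access-list acl_sql permit icmp host WebtoPixDMZ host Database echo",
]


@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp" or "tcp"
    src: str
    dst: str
    icmp_type: Optional[int] = None  # set for icmp packets
    dport: Optional[int] = None      # set for tcp packets


def _parse_addr(parts, i):
    """Parse 'any', 'host X', or 'ADDR MASK' starting at parts[i]; names resolve."""
    tok = parts[i]
    if tok == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ip_network(NAMES.get(parts[i + 1], parts[i + 1]) + "/32"), i + 2
    addr = NAMES.get(tok, tok)
    return ip_network(f"{addr}/{parts[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """access-list NAME permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]"""
    parts = line.split()
    action, proto = parts[2], parts[3]
    src, i = _parse_addr(parts, 4)
    dst, i = _parse_addr(parts, i)
    qual = None
    if i < len(parts):
        qual = int(parts[i + 1]) if parts[i] == "eq" else ICMP_TYPES[parts[i]]
    return action, proto, src, dst, qual


def evaluate(acl_lines, pkt):
    """First matching ACE wins; no match is the implicit deny (returns None as the ACE)."""
    for line in acl_lines:
        action, proto, src, dst, qual = parse_ace(line)
        if proto != pkt.proto:
            continue
        if ip_address(pkt.src) not in src or ip_address(pkt.dst) not in dst:
            continue
        if qual is not None:
            field = pkt.icmp_type if proto == "icmp" else pkt.dport
            if field != qual:
                continue
        return action, line
    return "deny", None


def deny_log(pkt, acl_name="acl_sql"):
    """Approximate shape of the deny message quoted in the question (constructed)."""
    rev = {v: k for k, v in NAMES.items()}
    return (f"Deny {pkt.proto} src outside:{rev.get(pkt.src, pkt.src)} "
            f"dest inside:{rev.get(pkt.dst, pkt.dst)} by access group \"{acl_name}\"")


if __name__ == "__main__":
    echo_req = Packet("icmp", NAMES["WebtoPixDMZ"], NAMES["Database"], icmp_type=ICMP_TYPES["echo"])
    echo_rep = Packet("icmp", NAMES["WebtoPixDMZ"], NAMES["Database"], icmp_type=ICMP_TYPES["echo-reply"])
    for label, acl in (("posted", ACL_POSTED), ("with echo ACE", ACL_WITH_ECHO)):
        print(label, "echo-request:", evaluate(acl, echo_req))
        print(label, "echo-reply:  ", evaluate(acl, echo_rep))
    print(deny_log(echo_req))
```

With the posted ACL the web server's echo-request (type 8) hits the implicit deny, which is the message the question quotes, while the echo-reply for a ping started from the database side matches the first ACE, which is why pinging in the other direction works at the ACL level. The narrower host-to-host "echo" entry permits just that one pair and still drops echo-requests from other outside sources such as 192.168.6.0/24.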

Thanks Jacko, once again.
