Cisco Support Community

Connectivity through an internal PIX

Hi,

When I try to ping a database server from a web server through an internal PIX 506E I get: `Deny icmp src outside:WebtoPixDMZ dest inside:Database by access group "acl_sql"`.

The web server is connected to the outside interface of the PIX, while the database server is connected to the inside interface of the PIX.

I can ping from the database to the web server.

Here is the PIX config:

    hostname xxxx
    names
    name 192.168.7.1 WebtoPixDMZ
    name 192.168.7.2 PixDMZtoWeb
    name 192.168.8.1 PixDMZtoSrvrp
    name 192.168.8.2 Database
    access-list acl_sql permit icmp any any echo-reply
    access-list acl_sql permit icmp any any time-exceeded
    access-list acl_sql permit icmp any any unreachable
    access-list acl_sql permit tcp any any eq 1433
    icmp permit any outside
    icmp permit any inside
    nat (inside) 0 0.0.0.0 0.0.0.0 0 0
    access-group acl_sql in interface outside
    route outside 0.0.0.0 0.0.0.0 PixDMZtoWeb
    route outside 192.168.6.0 255.255.255.0 192.168.7.1 1

And the output of `sh route`:

    outside 0.0.0.0 0.0.0.0 PixDMZtoweb 1 OTHER static
    outside 192.168.6.0 255.255.255.0 192.168.7.1 1 OTHER static
    outside 192.168.7.0 255.255.255.0 PixDMZtoweb 1 CONNECT static
    inside 192.168.8.0 255.255.255.0 PixDMZtoSrvrp 1 CONNECT static

Any ideas where I am going wrong?

Thanks

2 REPLIES

Re: Connectivity through an internal PIX

The static command is missing:

static (inside,outside) netmask 255.255.255.255

clear xlate

Then, for the web server accessing/pinging the database server, you just need to point to the private IP.

nat 0 may not work with inbound traffic, as the PIX treats it more like a one-way translation, whereas static is a two-way thing.

In case you don't want to NAT at all, then instead of the static above, you can:

static (inside,outside) netmask
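As an added illustration (not part of this thread and not PIX software), a small first-match evaluator over the four `acl_sql` entries posted in the question, run against constructed packets that use the addresses from the posted `name` lines (WebtoPixDMZ 192.168.7.1, Database 192.168.8.2). Separately from the translation point raised in the reply, it shows that an ICMP echo request arriving on the outside interface matches none of the four entries and falls to the implicit deny, while the echo-reply for a ping started from the database side is permitted, which is why that direction works.

```python
from dataclasses import dataclass
from typing import Optional

# The four acl_sql entries exactly as posted in the question.
ACL_SQL = [
    "access-list acl_sql permit icmp any any echo-reply",
    "access-list acl_sql permit icmp any any time-exceeded",
    "access-list acl_sql permit icmp any any unreachable",
    "access-list acl_sql permit tcp any any eq 1433",
]

@dataclass
class Packet:
    proto: str                        # "icmp" or "tcp"
    src: str
    dst: str
    icmp_type: Optional[str] = None   # e.g. "echo", "echo-reply"
    dport: Optional[int] = None       # TCP destination port

def parse_entry(line: str) -> dict:
    """Split 'access-list NAME action proto src dst [eq PORT | icmp-type]'."""
    f = line.split()
    e = {"action": f[2], "proto": f[3], "src": f[4], "dst": f[5]}
    if f[6:7] == ["eq"]:
        e["dport"] = int(f[7])
    elif f[6:]:
        e["icmp_type"] = f[6]
    return e

def evaluate(acl: list, pkt: Packet) -> str:
    """First-match evaluation; no match means the PIX's implicit deny."""
    for line in acl:
        e = parse_entry(line)
        if e["proto"] != pkt.proto:
            continue
        if e["src"] not in ("any", pkt.src) or e["dst"] not in ("any", pkt.dst):
            continue
        if "dport" in e and e["dport"] != pkt.dport:
            continue
        if "icmp_type" in e and e["icmp_type"] != pkt.icmp_type:
            continue
        return f"{e['action']}: {line}"
    return "deny: implicit deny at end of acl_sql"

# Constructed packets, all arriving inbound on the outside interface.
ECHO_REQUEST = Packet("icmp", "192.168.7.1", "192.168.8.2", icmp_type="echo")
ECHO_REPLY = Packet("icmp", "192.168.7.1", "192.168.8.2", icmp_type="echo-reply")
SQL_CONNECT = Packet("tcp", "192.168.7.1", "192.168.8.2", dport=1433)
```

Calling `evaluate(ACL_SQL, ECHO_REQUEST)` returns the implicit deny, while the echo-reply and the TCP 1433 packets return the permit line that matched them.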


Re: Connectivity through an internal PIX

Thanks Jacko, once again.
