We have a Cisco PIX 515 and we are deploying a mail server on its DMZ. Our inside users can access the internet freely from the inside; they can also access and ping the server in the DMZ. Outside users can access the server on the DMZ. The problem is that we cannot ping the outside or access the internet from the DMZ (we can ping inside users from the DMZ). Below is the configuration:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside A.B.C.66 255.255.255.248
ip address inside 220.127.116.11 255.255.0.0
ip address dmz 192.168.0.1 255.255.255.0
global (outside) 1 A.B.C.67 netmask 255.255.255.248
"I also tried to NAT the server on the DMZ with a separate global like this:
global (outside) 2 A.B.C.69 netmask 255.255.255.248
nat (DMZ) 1 192.168.0.2 255.255.255.255 0 0
but I still couldn't ping the outside."
- If you use nat (DMZ) 1, you should use global (outside) 1, not 2. Otherwise, you can use nat (DMZ) 2 and global (outside) 2. Make sure it doesn't overlap with nat (inside) 1.
- You can use the command "show xlate" to see whether the translation is correct or not.
- Whenever changes are made to the translation table, you should also clear the translation to reset the table. Command: clear xlate.
- If your static translation is already correct, check your inbound and outbound access-lists. Make sure you allow ICMP both from the DMZ server and to the DMZ server.
If you want to troubleshoot address translation only, you can also disable the access-list and use the conduit command instead. Remember that an access-list has higher precedence than a conduit, so you must make sure the access-list is disabled first before using the conduit (you can remove the access-group temporarily).
If your ping works successfully, that means your translation is already correct and you can proceed to look at the access-list.
I am very grateful for all your help. The problem was solved by adding an access-list on the outside interface that permits all ICMP traffic back in to the DMZ. I forgot that. For the ping to work you have to open all of these:
access-list FromOut permit icmp any host A.B.C.68 echo-reply
access-list FromOut permit icmp any host A.B.C.68 source-quench
access-list FromOut permit icmp any host A.B.C.68 unreachable
access-list FromOut permit icmp any host A.B.C.68 time-exceeded
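Added example, not from this thread: a small Python checker for the two things the answer above asks you to verify by hand on a PIX 6.x-style config, namely that every nat id has a global (outside) with the same id, and that the outside access-list lets the four ICMP reply types a ping needs back in to the translated DMZ address. The config fragment, the ACL name FromOut and the address A.B.C.68 are constructed sample values.

```python
import re

# Constructed PIX 6.x-style fragment (not the thread's config): nat id 2 on the dmz
# has no matching global (outside) 2, and FromOut only lets echo-reply back in.
SAMPLE_CONFIG = """
global (outside) 1 A.B.C.67 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 2 192.168.0.2 255.255.255.255 0 0
access-list FromOut permit icmp any host A.B.C.68 echo-reply
access-group FromOut in interface outside
"""

# ICMP types a ping from the DMZ needs permitted back in, as in the working ACL above.
PING_RETURN_TYPES = {"echo-reply", "source-quench", "unreachable", "time-exceeded"}

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)\b")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)\b")
ACL_RE = re.compile(r"^access-list (\S+) permit icmp any (any|host \S+)(?: (\S+))?$")

def unmatched_nat_ids(config):
    """Return (interface, id) for each nat id with no global (outside) of the same id.
    nat id 0 is identity NAT on the PIX and needs no global, so it is skipped."""
    global_ids = set()
    for line in config.splitlines():
        m = GLOBAL_RE.match(line.strip())
        if m and m.group(1).lower() == "outside":
            global_ids.add(int(m.group(2)))
    unmatched = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m and int(m.group(2)) != 0 and int(m.group(2)) not in global_ids:
            unmatched.append((m.group(1).lower(), int(m.group(2))))
    return unmatched

def missing_ping_returns(config, acl_name, host):
    """Return the ping-reply ICMP types that acl_name does not permit to host."""
    permitted = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue
        dest, icmp_type = m.group(2), m.group(3)
        if dest not in ("any", f"host {host}"):
            continue
        if icmp_type is None:  # no type given: the entry permits every ICMP type
            return set()
        permitted.add(icmp_type)
    return PING_RETURN_TYPES - permitted
```

Run the two functions over your own "show run" output after a "clear xlate" to see which id mismatch or missing ICMP type is still blocking the reply path.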