
New Member

dmz to inside

hi:

I posted a previous config about the following below. However, I seem to be doing something wrong.

I am trying to let telnet traffic from the dmz to the inside network from a particular machine; the config below is only a test for now, so I allowed all tcp traffic.

Anyway, ping works from the dmz to inside but telnet doesn't work.

Anyone have any ideas? Thanks again.

access-list from-dmz-in permit tcp 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0 eq telnet

access-list from-dmz-in permit icmp any any

static (inside,dmz) 192.168.100.50 192.168.100.50 netmask 255.255.255.255 0 0

access-group from-dmz-in in interface dmz

192.168.100.50 -----> this is the internal dns

4 REPLIES
Cisco Employee

Re: dmz to inside

Config looks OK, and routing seems OK if you can ping to it from the DMZ. Are you sure you can telnet to this server from a box on the inside segment even?

If telnet works from the inside but not from the DMZ, then enable logging on the PIX and send us the output when you try and telnet, it'll show us what's going on.

Do the following:

> conf t

> logging on

> logging buffered debug

telnet to inside server from DMZ host.

> sho logging

New Member

Re: dmz to inside

hi:

here is the message that I got from the inside when I tried to ping the host on the dmz.

nb. I have a nat (dmz) 1 192.168.200.x 192.x.x.x.x -> hence this should by default allow higher security to access the lower security interface. I guess there is something I'm not seeing.

302013: Built outbound TCP connection 1063235 for dmz:192.168.200.6/23 (192.168.200.6/23) to inside:192.168.100.129/3910 (192.168.200.43/3910)

302014: Teardown TCP connection 1063235 for dmz:192.168.200.6/23 to inside:192.168.100.129/3910 duration 0:00:00 bytes 0 TCP Reset-O

Cisco Employee

Re: dmz to inside

This message is NOT what you got when you tried to ping, this message is detailing a TCP Telnet connection, this is I presume when you tried to Telnet?

Anyway, it shows the PIX opening up a connection, but then tearing it down straight away because it received a TCP RST packet from the host on the DMZ interface (Reset-O). Looks like the PIX is doing the right thing, and the host you're trying to telnet to either doesn't allow Telnet at all, or doesn't allow telnet from certain subnets. Does it have something like TCP Wrappers installed on it?

You also didn't answer my previous question, can you telnet directly to this host from a host on the DMZ subnet, taking the PIX out of the equation?
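The diagnosis above (connection built, then torn down with zero bytes and a TCP reset from the peer) is easy to pull out of a PIX logging buffer automatically. The following is an added example, not from the thread or from Cisco: it pairs 302013/302014 messages by connection id and reports the ones the far host refused. The sample buffer reuses the two lines quoted in the thread and adds a constructed normal session for contrast.

```python
import re

# Patterns for the two PIX messages quoted in the thread:
# 302013 = TCP connection built, 302014 = TCP connection torn down.
# The PIX lists the lower-security side first ("for ...") and the
# higher-security side second ("to ..."), regardless of direction.
BUILT_RE = re.compile(
    r"302013: Built (?:inbound|outbound) TCP connection (?P<cid>\d+) "
    r"for (?P<lo_if>\w+):(?P<lo_ip>[\d.]+)/(?P<lo_port>\d+) \([^)]*\) "
    r"to (?P<hi_if>\w+):(?P<hi_ip>[\d.]+)/(?P<hi_port>\d+) \([^)]*\)"
)
TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (?P<cid>\d+) "
    r"for (?P<lo_if>\w+):(?P<lo_ip>[\d.]+)/(?P<lo_port>\d+) "
    r"to (?P<hi_if>\w+):(?P<hi_ip>[\d.]+)/(?P<hi_port>\d+) "
    r"duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<nbytes>\d+)(?: (?P<reason>\S.*))?$"
)

def find_refused(lines):
    """Return connections the PIX built and then tore down immediately with
    zero bytes and a TCP reset: the ACL let the traffic through, but the peer
    itself refused it (the thread's TCP Wrappers case). Reset-O means the reset
    came from the lower-security ("for") host, Reset-I from the "to" host."""
    built, refused = {}, []
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            built[m["cid"]] = m.groupdict()
            continue
        m = TEARDOWN_RE.search(line)
        if not m or m["cid"] not in built:
            continue  # not a teardown, or no matching build in this buffer
        reason = m["reason"] or ""
        if int(m["nbytes"]) > 0 or not reason.startswith("TCP Reset"):
            continue  # normal close, timeout, or data was actually exchanged
        side = "lo" if reason.endswith("-O") else "hi"
        refused.append({
            "conn_id": m["cid"],
            "lower": f'{m["lo_if"]}:{m["lo_ip"]}/{m["lo_port"]}',
            "higher": f'{m["hi_if"]}:{m["hi_ip"]}/{m["hi_port"]}',
            "reset_from": m[f"{side}_ip"],
            "reason": reason,
        })
    return refused

# Sample buffer: the thread's two lines, plus a constructed healthy session.
SAMPLE_LOG = [
    "302013: Built outbound TCP connection 1063235 for dmz:192.168.200.6/23 (192.168.200.6/23) to inside:192.168.100.129/3910 (192.168.200.43/3910)",
    "302014: Teardown TCP connection 1063235 for dmz:192.168.200.6/23 to inside:192.168.100.129/3910 duration 0:00:00 bytes 0 TCP Reset-O",
    "302013: Built outbound TCP connection 1063236 for dmz:192.168.200.6/22 (192.168.200.6/22) to inside:192.168.100.129/3911 (192.168.200.43/3911)",
    "302014: Teardown TCP connection 1063236 for dmz:192.168.200.6/22 to inside:192.168.100.129/3911 duration 0:02:10 bytes 4821 TCP FINs",
]

if __name__ == "__main__":
    for hit in find_refused(SAMPLE_LOG):
        print(f'{hit["conn_id"]}: {hit["higher"]} -> {hit["lower"]} refused by {hit["reset_from"]} ({hit["reason"]})')
```

A hit here tells you to look at the destination host (wrappers, host firewall, service not listening on that interface) rather than at the PIX ACL, which is exactly the conclusion the thread reached.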

New Member

Re: dmz to inside

TCP Wrappers was the problem. Thanks guys for your help.

Cheers
