Cisco Support Community

New Member

dmz to inside


I posted a previous config about the following below. However, I seem to be doing something wrong.

I am trying to let telnet traffic from the dmz to the inside network from a particular machine. The config below is only a test for now, so I allowed all tcp traffic.

Anyway, ping works from the dmz to inside but telnet doesn't work.

Anyone have any ideas? Thanks again.

access-list from-dmz-in permit tcp eq telnet

access-list from-dmz-in permit icmp any any

static (inside,dmz) netmask 0 0

access-group from-dmz-in in interface dmz -----> this is the internal dns

Cisco Employee

Re: dmz to inside

Config looks OK, and routing seems OK if you can ping to it from the DMZ. Are you sure you can telnet to this server from a box on the inside segment even?

If telnet works from the inside but not from the DMZ, then enable logging on the PIX and send us the output when you try and telnet, it'll show us what's going on.

Do the following:

> conf t

> logging on

> logging buffered debug

telnet to inside server from DMZ host.

> sho logging

New Member

Re: dmz to inside


Here is the message that I got from the inside when I tried to ping the host on the dmz.

NB. I have a nat (dmz) 1 192.168.200.x 192.x.x.x.x -> Hence this should by default allow higher security to access the lower security interface. I guess there is something I'm not seeing.

302013: Built outbound TCP connection 1063235 for dmz: ( to inside: (

302014: Teardown TCP connection 1063235 for dmz: to inside: duration 0:00:00 bytes 0 TCP Reset-O

Cisco Employee

Re: dmz to inside

This message is NOT what you got when you tried to ping; this message is detailing a TCP Telnet connection, which is, I presume, when you tried to Telnet?

Anyway, it shows the PIX opening up a connection, but then tearing it down straight away because it received a TCP RST packet from the host on the DMZ interface (Reset-O). Looks like the PIX is doing the right thing, and the host you're trying to telnet to either doesn't allow Telnet at all, or doesn't allow Telnet from certain subnets. Does it have something like TCP Wrappers installed on it?

You also didn't answer my previous question, can you telnet directly to this host from a host on the DMZ subnet, taking the PIX out of the equation?
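The diagnosis above comes straight from reading the `sho logging` output: a 302013 "Built" message paired with a 302014 "Teardown" message for the same connection id, zero bytes transferred, and a `TCP Reset-O`/`TCP Reset-I` reason means the firewall passed the packet and the end host refused it. The following Python script is an added example, not part of this thread or of any Cisco tool, that automates that pairing over the PIX 302013/302014 message formats. The log lines, interface names and addresses it contains are constructed sample data, not the poster's real output.

```python
"""Pair PIX 302013 (Built) and 302014 (Teardown) TCP connection messages and
flag connections that were torn down by a TCP reset before any data flowed.

Such a pair means the PIX permitted the connection and the end host (or a
host-based filter on it, e.g. TCP Wrappers) refused it: the access-list is
not the problem.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample output in the style of `show logging` on a PIX.  The
# interfaces and addresses are made up for this example.
SAMPLE_LOG = """\
302013: Built outbound TCP connection 1063235 for dmz:192.168.200.10/1034 (192.168.200.10/1034) to inside:10.1.1.5/23 (10.1.1.5/23)
302014: Teardown TCP connection 1063235 for dmz:192.168.200.10/1034 to inside:10.1.1.5/23 duration 0:00:00 bytes 0 TCP Reset-O
302013: Built outbound TCP connection 1063236 for dmz:192.168.200.10/1035 (192.168.200.10/1035) to inside:10.1.1.6/23 (10.1.1.6/23)
302014: Teardown TCP connection 1063236 for dmz:192.168.200.10/1035 to inside:10.1.1.6/23 duration 0:02:17 bytes 4096 TCP FINs
"""

BUILT_RE = re.compile(
    r"302013: Built (?P<direction>inbound|outbound) TCP connection (?P<cid>\d+) "
    r"for (?P<src_if>\w+):(?P<src>\S+) \(\S+\) to (?P<dst_if>\w+):(?P<dst>\S+) \(\S+\)"
)
TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (?P<cid>\d+) "
    r"for (?P<src_if>\w+):(?P<src>\S+) to (?P<dst_if>\w+):(?P<dst>\S+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)


@dataclass
class Connection:
    conn_id: int
    direction: str
    src_if: str
    src: str          # host/port as printed by the PIX
    dst_if: str
    dst: str
    duration: Optional[str] = None
    bytes: Optional[int] = None
    reason: Optional[str] = None   # e.g. "TCP Reset-O", "TCP FINs"

    def torn_down_by_reset_without_data(self) -> bool:
        """True when the PIX built the connection but a reset closed it
        before a single byte was carried: the end host refused it."""
        return (
            self.reason is not None
            and "Reset" in self.reason
            and self.bytes == 0
        )


def parse_connections(log_text: str) -> Dict[int, Connection]:
    """Build a table of connections keyed by the PIX connection id, merging
    each Teardown message into the Built record it belongs to."""
    conns: Dict[int, Connection] = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = BUILT_RE.search(line)
        if m:
            cid = int(m.group("cid"))
            conns[cid] = Connection(
                conn_id=cid,
                direction=m.group("direction"),
                src_if=m.group("src_if"), src=m.group("src"),
                dst_if=m.group("dst_if"), dst=m.group("dst"),
            )
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            cid = int(m.group("cid"))
            # A teardown with no matching build (log buffer wrapped) still
            # gets a record so the reason is not lost.
            conn = conns.setdefault(cid, Connection(
                conn_id=cid, direction="unknown",
                src_if=m.group("src_if"), src=m.group("src"),
                dst_if=m.group("dst_if"), dst=m.group("dst"),
            ))
            conn.duration = m.group("duration")
            conn.bytes = int(m.group("bytes"))
            conn.reason = m.group("reason")
    return conns


def flag_reset_closures(conns: Dict[int, Connection]) -> List[Connection]:
    """Return the connections the firewall allowed but the host refused."""
    return [c for c in conns.values() if c.torn_down_by_reset_without_data()]


def describe(conn: Connection) -> str:
    return (f"conn {conn.conn_id}: {conn.src_if}:{conn.src} -> {conn.dst_if}:{conn.dst} "
            f"closed by '{conn.reason}' after {conn.bytes} bytes; "
            f"the PIX permitted it, check the destination host (TCP Wrappers, "
            f"service not listening, host firewall)")


if __name__ == "__main__":
    for c in flag_reset_closures(parse_connections(SAMPLE_LOG)):
        print(describe(c))
```

Connection 1063235 in the sample is flagged (zero bytes, `TCP Reset-O`), while 1063236 closed normally with `TCP FINs` after carrying data and is left alone. Run against a real `show logging` buffer, the flagged lines point the investigation at the telnet server rather than the access-list, which is exactly what the thread concluded.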

New Member

Re: dmz to inside

TCP Wrappers was the problem. Thanks guys for your help.