Host in DMZ cannot access to outside

wongkingmun
Level 1

Hi,

I am using a PIX 515E with outside IP x.x.x.76. I have a mail server in the DMZ; its global IP is x.x.x.75. All NAT has already been configured and it is working fine.

After a period of time (2 - 4 weeks), the mail server cannot access the Internet. The DSL line is up, since my inside hosts can go online. My inside hosts can access and ping the mail server (with its DMZ IP, not the global IP). All configuration remains unchanged. I have no idea what is happening or how to solve it.

I tried changing my outside IP to x.x.x.75 and it works; the mail server can send and receive mail as normal. Then I just switch it back to x.x.x.76. I know this is not the correct way because the problem will come back.

I just wonder what the cause is in my case. Is there any threshold or limit that causes this? Or will a long period of silence (no traffic going through the DMZ to inside or outside) affect this?

Thank you.


jackko
Level 7

You mentioned, "the mail server can't access internet". Just wondering if you are referring to ping or browsing or both.

Also, you mentioned you changed the PIX outside IP from .76 to .75 and it worked, as well as the mail server. Do you mean you were doing port forwarding?

I understand that the config has not been modified, but would you please post it? Just in case.

Thanks for the reply.

1) I mean that the mail server cannot go through the outside interface, both ping and browsing.

2) I just issue "ip address outside x.x.x.75 255.255.255.248" to change the IP and all is back to normal, where my mail server can access the outside (ping and browsing).

3) Attached is my config for your reference.

Thanks a lot!!

Do "de ic t", then kick off a ping from the mail server to the internet.

The output of "de ic t" would verify the xlate as well as the routing.

I do not have the PIX with me right now. I cannot test this.

I tried "show xlate" before, when the problem occurred; no PAT entry was found mapping the mail server's local IP to the global IP (I tried pinging my ISP's DNS server and browsing). Does this help?

No PAT entry at all for the mail server? If so, I guess you should do "de ic t" and kick off the ping from the mail server to the internet.

In case the "de ic t" doesn't yield any output related to the mail server pinging, that means the connectivity is lost. If this is the case, try pinging the PIX DMZ interface from the mail server.

Hi jackko,

The problem came back twice after my first post. I know it was a long time ago, but I hope to get your assistance.

My mail server in the DMZ cannot access the Internet again. I did the "de ic t"; I can see the PIX receive the mail server's ping request and translate the IP from 192.168.1.1 to x.x.x.75. Below is the debug result:

29: ICMP echo-request from dmz:192.168.1.1 to 202.188.0.133 ID=15120 seq=14 length=64

30: ICMP echo-request: translating dmz:192.168.1.1/15120 to outside:x.x.x.75/5

31: ICMP echo-request from dmz:192.168.1.1 to 202.188.0.133 ID=15120 seq=15 length=64

32: ICMP echo-request: translating dmz:192.168.1.1/15120 to outside:x.x.x.75/5

All the inside hosts can access the Internet (they are translated to the outside interface IP x.x.x.76 to route out).

While this happened, I tried disconnecting the PIX from the Internet and connecting my laptop directly to the modem to test x.x.x.75 and .76; both IPs are working.

To solve this, I just need to change the PIX outside interface IP to x.x.x.75 (somehow like triggering the line) and the mail server in the DMZ can ping out to the Internet. After that, I change the outside IP back to x.x.x.76.

The problem is: is this caused by the PIX failing to "global" the x.x.x.75, or by the ISP side having a problem talking with the PIX?

Please help.... Thanks a lot!!!!

Can anyone help, please? Thank you very much.
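
Added example, not part of the thread or of any participant's post: a small Python helper that reads pasted "de ic t" (`debug icmp trace`) output in the shape quoted above and reports whether the host's echo-requests reached the PIX, were translated, and were answered. The `diagnose` function, its verdict names and the constructed reply line (whose layout is an assumption, since the thread shows no reply) are illustrative.

```python
import re

# Line shapes taken from the debug output quoted in the thread.
REQ = re.compile(r"ICMP echo-request from \w+:(\S+) to \S+ ID=\d+ seq=\d+")
XLATE = re.compile(r"ICMP echo-request: translating \w+:([^/\s]+)/\d+ to \w+:([^/\s]+)/\d+")
# Assumption: reply lines start with "ICMP echo-reply"; the thread shows none.
REPLY = re.compile(r"ICMP echo-reply\b")

# Verbatim from the thread (addresses redacted by the poster).
THREAD_TRACE = """\
29: ICMP echo-request from dmz:192.168.1.1 to 202.188.0.133 ID=15120 seq=14 length=64
30: ICMP echo-request: translating dmz:192.168.1.1/15120 to outside:x.x.x.75/5
31: ICMP echo-request from dmz:192.168.1.1 to 202.188.0.133 ID=15120 seq=15 length=64
32: ICMP echo-request: translating dmz:192.168.1.1/15120 to outside:x.x.x.75/5
"""
# Constructed reply line for comparison; its exact layout is assumed.
CONSTRUCTED_REPLY = "33: ICMP echo-reply from outside:202.188.0.133 to x.x.x.75 ID=5 seq=15 length=64\n"


def diagnose(trace, host):
    """Classify how far pings from `host` get, based on a pasted debug trace."""
    requests = translated = replies = 0
    mapped = None  # global address the host was translated to, if any
    for line in trace.splitlines():
        if (m := REQ.search(line)) and m.group(1) == host:
            requests += 1
        elif (m := XLATE.search(line)) and m.group(1) == host:
            translated += 1
            mapped = m.group(2)
        elif REPLY.search(line) and (host in line or (mapped and mapped in line)):
            replies += 1
    if requests == 0:
        verdict = "no-request"           # nothing from the host reached the PIX
    elif translated == 0:
        verdict = "no-translation"       # request seen, but no xlate was built
    elif replies == 0:
        verdict = "translated-no-reply"  # xlate built, nothing came back
    else:
        verdict = "ok"
    return {"verdict": verdict, "requests": requests, "translated": translated,
            "replies": replies, "mapped": mapped}


if __name__ == "__main__":
    print(diagnose(THREAD_TRACE, "192.168.1.1"))
    print(diagnose(THREAD_TRACE + CONSTRUCTED_REPLY, "192.168.1.1"))
```

On the trace posted in the thread the verdict is `translated-no-reply`: the requests arrive on the DMZ interface and are translated to x.x.x.75, and no reply is logged.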
