I have a PIX 525 configured with 3 interfaces (inside, outside, DMZ). This PIX is connected to a Cisco core 4100R switch. I want to allow a specific VLAN with subnet 10.2.0.0 to remote desktop and ping the DMZ web and mail servers. However, after I created a dynamic NAT and access-list, users in this VLAN still cannot ping or RDP to the servers. Please check the following config:
global (outside) 1 192.168.1.11
global (dmz) 1 10.11.0.130-10.11.0.135 netmask 255.255.255.0
nat (inside) 1 10.2.0.0 255.255.0.0
access-list outgoing extended permit ip 10.2.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list outgoing extended permit icmp 10.2.0.0 255.255.0.0 10.11.0.0 255.255.0.0 echo
access-list outgoing extended permit icmp 10.2.0.0 255.255.0.0 10.11.0.0 255.255.0.0 echo-reply
access-group outgoing in interface inside
DMZ : 10.11.0.0/24
inside VLAN: 10.2.0.0/16
Web server: 10.11.0.13
Mail server: 10.11.0.12
Please correct me if I am wrong.
Your configuration seems OK to me...
Maybe you can:
- try the command "clear xlate", which clears the translation table on your PIX
- make sure that you can RDP and ping your servers EVEN if you are in the DMZ (try with a host in the DMZ)
- check the PIX logs and verify that no packets are dropped
- use no NAT from the inside to the DMZ:
static (inside,dmz) 10.2.0.0 10.2.0.0 netmask 255.255.0.0 0 0
and check if it works
Maybe other people will have accurate suggestions...
Thanks for giving us an update about your case.
What version of code is this PIX running? Your config looks OK with regard to traffic going from the inside to the DMZ. Depending on the version, traffic may be treated differently.
Actually, the mask in the access-list is not a real subnet mask; it is a wildcard mask used to distinguish between hosts and subnets, and that's it. In global commands, the mask is the real subnet mask.
My PIX is running OS 7.0(1) and I am really wondering why it's not working, since my config is okay. And yes, I can RDP and ping the servers from a host in the DMZ too.
Any other suggestions?!
Are there other ACL entries in your access-list that is applied to the inside interface? Assuming a security level of 100, all traffic to other interfaces should be allowed... without an ACL.
You probably don't need to NAT when going from the inside to the DMZ interface... as one other person suggested, just static NAT the 10.2.0.0 subnet to itself, or do it with a nat 0 command (which is what I use to get to my DMZ). I assume your PIX knows how to get back to the 10.2.0.0 subnet? (A ping from the PIX to a 10.2.x.x host can confirm this.)
You need to open the echo-reply path from the DMZ to the inside network:
access-list incoming extended permit icmp 10.11.0.0 255.255.0.0 10.11.0.0 255.255.0.0 echo-reply
access-group incoming in interface dmz
Check whether the routing is OK or not (route inside)...
For the remote desktop, you can also check whether the service is running on the server or not.
I hope this helps, please rate if it does.
Yes, I already opened the ICMP echo-reply path from the DMZ to the inside and nothing new.
access-list DMZ_access_in permit icmp 10.11.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-group DMZ_access_in in interface dmz
But thanks for your suggestion anyways :)
Hope more suggestions are on my way soon.
Notice the destination which I have included in my extended access-list:
access-list DMZ_access_in permit icmp 10.11.0.0 255.255.0.0 10.11.0.0 255.255.0.0 echo-reply
This is because when you access from a low security zone to a high security zone you need to access the translated IP not the actual IP.
Please include that access-list... if confused, include the following instead, just for testing:
access-list DMZ_access_in permit icmp any any echo-reply
Don't forget the access-group command...
Hello, can you do a show conn detail when you are attempting to access the Terminal Server?
Post the output please (hide real IP addresses if public).
Hi... you could try this, assuming the security level for the inside interface is higher than the security level for the DMZ.
Make sure you enable the default policy map for providing application inspection. Make sure inspect icmp is present:
inspect h323 ras
inspect icmp error
inspect h323 h225
service-policy global-policy global
access-list outgoing extended permit icmp 10.2.0.0 255.255.0.0 10.11.0.0 255.255.255.0
access-list outgoing extended permit tcp 10.2.0.0 255.255.0.0 10.11.0.0 255.255.255.0 eq 3389
access-group outgoing in interface inside
access-list Inside_Out_nonat extended permit ip 10.2.0.0 255.255.0.0 10.11.0.0 255.255.255.0
nat (inside) 0 access-list Inside_Out_nonat
I hope it helps .. please rate it if it does !!!
Please allow me to explain once again. I want to RDP and ping the DMZ servers by their same IP addresses, i.e. RDP/ping to 10.11.0.12 (mail srv) and RDP/ping to 10.11.0.13 (web srv). I used all the kinds of NAT in the world but it is still not working, sorry.
I think the best way to RDP/ping using the same server addresses is NAT exemption...
Please check this out!!
access-list Exempt extended permit ip 10.11.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (dmz) 0 access-list Exempt
But the problem still exists.
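For reference, here is a consolidated PIX 7.0 configuration for the inside-to-DMZ case this thread is about, combining the NAT exemption suggested in the replies with ACL entries scoped to the two servers only. This is an added example, not a config posted by any participant; the interface names, security levels, object-group name and ACL names are assumptions.

```cisco
! Added example (not from any post in this thread). Assumed interfaces:
! inside (security 100), dmz (security 50), outside (security 0).
!
! 1. NAT exemption: inside hosts reach the DMZ servers by their real addresses.
!    Source is the inside /16, destination the DMZ /24 (a /24 mask, not the
!    /16 used in several posts above). NAT exemption is evaluated before the
!    dynamic "nat (inside) 1" rule, so that rule can stay for outside-bound traffic.
access-list INSIDE_NONAT extended permit ip 10.2.0.0 255.255.0.0 10.11.0.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NONAT
!
! 2. Inbound ACL on the inside interface, limited to RDP and echo towards the
!    two servers named in the thread rather than the whole DMZ subnet.
object-group network DMZ_SERVERS
 network-object host 10.11.0.12
 network-object host 10.11.0.13
access-list INSIDE_IN extended permit tcp 10.2.0.0 255.255.0.0 object-group DMZ_SERVERS eq 3389
access-list INSIDE_IN extended permit icmp 10.2.0.0 255.255.0.0 object-group DMZ_SERVERS echo
access-group INSIDE_IN in interface inside
!
! 3. ICMP inspection makes echo replies stateful, so no separate echo-reply
!    permit is needed in an ACL on the dmz interface.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
! 4. Verification commands while a test RDP session is opened from 10.2.x.x:
!    show xlate            (no translation should appear for 10.2.x.x -> dmz)
!    show conn detail      (the TCP/3389 connection should be built on both sides)
!    show logging          (look for denied or dropped packets on inside or dmz)
```

If the RDP connection shows in show conn but never completes, the remaining suspects are return routing from the DMZ servers to 10.2.0.0/16 and the servers' own host firewalls, both of which sit outside the PIX configuration.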