I am having a problem that stems from trying to set up a WebSense server in our DMZ. It seems as though the DMZ servers cannot ping the DMZ interface of the PIX, and the PIX cannot ping (or contact of any sort) any of the DMZ servers. The servers in the DMZ can ping each other fine. The DMZ servers can access the internet, internal PCs (according to access lists), and basically have all appropriate functionality. The DMZ interface IP address is the gateway for all DMZ servers. The servers can resolve the correct MAC address when attempting to ping the DMZ interface, but get no response. Ditto for the PIX trying to ping the server: arp resolves, but no response. My DMZ's first access list statement says permit icmp any any, so I am pretty sure it's not an access list issue. For troubleshooting purposes, I even added an ip permit any any to the end of it and still the same problem. Sorry this was so lengthy, but wanted to give as much info as possible. I am being pressured to get WebSense working in the next two weeks, but have to resolve this issue first, since the PIX keeps sending SNMPs to Syslog server saying it cannot contact URL server. HELP !!!!
OK, I didn't have those commands in, but I don't have them in on any of the other interfaces, yet all hosts behind those respective interfaces can still ping the interface itself. But I DID add the aforementioned statements with no change in the behavior of dmz hosts or the PIX to the dmz. Any other suggestions ?
Try removing the permit icmp any any from the DMZ zone. By default the PIX is supposed to allow any host connected to that interface to ping it. Do a show route statement and make sure the PIX knows how to get to the DMZ, i.e. correct subnet range listed for that interface. Are you using any conduit statements? You do not want to be using conduits and access-list together.
OK, I have removed the access-list statement allowing icmp traffic. The reason it was there is that (I was told) if the icmp packet hits that rule first, it will reduce the amount of processing time for that packet. May not be true, but I didn't know any better. At any rate, I have removed the statement, verified that the PIX knows the attached subnet is connected to the DMZ interface, and that we aren't using conduit and access list statements. No change in behavior of pings to DMZ hosts from PIX and PIX to hosts. I also added the icmp permit (ip address) (netmask) echo dmz and echo-reply dmz and THAT didn't make a difference either ! Any other thoughts ?
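For readers following the thread, here is an added example (not from either poster) of the interface-ICMP controls being discussed on a PIX. Access lists govern traffic *through* the firewall; the `icmp` command governs ICMP *to* the interface itself, and as the reply above notes it defaults to open when no `icmp` statements exist. The pattern below restricts interface pings to one named management host and denies the rest, which is the least-privilege form of what the original poster configured. The 192.0.2.10 address and interface name `dmz` are placeholders, and the verification commands only display state.

```cisco
! Allow only the DMZ management host to ping the dmz interface
! (placeholder address; substitute your own)
icmp permit host 192.0.2.10 echo dmz
icmp permit host 192.0.2.10 echo-reply dmz
! Everything else to the dmz interface is dropped; this is the
! only implicit-deny line, and it applies once any icmp rule exists
icmp deny any dmz

! Verification: confirm the icmp rules loaded and the DMZ subnet
! is known as a connected route on the dmz interface
show icmp
show route
```

Once any `icmp` statement is present on an interface, an implicit deny applies to everything not listed, so a host that could ping the interface before may lose that ability; the `show icmp` output is the first thing to check when interface pings stop working after a change.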