New Member

pix 525.cannot ping from host on dmz int to host on inside int

Hi, my name is Anton. I cannot ping my inside interface hosts from hosts on the DMZ, and also cannot get through from hosts on the inside interface to hosts on the DMZ.

I am testing the PIX, so I have all access-lists set to ''permit ip any any''. I have the default route pointed to the outside router, nat command:

nat (inside) 1 0 0

I have a global statement for the outside interface and the DMZ.

Static routes to DMZ and inside.

What am I doing wrong?

3 REPLIES
New Member

Re: pix 525.cannot ping from host on dmz int to host on inside i

Hi Anton,

From what you've described, if you change your nat (inside) 1 0 0 to nat (inside) 0 0 0 then your inside hosts will be able to ping the DMZ hosts. However, you will need to add a static command for each host on the inside network that you want your DMZ hosts to be able to reach.

Something to keep in mind, when going from a higher level security interface (i.e. inside) to a lower level security interface (i.e. dmz) you need a nat statement that matches the inside hosts on the inside interface and a Global statement on the DMZ interface.

For example:

nat (inside) 1 0 0 <--- applies to any inside host

global (DMZ) 1 10.2.2.105-10.2.2.254 netmask 255.255.255.0

An exception is the special NAT Zero or NAT 0, where IPs won't be NATed (as I suggested above to help you make progress quickly). With NAT 0, you don't need the global command.

Now, when going in the other direction you need to use the static command and an access-list. You say you've already got the access-list, now add the statics.

Without going into too much detail, I suggest you start with the following link. It should give you everything you need to get up and running.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/config/config.htm

I suggest erasing whatever configuration you currently have and starting over following the above link. You'll end up with a more secure configuration, even if you are new to the PIX.

Regards,

Thomas
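To make the two directions Thomas describes concrete, here is an added example configuration (not part of Thomas's reply or of the Cisco document he links). It reuses his global pool 10.2.2.105-10.2.2.254 on the DMZ and assumes an inside network of 10.1.1.0/24 with one inside host, 10.1.1.50, that the DMZ should be able to reach; the interface names, addresses and the access-list name dmz_in are assumptions. Instead of ''permit ip any any'' for testing, the DMZ access-list only permits the ICMP that the test actually needs.

```cisco
! Interface security levels: traffic from a higher level to a lower
! level needs nat + global; the reverse direction needs static + ACL.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Assumed addressing for the example
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 10.2.2.1 255.255.255.0

! Direction 1: inside -> dmz (high to low)
! nat id 1 matches every inside host; global id 1 gives them
! DMZ-side addresses out of the pool (Thomas's example range).
nat (inside) 1 0 0
global (dmz) 1 10.2.2.105-10.2.2.254 netmask 255.255.255.0

! Direction 2: dmz -> inside (low to high)
! Fixed mapping: inside host 10.1.1.50 appears on the DMZ as 10.2.2.50
! (outside the global pool so the two cannot collide).
static (inside,dmz) 10.2.2.50 10.1.1.50 netmask 255.255.255.255 0 0

! ACL applied inbound on the DMZ interface, scoped to the test:
!  - DMZ hosts may ping the mapped inside host
!  - echo-replies to pings started from inside must also be permitted,
!    because this PIX generation does not track ICMP statefully
access-list dmz_in permit icmp any host 10.2.2.50 echo
access-list dmz_in permit icmp any any echo-reply
access-group dmz_in in interface dmz
```

A DMZ host then pings 10.2.2.50 (not 10.1.1.50); the PIX translates it to the inside host, and `show xlate` should list the static entry alongside any dynamic inside-to-DMZ translations.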

New Member

Re: pix 525.cannot ping from host on dmz int to host on inside i

Hi Thomas!

Thank you very much for your response, it really helped. I did have the right nat command and global, but I did not have the right static command to map hosts on the inside interface to hosts on the DMZ. Now it is working.

Once again, thanks a lot.
