Pix515E: inside Can't reach DMZ host , please help

Thanks to all those who have helped me solve previous problems. This time I have one more: from an inside host, say 10.1.1.5 (mask 255.255.255.0, gateway 10.1.1.254), I cannot reach a DMZ host, say 30.30.30.51, even though I can ping the DMZ host's public IP (70.183.141.200). Please help. (An abbreviated configuration follows):

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz2 security50
name 209.96.249.10 visinet-su-pc
name 10.1.1.10 paris
name 206.246.202.21 transact.option.net
name 10.1.1.206 corrie-pc
name 206.246.194.29 mail.visi.net
name 10.1.1.77 ed-pc
name 10.1.1.80 ed-wireless
object-group network full-outside-access
network-object host paris
network-object ed-wireless 255.255.255.255
object-group service mail-dns-tcp tcp
port-object eq ssh
port-object eq pop3
port-object eq smtp
object-group service ntp-udp udp
port-object eq domain
port-object eq ntp
object-group service sqlserver-ports tcp
description for sqlserver
port-object range 888 888
port-object range 1433 1433
object-group service mail-only tcp
port-object eq pop3
port-object eq smtp
access-list inside_access_in permit icmp 10.1.1.0 255.255.255.0 any echo
access-list inside_access_in permit udp 10.1.1.0 255.255.255.0 any object-group ntp-udp
access-list inside_access_in permit tcp 10.1.1.0 255.255.255.0 any eq domain
access-list inside_access_in permit tcp 10.1.1.0 255.255.255.0 host mail.cnfei.com object-group mail-only
access-list inside_access_in permit tcp 10.1.1.0 255.255.255.0 host mail.visi.net object-group mail-only
access-list inside_access_in permit icmp 10.1.1.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list inside_access_in deny tcp 10.1.1.0 255.255.255.0 any object-group mail-only
access-list inside_access_in permit ip object-group full-outside-access any
access-list outside_access_in permit icmp any host 70.183.141.200
access-list outside_access_in permit icmp any any echo
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any host 70.183.141.197 object-group sqlserver-ports
access-list outside_access_in permit tcp any host 70.183.141.198 eq 8190
access-list outside_access_in permit tcp any host 70.183.141.196 eq www
access-list outside_access_in permit tcp any host 70.183.141.196 eq 8109
access-list outside_access_in permit tcp any host 70.183.141.195 eq 4447
access-list outside_access_in permit tcp any host 70.183.141.202
access-list outside_access_in remark for su in visinet
access-list outside_access_in permit tcp host visinet-su-pc host 70.183.141.199
access-list outside_access_in permit tcp host transact.option.net host 70.183.141.194 eq www
access-list outside_access_in deny ip any any
ip address outside 70.169.138.132 255.255.255.0
ip address inside 10.1.1.254 255.255.255.0
ip address dmz2 30.30.30.30 255.255.255.0
global (outside) 10 interface
global (dmz2) 10 interface
nat (inside) 10 10.1.1.0 255.255.255.0 0 0
static (inside,outside) 70.183.141.194 cfserver netmask 255.255.255.255 0 0
static (inside,outside) 70.183.141.195 oscar netmask 255.255.255.255 0 0
static (inside,outside) 70.183.141.196 internal netmask 255.255.255.255 0 0
static (inside,outside) 70.183.141.202 10.1.1.239 netmask 255.255.255.255 0 0
static (inside,outside) 70.183.141.197 fifa netmask 255.255.255.255 0 0
static (inside,outside) 70.183.141.198 sugar netmask 255.255.255.255 0 0
static (inside,outside) 70.183.141.199 paris netmask 255.255.255.255 0 0
static (dmz2,outside) 70.183.141.200 30.30.30.51 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 70.169.138.1 1
: end

Any suggestions are greatly appreciated.

sean

3 REPLIES

Re: Pix515E: inside Can't reach DMZ host , please help

Hi, I suggest:

1.- nat (inside) 0 access-list inside_out_nat0

access-list inside_out_nat0 permit ip 10.1.1.0 255.255.255.0 30.30.30.0 255.255.255.0

2.- Add the below entry on your inside_access_in

permit ip 10.1.1.0 255.255.255.0 30.30.30.0 255.255.255.0

This should give you access to the DMZ hosts when traffic is initiated from the inside.

I hope it helps. Please rate it if it does!!!


Re: Pix515E: inside Can't reach DMZ host , please help

Thank you very much, Fernando.

Yes, the IP works!!! There is a small problem though: I still can't ping from 10.1.1.5 (inside private IP) to 30.30.30.51 (DMZ private IP), even though I can reach TCP ports on the DMZ host from the inside host. I have a line to allow ICMP, but still can't ping. Please help:

access-list inside_access_in permit icmp 10.1.1.0 255.255.255.0 30.30.30.0 255.255.255.0

(I can ping 30.30.30.51 using its public IP, there is no firewall on the host to block any traffic).

Thanks.


Re: Pix515E: inside Can't reach DMZ host , please help

Have you tried applying an access-list to the dmz interface? Or a static from dmz2 to inside?
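Putting the first reply's NAT exemption together with the hint in the last reply, here is the complete inside-to-dmz2 configuration as an added example (written for this thread, not taken from it or from Cisco documentation). Addresses, interface names and inside_out_nat0 are the thread's; dmz2_access_in is an assumed ACL name. The key point for the ping problem: TCP connections are tracked statefully, so their replies come back automatically, but PIX 6.3 does not track ICMP unless ICMP fixup is on, so the echo-reply from dmz2 (security50) to inside (security100) is treated as a new lower-to-higher flow and is dropped unless an ACL on dmz2 permits it.

```text
: Added example for PIX 6.3 (not from the thread). dmz2_access_in is an assumed name.

: 1) Exempt inside -> dmz2 traffic from PAT so the DMZ host sees the real 10.1.1.x source.
:    Without this, "global (dmz2) 10 interface" PATs inside hosts to 30.30.30.30.
access-list inside_out_nat0 permit ip 10.1.1.0 255.255.255.0 30.30.30.0 255.255.255.0
nat (inside) 0 access-list inside_out_nat0

: 2) Permit the outbound flow on the inside ACL. Scope it to the DMZ server and the
:    ports actually needed rather than "permit ip" for the whole subnet.
access-list inside_access_in permit icmp 10.1.1.0 255.255.255.0 host 30.30.30.51 echo
access-list inside_access_in permit tcp 10.1.1.0 255.255.255.0 host 30.30.30.51 eq www

: 3) Return path for ping. TCP replies are matched to the tracked connection; ICMP is not,
:    so the echo-reply from the DMZ host toward inside needs an explicit permit on dmz2.
access-list dmz2_access_in permit icmp host 30.30.30.51 10.1.1.0 255.255.255.0 echo-reply
: Deny anything else the DMZ could initiate toward the inside network, and log it.
access-list dmz2_access_in deny ip any 10.1.1.0 255.255.255.0 log
: Once an ACL is bound to dmz2 the implicit higher-to-lower permit is gone, so the DMZ
: host's own Internet traffic (and its replies to outside pings) must be permitted here.
access-list dmz2_access_in permit ip 30.30.30.0 255.255.255.0 any
access-group dmz2_access_in in interface dmz2

: Alternative to the echo-reply line, if your 6.3 build supports stateful ICMP inspection:
: fixup protocol icmp
```

Verify with "show xlate" (an inside host talking to 30.30.30.51 should show no PAT entry) and "show access-list dmz2_access_in" (hit counts on the echo-reply line while a ping runs).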
