Cisco Support Community

New Member

Question about configuring my dmz

Hi Guys,

I am researching this on the web and in books, but I thought I would ask you because you always help out so much. I am trying to configure my DMZ (3rd port on a PIX firewall) and running into some snags.

inside - 192.168.1.0/24

outside - 12.111.197.1

dmz - 192.168.2.0/24 interface is .1

I have a hub plugged into the 3rd port on my PIX and I have a host 192.168.2.2 on that hub. Problem: I can't seem to get out to the internet from that machine. (I do have an access list allowing this box to browse the web.)

What am I doing wrong?

Thanks

Jenn

15 REPLIES
New Member

Re: Question about configuring my dmz

A copy of the config file would help. Do you have NAT set up on the DMZ interface?

New Member

Re: Question about configuring my dmz

Yes, I have the NAT configured for this client:

static (dmz,outside) 12.111.197.49 192.168.2.2 netmask 255.255.255.255 0 0

Which parts of the config do you need to see?

New Member

Re: Question about configuring my dmz

Do you have a nat statement for the DMZ?

Nat (DMZ) 1 0 0 will allow all computers in the DMZ to use NAT. The static command creates the static mapping between the outside and DMZ IPs, but the nat statement is needed to turn NAT on for the DMZ interface. You can also set the nat statement to allow a single computer or a range of IPs to use NAT.

New Member

Re: Question about configuring my dmz

This should help:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/bafwcfg.htm#xtocid22

and then go to Establishing Outbound Connectivity with NAT and PAT.

Also, just a suggestion: "x" out your public IP addresses for your own security.

Hope this helps.

New Member

Re: Question about configuring my dmz

OK, I just added nat (dmz) 1 0 0. Question: I cannot ping 192.168.2.2 from the PIX box. Is this normal?

New Member

Re: Question about configuring my dmz

Can that device access the outside network now? You may have to issue a clear xlate command to clear any NAT mappings. Are there any ACLs in place on the DMZ?

New Member

Re: Question about configuring my dmz

Ok this could be my problem:

access-list outside_access_in permit icmp any host xx.xxx.xxx.xxx

access-list dmz_access_in permit icmp host 192.168.2.2 any

For testing, I am allowing ICMP packets out. When I do a debug icmp trace, I see the packets coming in, but not going out.

New Member

Re: Question about configuring my dmz

That access list should allow you to ping that one computer, and its reply should be allowed to the PIX. What type of ICMP response are you getting when you ping?

New Member

Re: Question about configuring my dmz

Request timed out

New Member

Re: Question about configuring my dmz

Quick question, what is the actual command you are using to ping the device? Remember you have to enter the interface in the ping command that you are pinging out of.

ping

New Member

Re: Question about configuring my dmz

Yes, when I type ping dmz 192.168.2.2 I get no response on the PIX box.

When I go to the server, I can't even ping 192.168.2.1.

I did confirm that I have the hub plugged into the correct interface.

New Member

Re: Question about configuring my dmz

OK, this got me thinking. I verified the subnet mask on the client PC and it was wrong :( I am an IDIOT! Thanks for helping!

New Member

Re: Question about configuring my dmz

No worries!! Just glad you got it figured out. That is all that matters.

New Member

Re: Question about configuring my dmz

You guys are the best! Thanks!

New Member

Re: Question about configuring my dmz

Is the default gateway on the server set up correctly? Good cable? Change port on hub? Something along these lines.
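
Added example, not part of the original thread: the fault here turned out to be a wrong subnet mask on the DMZ host, and the last reply also asks about the default gateway, so this Python check compares a host's IP settings with the firewall interface's. The function name `check_host_settings` and the wrong masks in the sample calls are constructed; the thread does not say what the bad mask was.

```python
import ipaddress

def check_host_settings(host_ip, host_mask, gateway_ip, fw_ip, fw_mask):
    """Return a list of problems that would stop host <-> firewall traffic."""
    try:
        host = ipaddress.ip_interface(f"{host_ip}/{host_mask}")
        fw = ipaddress.ip_interface(f"{fw_ip}/{fw_mask}")
        gw = ipaddress.ip_address(gateway_ip)
    except ValueError as exc:  # bad address or non-contiguous mask
        return [f"invalid address or mask: {exc}"]

    problems = []
    if host.network.prefixlen != fw.network.prefixlen:
        problems.append(
            f"mask mismatch: host /{host.network.prefixlen}, "
            f"firewall /{fw.network.prefixlen}")
    # A host only ARPs for addresses inside its own subnet; anything else
    # is sent to the default gateway, which must itself be on-link.
    if fw.ip not in host.network:
        problems.append(f"host sees firewall {fw.ip} as off-link ({host.network})")
    if host.ip not in fw.network:
        problems.append(f"firewall sees host {host.ip} as off-link ({fw.network})")
    if gw != fw.ip:
        problems.append(f"default gateway {gw} is not the firewall interface {fw.ip}")
    # Network and broadcast addresses are not usable host addresses.
    net = host.network
    if net.prefixlen < 31 and host.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{host.ip} is the network or broadcast address of {net}")
    return problems

if __name__ == "__main__":
    # Addresses from the thread; the wrong mask is a constructed sample.
    for mask in ("255.255.255.0", "255.255.255.254"):
        result = check_host_settings("192.168.2.2", mask, "192.168.2.1",
                                     "192.168.2.1", "255.255.255.0")
        print(mask, result or "OK")
```

An empty list means the host and the firewall interface agree on the subnet and the gateway; each string in a non-empty list names one setting to correct on the host.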
