I am researching this on the web and in books, but I thought I would ask you because you always help out so much. I am trying to configure my DMZ (3rd port on the PIX firewall) and running into some snags.
inside - 192.168.1.0/24
outside - 184.108.40.206
dmz - 192.168.2.0/24 interface is .1
I have a hub plugged into the 3rd port on my PIX and I have a host 192.168.2.2 on that hub. Problem: I can't seem to get out to the internet from that machine. (I do have an access list allowing this box to browse the web.)
What am I doing wrong?
Yes, I have the NAT configured for this client:
static (dmz,outside) 220.127.116.11 192.168.2.2 netmask 255.255.255.255 0 0
Which parts of the config do you need to see?
Do you have a nat statement for the DMZ?
nat (dmz) 1 0 0 will allow all computers in the DMZ to use NAT. The static command creates the static mapping between the outside and DMZ IPs, but the nat statement is needed to turn NAT on for the DMZ interface. You can also set the nat statement to allow a single computer or a range of IPs to use NAT.
This should help:
and then go to Establishing Outbound Connectivity with NAT and PAT.
Also, just a suggestion: "x" out your public IP addresses for your own security.
Hope this helps.
Can that device access the outside network now? You may have to issue a clear xlate command to clear any NAT mappings. Are there any ACLs in place on the DMZ?
OK, this could be my problem:
access-list outside_access_in permit icmp any host xx.xxx.xxx.xxx
access-list dmz_access_in permit icmp host 192.168.2.2 any
For testing, I am allowing ICMP packets out. When I do a debug icmp trace, I see the packets coming in, but not going out.
That access list should allow you to ping that one computer and its reply should be allowed to the PIX. What type of ICMP response are you getting when you ping?
Quick question, what is the actual command you are using to ping the device? Remember you have to enter the interface in the ping command that you are pinging out of.
Yes, when I type ping dmz 192.168.2.2 I get no response on the PIX box.
When I go to the server, I can't even ping 192.168.2.1.
I did confirm that I have the hub plugged into the correct interface.
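Pulling the thread's advice together (the nat statement from the reply above, the static and ACLs the asker posted, the clear xlate and ping checks), here is an added example of a minimal PIX 6.x DMZ configuration for this scenario; it is not from any poster. It assumes ethernet2 is the third port and uses STATIC_PUBLIC_IP as a placeholder for the x'ed-out public address; lines starting with "!" are comments to drop when pasting.

```cisco
! Third port becomes the dmz interface (security level between inside 100 and outside 0)
nameif ethernet2 dmz security50
ip address dmz 192.168.2.1 255.255.255.0

! NAT must be enabled on the dmz interface; the static alone is not enough.
! "nat (dmz) 1 0 0" = all dmz hosts in NAT group 1, translated via the outside address.
nat (dmz) 1 0 0
global (outside) 1 interface

! Fixed one-to-one mapping for the DMZ host (overrides the dynamic group for 192.168.2.2).
! STATIC_PUBLIC_IP is a placeholder, replace with your own public address.
static (dmz,outside) STATIC_PUBLIC_IP 192.168.2.2 netmask 255.255.255.255 0 0

! Outbound from the DMZ: only what the host needs (web, DNS, and ICMP while testing).
access-list dmz_access_in permit tcp host 192.168.2.2 any eq www
access-list dmz_access_in permit tcp host 192.168.2.2 any eq 443
access-list dmz_access_in permit udp host 192.168.2.2 any eq domain
access-list dmz_access_in permit icmp host 192.168.2.2 any
access-group dmz_access_in in interface dmz

! Inbound from the outside: PIX 6.x does not track ICMP statefully without inspection,
! so echo replies to the DMZ host must be permitted explicitly (narrower than "permit icmp any").
access-list outside_access_in permit icmp any host STATIC_PUBLIC_IP echo-reply
access-group outside_access_in in interface outside

! After changing nat/static, drop stale translations, then verify.
clear xlate
! Interface must show "up/line protocol up"; if the host cannot ping 192.168.2.1,
! the problem is at layer 2 (cable, hub port, duplex), not in NAT or the ACLs.
show interface
ping dmz 192.168.2.2
debug icmp trace
```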