*note I will assign points when this get resolved*
I have a Pix 515 running 6.3.3 with a few interfaces. One interface is set with a security level of 20 and the other has a security level of 100. Logic states that those on the 100 security interface should be able to access the web servers on the 20 security level interface; however, they cannot. I have created access lists and allowed specific IPs to have access to static IP addresses and a variety of other techniques that "should" work.
Workstation IP 192.168.10.2 on interface 1, with a security level of 100, should be able to access 10.10.50.7 on interface 4 with a security level of 20. Quite stumped, as the config should work. Any ideas?
It depends: if you have an access-list bound on the higher security level interface, that could prohibit said communication to the lower security interface's host. Misconfigured nat/static statements could do the same.
1. Make sure that the pix interface where the web servers are is the default route for the web servers to allow the return traffic to flow back through the pix.
2. If you are using nat and global, or a static for the inside workstations, and the global address is on the same subnet as the pix interface that has a security level of 20 (i.e. global (dmz_intf) 20 10.10.50.177), make sure that the sysopt proxyarp setting is configured for the dmz/web-server interface. If it is not, the pix will not respond to the arp request that the web server generates. I have come across systems that ignore the mac address in the request packet and will issue an arp before sending the reply even though it should have done the correlation.
Can you post how the nat/global and/or static is configured?
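For readers checking the three items above (return route, NAT/global or static with proxy ARP, and an ACL on the high-security interface), here is an added example of a minimal PIX 6.3 configuration for the scenario in the question. It is not the poster's configuration and not from the answer above: the interface names `inside` (interface 1, security 100) and `dmz` (interface 4, security 20), the interface addresses, the ACL name `inside_in` and the global/static addresses 10.10.50.177 and 10.10.50.178 are assumed for illustration; only 192.168.10.2 and 10.10.50.7 come from the thread. Lines beginning with `!` are annotations, not configuration.

```cisco
! Interfaces: inside is the high-security side, dmz holds the web servers.
nameif ethernet1 inside security100
nameif ethernet4 dmz security20
ip address inside 192.168.10.1 255.255.255.0
ip address dmz 10.10.50.1 255.255.255.0

! Item 1: the web servers (e.g. 10.10.50.7) must use 10.10.50.1, the PIX dmz
! interface, as their default gateway so replies return through the PIX.

! Item 2a: inside hosts are translated to an address on the dmz subnet.
! Either PAT for the whole inside network ...
nat (inside) 1 192.168.10.0 255.255.255.0
global (dmz) 1 10.10.50.177
! ... or a one-to-one static for the single workstation (assumed address).
static (inside,dmz) 10.10.50.178 192.168.10.2 netmask 255.255.255.255

! Item 2b: the translated addresses live on the dmz subnet, so the PIX must
! answer ARP for them. Proxy ARP is on by default; this re-enables it if it
! had been switched off for the dmz interface.
no sysopt noproxyarp dmz

! Point from the first reply: an ACL applied to the inside interface replaces
! the implicit high-to-low permit, so it must explicitly allow the web traffic.
access-list inside_in permit tcp host 192.168.10.2 host 10.10.50.7 eq www
access-list inside_in deny ip any any
access-group inside_in in interface inside
```

A quick way to confirm which of the three items is failing: `show xlate` should show a translation for 192.168.10.2 after a connection attempt (if not, the nat/global or static is wrong), `show arp` on the web server should show the PIX dmz MAC for the translated address (if not, proxy ARP is off), and `show access-list inside_in` should show the hit count rising on the permit line rather than the deny.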