Cisco Support Community

New Member

Strange problem

I have one interface with lower security and I have permitted it to access an interface with higher security.

When I try to access the higher one from the lower interface, it works for some hosts all the time but not for others. To make it work you can send a ping from the interface with higher security to one host that is connected to the interface with lower security, and then it works for a while!

Anyone have an idea what the problem is?

8 REPLIES
New Member

Re: Strange problem

Do you have a static going from the higher to the lower? Do you have a conduit or access-list so the lower interface can access the higher interface?

New Member

Re: Strange problem

No static.

I use an access-list which allows the network to access the higher interface.

New Member

Re: Strange problem

Have you tried:

PIX# debug icmp trace

PIX# debug packet "interface" src "ip" dst "ip"

...and see what you get there. Make sure the packets are even getting to the right interface. They should always get there, not just sometimes. With these debug commands you will be able to see that.

New Member

Re: Strange problem

Yep, it reaches the interface with higher security. But it does not go through, except if you "open" the connection from the higher interface.

Btw version is 6.2(1)

New Member

Re: Strange problem

Hi jhon,

I once encountered this problem, because I was using public IP addresses for the inside network and did not use a static translation. What happened was that sometimes the outside network could not ping the inside servers, so I had to generate traffic from inside to outside on the servers; then they were reachable from outside. Why were they reachable from outside? I think because there was an active connection for some time, and then the connection timed out. So to solve this problem I did a static translation using the same IP address, say static (inside,outside) 1.1.1.1 1.1.1.1

If I am not mistaken, that solved the problem. Perhaps you can try the same way.

hope it helps

regards

New Member

Re: Strange problem

Sadly it did not work :(

New Member

Re: Strange problem

I have written an example below which may be of help to you.

If you use private addressing on your LAN, and you want to permit access from a lower security interface to a higher security interface, for example the DMZ, you need to have a static entry like this one:

static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

In addition, you will need to add a rule on the DMZ access list permitting icmp echo through to the internal LAN, for example:

access-list DMZ permit icmp host X.X.X.X host X.X.X.X echo

Also, I think you need to add a rule on the internal LAN access list to permit echo-reply, for example:

access-list inside permit icmp host X.X.X.X host X.X.X.X echo-reply

I hope this helps.

Regards,

Charles

New Member

Re: Strange problem

It works, thanks! I had added a static on the external hosts because someone suggested that.

It is strange, though, that it works if you "open" the connection from the higher security interface! Maybe this is a bug?
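The "works for a while after the inside host pings out" behaviour is not a bug; it falls out of two rules the thread touches on. A packet arriving on a lower-security interface is only forwarded to a higher-security one if (a) a translation (xlate) exists for the destination host and (b) the access-list bound to the inbound interface permits it. Outbound traffic from the inside host creates a dynamic xlate that lives until the xlate idle timeout (PIX default: timeout xlate 3:00:00), which is exactly the window in which the lower-to-higher ping succeeds; the identity static Charles describes makes that xlate permanent. The following Python model is an added illustration written for this page, not Cisco code: it reproduces only those two rules, ignores everything else the PIX does, and uses constructed RFC 5737 sample addresses.

```python
"""Simplified model of PIX 6.x lower-to-higher-security forwarding.

Added illustration, not Cisco code. Models only: (a) the destination
needs an xlate (static, or dynamic and not yet idle-timed-out) and
(b) the access-list bound to the inbound interface must permit the packet.
"""
from dataclasses import dataclass
from typing import Optional

XLATE_IDLE_TIMEOUT = 3 * 60 * 60  # seconds; PIX default 'timeout xlate 3:00:00'


@dataclass
class Xlate:
    real_ip: str
    static: bool
    last_used: int  # only meaningful for dynamic entries


@dataclass(frozen=True)
class Ace:
    proto: str
    src: str
    dst: str
    icmp_type: Optional[str] = None  # None matches any ICMP type


class Pix:
    def __init__(self, security_levels):
        # e.g. {"outside": 0, "dmz": 50, "inside": 100}, as set with 'nameif'
        self.security = security_levels
        self.xlates = {}         # (interface, real_ip) -> Xlate
        self.acls = {}           # acl name -> [Ace]
        self.access_groups = {}  # interface -> acl name bound with 'access-group'

    # static (real_if,mapped_if) mapped_ip real_ip netmask ...
    def static(self, real_if, mapped_if, mapped_ip, real_ip):
        self.xlates[(real_if, real_ip)] = Xlate(real_ip, True, 0)

    # access-list NAME permit PROTO host SRC host DST [ICMP_TYPE]
    def access_list(self, name, proto, src, dst, icmp_type=None):
        self.acls.setdefault(name, []).append(Ace(proto, src, dst, icmp_type))

    # access-group NAME in interface IF
    def access_group(self, name, interface):
        self.access_groups[interface] = name

    def _acl_permits(self, interface, proto, src, dst, icmp_type):
        name = self.access_groups.get(interface)
        if name is None:
            return False  # no ACL or conduit: nothing enters from a lower-security interface
        for ace in self.acls.get(name, []):
            if (ace.proto == proto and ace.src in ("any", src)
                    and ace.dst in ("any", dst)
                    and ace.icmp_type in (None, icmp_type)):
                return True
        return False

    def forward(self, now, in_if, out_if, proto, src, dst, icmp_type=None):
        """Return True if the packet is passed to out_if."""
        if self.security[in_if] > self.security[out_if]:
            # Higher -> lower is allowed by default and, with an identity
            # 'nat 0', creates or refreshes a dynamic xlate for src.
            x = self.xlates.get((in_if, src))
            if x is None:
                self.xlates[(in_if, src)] = Xlate(src, False, now)
            elif not x.static:
                x.last_used = now
            return True
        # Lower -> higher: the destination must have a live xlate on out_if ...
        x = self.xlates.get((out_if, dst))
        if x is None:
            return False
        if not x.static and now - x.last_used > XLATE_IDLE_TIMEOUT:
            del self.xlates[(out_if, dst)]  # dynamic entry aged out
            return False
        # ... and the ACL bound to the inbound interface must permit it.
        if not self._acl_permits(in_if, proto, src, dst, icmp_type):
            return False
        if not x.static:
            x.last_used = now  # traffic through the xlate keeps it alive
        return True


def ping_from_outside(with_static):
    """Replay the thread: [before inside opens, after it opens, after the idle timeout]."""
    pix = Pix({"outside": 0, "inside": 100})
    outside_host, inside_host = "192.0.2.10", "198.51.100.5"  # constructed addresses
    pix.access_list("outside", "icmp", outside_host, inside_host, "echo")
    pix.access_group("outside", "outside")
    if with_static:
        pix.static("inside", "outside", inside_host, inside_host)  # identity static
    first = pix.forward(0, "outside", "inside", "icmp", outside_host, inside_host, "echo")
    pix.forward(10, "inside", "outside", "icmp", inside_host, outside_host, "echo")  # "opens" it
    opened = pix.forward(20, "outside", "inside", "icmp", outside_host, inside_host, "echo")
    later = pix.forward(20 + XLATE_IDLE_TIMEOUT + 1, "outside", "inside", "icmp",
                        outside_host, inside_host, "echo")
    return [first, opened, later]


if __name__ == "__main__":
    print("no static:  ", ping_from_outside(False))
    print("with static:", ping_from_outside(True))
```

Without the static the model returns [False, True, False]: the inbound ping fails, succeeds once the inside host has sent something out, and fails again after the dynamic xlate idles out. With the identity static it returns [True, True, True]. The real PIX applies the same two checks; the ACL lines Charles gives for the DMZ and inside interfaces correspond to the access_list/access_group calls here, with the echo-reply rule on the higher-security interface only needed when an access-list is bound there as well.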
