Strange problem

johan.blom
Level 1

I have one interface with lower security, and I have permitted it to access an interface with higher security.

When I try to access the higher one from the lower interface, it works for some hosts all the time but not for others. To make it work, you can send a ping from the one with higher security to a host connected to the interface with lower security, and then it works for a while!

Anyone have an idea what the problem is?

8 Replies

rgrcommo
Level 1

Do you have a static going from the higher to the lower? Do you have a conduit or access-list so the lower interface can access the higher interface?

No static.

I use an access-list which allows the network to access the higher interface.

Have you tried:

PIX# debug icmp trace

PIX# debug packet "interface" src "ip" dst "ip"

...and see what you get there. Make sure the packets are even getting to the right interface. They should always get there, not just sometimes. With these debug commands you will be able to see that.

Yep, it reaches the interface with higher security. But it does not go through, except if you "open" the connection from the higher interface.

By the way, the version is 6.2(1).

wongsusanto
Level 1

Hi Johan,

I have encountered this problem before, because I was using public IP addresses for the inside network and I didn't use a static translation. What happened was that sometimes the outside network could not ping the inside servers, so I had to generate traffic from inside to outside on the servers; then they were reachable from outside. Why were they reachable from outside? I think because there was an active connection for some time, and then after the connection timed out they were not. So to solve this problem I did a static translation using the same IP address, say static (inside,outside) 1.1.1.1 1.1.1.1.

If I am not mistaken, then the problem is solved. Perhaps you can try the same way.

Hope it helps.

Regards

Sadly it did not work :(

I have written an example below which may be of help to you.

If you use private addressing on your LAN, and you want to permit access from a lower security interface to a higher security interface, for example the DMZ, you need to have a static entry like this one:

static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

In addition, you will need to add a rule on the DMZ access list permitting icmp echo through to the internal LAN, for example:

access-list DMZ permit icmp host X.X.X.X host X.X.X.X echo

Also, I think you need to add a rule on the internal LAN access list to permit echo-reply, for example:

access-list inside permit icmp host X.X.X.X host X.X.X.X echo-reply

I hope this helps.

Regards,

Charles
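Putting Charles's pieces together as one PIX 6.x configuration fragment (an added example, not from his post or from Cisco): the interface names, security levels, addresses and the single DMZ host are assumed placeholders.

```cisco
! Assumed interfaces and addressing (placeholders, not from the thread).
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0

! Identity static: inside hosts keep their own addresses as seen from the DMZ.
! Without it a higher-security host has no translation entry until it sends
! traffic itself, which is why "opening" the connection from inside works for
! a while and then stops when that entry times out.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0

! Least privilege on the lower-security side: one DMZ host, one internal
! host, echo only.
access-list dmz_in permit icmp host 192.168.10.20 host 10.1.1.20 echo
access-group dmz_in in interface dmz

! Only needed if an access-list is also bound to the inside interface; with no
! inside access-group, traffic from higher to lower security is allowed anyway.
access-list inside_in permit icmp host 10.1.1.20 host 192.168.10.20 echo-reply
access-group inside_in in interface inside
```

Binding inside_in replaces the default permit of everything leaving inside, so add the other permits your internal hosts need before applying it. To check the fix, confirm the identity translation with show xlate and watch the hit counts with show access-list dmz_in while pinging from the DMZ host.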

It works, thanks! I had added a static on the external hosts because someone suggested that.

It is strange though that it works if you "open" the connection from the higher security interface! Maybe this is a bug?
