Cisco Support Community
New Member

There is not ping from inside to dmz zone on PIX515

I have got PIX 515.

ip address outside 1.1.1.130 255.255.255.128

ip address inside 172.16.8.5 255.255.255.128

ip address dmz 1.1.1.1 255.255.255.128

I have a host on the inside:

172.16.8.1 255.255.255.128, gateway 172.16.8.5

I have a host on the dmz: 1.1.1.2, gateway 1.1.1.1

Why can I not ping from inside 172.16.8.1 to dmz 1.1.1.2, but I can ping 172.16.8.5 from inside 172.16.8.1 and I can ping 1.1.1.1 from dmz 1.1.1.2?

And why can I not ping outside 1.1.1.129 (directly connected to the outside interface 1.1.1.130 of the PIX) from dmz host 1.1.1.2?

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security4
enable password cisco
passwd cisco
hostname pix515
domain-name prbb.ru
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit ip any 1.1.1.0 255.255.255.0
access-list dmz_access_in permit ip any any
access-list inside_access_in permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 1.1.1.130 255.255.255.128
ip address inside 172.16.8.5 255.255.255.128
ip address dmz 1.1.1.1 255.255.255.128
ip audit info action alarm
ip audit attack action alarm
pdm location 172.16.8.1 255.255.255.255 inside
pdm location 172.16.8.0 255.255.255.0 inside
pdm location 172.16.0.8 255.255.255.255 inside
pdm location 1.1.1.2 255.255.255.255 dmz
pdm history enable
arp timeout 14400
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 1.1.1.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 172.16.8.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
username cisco password cisco privilege 15
terminal width 80

4 REPLIES
Silver

Re: There is not ping from inside to dmz zone on PIX515

NAT is neither on nor off. This is sort of like having your car in neutral. You need to do something like:

nat (inside) 0 0.0.0.0 0.0.0.0

nat (dmz) 0 0.0.0.0 0.0.0.0

nat (outside) 0 0.0.0.0 0.0.0.0

HTH pls rate!

Silver

Re: There is not ping from inside to dmz zone on PIX515

*** PLEASE RATE IF THIS HELPS*****

1. To be able to ping from inside to dmz you need to add a nat and global plus an acl on the dmz:

EX. nat (inside) 1 172.16.8.0 255.255.255.128

global (dmz) 1 1.1.1.0 255.255.255.128

access-list dmz_access_in extended permit icmp any any echo-reply

2. You can ping local addresses on the dmz or inside because they NEVER hit the firewall.

3. The problem with pinging the outside from the dmz is the same as inside to dmz; here is the config for that:

EX.

nat (inside) 1 172.16.8.0 255.255.255.128 (don't need if you input it in step #1)

global (outside) 1 1.1.1.128 255.255.255.128

access-list outside_access_in extended permit icmp any any echo-reply

access-list dmz_access_in extended permit icmp any any echo

*** PLEASE RATE IF THIS HELPS*****

New Member

Re: There is not ping from inside to dmz zone on PIX515

You have contradictory rules set. The security on the Inside interface is set to protect the Inside interface but the other two have different security levels. You have two methods to deal with the problem.

1. Set the security levels on all interfaces to 100. This would solve the issue indicated above or

2. Enable NAT, specify a static route from the outside to the inside addresses you want them to have access to and then enable the appropriate firewall rules.

As of now, your Security levels are set to STOP any direct rules from the outside to the inside.

Re: There is not ping from inside to dmz zone on PIX515

1.) Note: ICMP is not a stateful protocol. You need to configure an access-list that permits the icmp protocol. See the guides below.

2.) The security levels are fine, this is the standard setup. Do not change it to equal levels.

inside = 100

outside = 0

dmz = 1-99

3.) The problem with access from the dmz to the outside is the same as for the inside: you need a valid NAT statement or a static.

global (outside) 2 x.x.x.2

global (outside) 1 x.x.x.3

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz) 2 1.1.1.0 255.255.255.128 0 0

This might not be a really good example.

Reference Guides:

The PIX and the traceroute Command:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml

Handling ICMP Pings with the PIX Firewall:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

This post will probably not cover all your questions, but it might be a good starting point.

Sincerely,

Patrick
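As an added example, not code from the thread or from Cisco: a small Python model of the PIX 6.3 decision the replies describe (higher-to-lower security traffic needs a nat/global translation, and because ICMP is not stateful the echo-reply needs its own ACL entry on the lower-security interface), run against the poster's config and against the nat/global fix from the second reply. The interface names, security levels and addresses are the thread's; the data layout, the check order and the omission of static translations are my simplifications (assumptions).

```python
import ipaddress

SECURITY = {"inside": 100, "dmz": 4, "outside": 0}   # the thread's nameif lines

def in_net(addr, net):
    # 'any' or a PIX-style network given as 'address/mask'
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def acl_permits(acl, src, dst, icmp_type):
    """acl: list of (proto, src_net, dst_net, icmp_type-or-None); implicit deny."""
    return any(p in ("ip", "icmp") and (t is None or t == icmp_type)
               and in_net(src, s) and in_net(dst, d) for p, s, d, t in acl)

def has_xlate(cfg, src_if, dst_if, src):
    """Higher->lower needs nat N on src_if plus global N on dst_if, or nat 0 (identity). Statics omitted (assumption)."""
    for nat_if, nat_id, net in cfg["nat"]:
        if nat_if == src_if and in_net(src, net):
            if nat_id == 0 or (dst_if, nat_id) in cfg["global"]:
                return True
    return False

def ping_allowed(cfg, src_if, src, dst_if, dst):
    """(ok, reason) for an echo request src->dst and the echo-reply back.
    ICMP is not stateful on PIX 6.3, so the reply needs its own ACL entry."""
    if SECURITY[src_if] <= SECURITY[dst_if]:
        return False, "lower->higher needs a static; not modelled"
    if not acl_permits(cfg["acl"].get(src_if, []), src, dst, "echo"):
        return False, f"echo denied by ACL on {src_if}"
    if not has_xlate(cfg, src_if, dst_if, src):
        return False, f"no translation from {src_if} to {dst_if}"
    if not acl_permits(cfg["acl"].get(dst_if, []), dst, src, "echo-reply"):
        return False, f"echo-reply denied by ACL on {dst_if}"
    return True, "ok"

# The poster's config: ACLs permit ip any any, but no nat/global at all.
ORIGINAL = {"nat": [], "global": [],
            "acl": {"inside": [("ip", "any", "any", None)],
                    "dmz": [("ip", "any", "any", None)],
                    "outside": [("ip", "any", "1.1.1.0/255.255.255.0", None)]}}

# The second reply's fix: nat (inside) 1 + global (dmz) 1, echo-reply permitted on dmz.
FIXED = {"nat": [("inside", 1, "172.16.8.0/255.255.255.128")],
         "global": [("dmz", 1)],
         "acl": {"inside": [("ip", "any", "any", None)],
                 "dmz": [("icmp", "any", "any", "echo-reply")]}}

if __name__ == "__main__":
    for name, cfg in ("original", ORIGINAL), ("fixed", FIXED):
        print(name, ping_allowed(cfg, "inside", "172.16.8.1", "dmz", "1.1.1.2"))
```

With FIXED, a ping from the dmz host to the outside still fails in the model because the dmz ACL only permits echo-reply, which is the extra echo entry the second reply adds in its step 3.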
