https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629400#M1028887 <P>Added 4 port ethernet on a Pix 515e, ver: 6.3</P><P>So I have the following: </P><P>ip address outside 63.209.xxx.xx 255.255.255.192</P><P>ip address inside 172.16.x.x 255.255.255.0</P><P>ip address dmz 192.168.121.4 255.255.255.0</P><P>From a web server on the dmz interface I'm unable to ping inside hosts. Although from inside I can ping the dmz web server. Show icmp:</P><P>icmp permit any outside</P><P>icmp permit any inside</P><P>icmp permit any echo dmz</P><P>What am I missing. Thanks. </P><P> </P> Mon, 11 Mar 2019 09:19:47 GMT dhengste7 2019-03-11T09:19:47Z https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629400#M1028887 <P>Added 4 port ethernet on a Pix 515e, ver: 6.3</P><P>So I have the following: </P><P>ip address outside 63.209.xxx.xx 255.255.255.192</P><P>ip address inside 172.16.x.x 255.255.255.0</P><P>ip address dmz 192.168.121.4 255.255.255.0</P><P>From a web server on the dmz interface I'm unable to ping inside hosts. Although from inside I can ping the dmz web server. Show icmp:</P><P>icmp permit any outside</P><P>icmp permit any inside</P><P>icmp permit any echo dmz</P><P>What am I missing. Thanks. </P><P> </P> Mon, 11 Mar 2019 09:19:47 GMT https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629400#M1028887 dhengste7 2019-03-11T09:19:47Z https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629401#M1028888 <HTML><HEAD></HEAD><BODY><P>To go from a lower security interface to a higher one, you need NAT translations. For example </P><P>static (inside,dmz) 172.16.x.x 172.16.x.x netmask 255.255.255.0</P><P></P><P>You will also need an ACL.</P><P></P><P>access-list dmz_access permit icmp any any</P><P>access-group dmz_access in interface dmz</P><P></P><P>This example is NOT secure-- only allow access to what is needed.</P><P></P><P>HTH and please rate.</P></BODY></HTML> Mon, 15 Jan 2007 22:12:13 GMT https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629401#M1028888 Collin Clark 2007-01-15T22:12:13Z https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629402#M1028889 <HTML><HEAD></HEAD><BODY><P>Here's what I have in place: </P><P></P><P>static (inside,dmz) 172.0.0.0 172.0.0.0 netmask 255.255.255.0 0 0</P><P>access-group dmz_access_in in interface dmz</P><P>access-list dmz_access_in line 1 permit icmp any any (hitcnt=845)</P><P>access-list dmz_access_in line 2 permit tcp host 192.168.121.34 host 172.16.x.x eq 1433 (hitcnt=0)</P><P>Goal is to be able to communicate with a sql server on the inside. </P></BODY></HTML> Tue, 16 Jan 2007 16:54:23 GMT https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629402#M1028889 dhengste7 2007-01-16T16:54:23Z https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629403#M1028890 <HTML><HEAD></HEAD><BODY><P>Did you want to put 172.0.0.0/24 in your static (inside,dmz)?</P><P></P><P>Do you have a 172.0.0.0/24 network inside?</P><P>If not, it should be</P><P>static (inside,dmz) 172.0.0.0 172.0.0.0 netmask 255.0.0.0 </P><P></P><P>or</P><P></P><P>static (inside,dmz) 172.16.x.0 172.16.x.0 netmask 255.255.255.0</P></BODY></HTML> Tue, 16 Jan 2007 16:57:59 GMT https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629403#M1028890 acomiskey 2007-01-16T16:57:59Z https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629404#M1028891 <HTML><HEAD></HEAD><BODY><P>Yes I have a 172.0.0.0/24 on the inside interface. </P><P>My issue is unable to communicate with the inside from the dmz web server. With what I posted above how would I proceed? thanks. </P></BODY></HTML> Tue, 16 Jan 2007 19:19:41 GMT https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629404#M1028891 dhengste7 2007-01-16T19:19:41Z https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629405#M1028892 <HTML><HEAD></HEAD><BODY><P>But the host on the inside you want to hit on 1433 is not part of 172.0.0.0/24.</P><P></P><P>You need to add another static (inside,dmz) for the 172.16.x.0 network.</P></BODY></HTML> Tue, 16 Jan 2007 20:26:24 GMT https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629405#M1028892 acomiskey 2007-01-16T20:26:24Z https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629406#M1028893 <HTML><HEAD></HEAD><BODY><P>I have: </P><P>static (inside,dmz) tcp interface 1433 172.16.3.3 1433 netmask 255.255.255.255 0 0</P><P></P><P>Still having a problem connecting to a sql server on the inside. </P></BODY></HTML> Wed, 24 Jan 2007 21:22:25 GMT https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629406#M1028893 dhengste7 2007-01-24T21:22:25Z https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629407#M1028894 <HTML><HEAD></HEAD><BODY><P>Have you tried the suggested above? I don't think you want what you just posted.</P><P></P><P>If you can watch the logs you are probably getting "No translation group found". If 172.16.3.3 is you sql server, then add</P><P></P><P>static (inside,dmz) 172.16.3.3 172.16.3.3 netmask 255.255.255.255</P><P></P><P>Post a sanitized config if you can.</P></BODY></HTML> Wed, 24 Jan 2007 21:45:56 GMT https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629407#M1028894 acomiskey 2007-01-24T21:45:56Z https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629408#M1028895 <HTML><HEAD></HEAD><BODY><P>Watching the log, but not getting the "no translation error". Attached is the config. </P><P></P><P> </P><P></P></BODY></HTML> Thu, 25 Jan 2007 18:52:13 GMT https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629408#M1028895 dhengste7 2007-01-25T18:52:13Z https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629409#M1028896 <HTML><HEAD></HEAD><BODY><P>Try this.</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/warp/public/110/mailserver.html" target="_blank">http://www.cisco.com/warp/public/110/mailserver.html</A></P><P></P><P>Pay close attention to the following line</P><P></P><P>static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0 </P><P></P><P>You will need one except yours would be </P><P></P><P>static (inside,dmz) 172.16.3.0 172.16.3.0 netmask 255.255.255.0 0 0</P><P></P><P>This will allow anything on 172.16.3.0/24 network to communicate with dmz server and vice versa.</P><P></P><P></P><P>I also don't know what this line is supposed to do static (inside,dmz) tcp interface 1433 172.16.3.3 1433 netmask 255.255.255.255 0 0.</P><P></P><P>You may have to "clear xlate" after the command is added. Just be aware of that. Also make sure your sql is running on 1433.</P><P></P><P>Someone correct me if I'm wrong here.</P></BODY></HTML> Thu, 25 Jan 2007 19:39:48 GMT https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629409#M1028896 acomiskey 2007-01-25T19:39:48Z https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629410#M1028897 <HTML><HEAD></HEAD><BODY><P>I removed: </P><P>static (inside,dmz) 172.16.3.3 172.16.3.3 netmask 255.255.255.0 0 0 </P><P>Added:</P><P>static (inside,dmz) 172.16.3.0 172.16.3.0 netmask 255.255.255.0 0 0 </P><P>Right now would be happy just to ping from inside to dmz. Have the acl: </P><P>access-list dmz_access permit icmp any any </P></BODY></HTML> Tue, 20 Feb 2007 19:38:23 GMT https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629410#M1028897 dhengste7 2007-02-20T19:38:23Z https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629411#M1028898 <HTML><HEAD></HEAD><BODY><P>As long as you are coming from inside 172.16.3.x you should be fine. Did you apply that acl with access-group dmz_access in interface dmz?</P></BODY></HTML> Tue, 20 Feb 2007 19:53:46 GMT https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629411#M1028898 acomiskey 2007-02-20T19:53:46Z https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629412#M1028899 <HTML><HEAD></HEAD><BODY><P>Yes, coming from 172.16.3.x and have the acl:</P><P>access-group dmz_access in interface dmz </P></BODY></HTML> Tue, 20 Feb 2007 19:57:32 GMT https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629412#M1028899 dhengste7 2007-02-20T19:57:32Z https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629413#M1028900 <HTML><HEAD></HEAD><BODY><P>Did you get rid of this line </P><P></P><P>static (inside,dmz) tcp interface 1433 172.16.3.3 1433 netmask 255.255.255.255</P><P></P><P>Might as well post current config and start logging.</P></BODY></HTML> Tue, 20 Feb 2007 20:04:34 GMT https://community.cisco.com/t5/network-security/dmz-to-inside/m-p/629413#M1028900 acomiskey 2007-02-20T20:04:34Z