https://community.cisco.com/t5/network-security/connectivity-issue-pix/m-p/2471239#M268513 <HTML><HEAD></HEAD><BODY><P>Hi Jon,</P><P></P><P>The security level are:</P><P></P><P></P><P></P><P style="margin-bottom: 0.35cm;">nameif ethernet1 inside security100</P><P style="margin-bottom: 0.35cm;">nameif ethernet2 dmz1 security80</P><P style="margin-bottom: 0.35cm;">nameif ethernet3 dmz2 security70</P><P style="margin-bottom: 0.35cm;">It's weird because if I run icmp echo from 192.168.1.0 to 192.168.2.0, later I can run icmp echo request from 192.168.2.0 to 192.168.1.0. It seems something of ARP.</P><P></P><P style="margin-bottom: 0.35cm;">What about this? Should do I remove this lines?</P><P style="margin-bottom: 0.35cm;">sysopt noproxyarp inside</P><P style="margin-bottom: 0.35cm;">sysopt noproxyarp dmz1</P><P style="margin-bottom: 0.35cm;">sysopt noproxyarp dmz2</P><P></P><P>Thanks a lot, best regards.</P></BODY></HTML> Thu, 06 Mar 2014 20:01:03 GMT CSCO11983020 2014-03-06T20:01:03Z https://community.cisco.com/t5/network-security/connectivity-issue-pix/m-p/2471235#M268505 <P>Hello,</P><P></P><P>I have a PIX firewall with inside, outside, dmz1 and dmz2 interface.</P><P></P><P></P><P style="margin-bottom: 0.35cm;">nameif ethernet0 outside security0</P><P style="margin-bottom: 0.35cm;">nameif ethernet1 inside security100</P><P style="margin-bottom: 0.35cm;">nameif ethernet2 dmz1 security80</P><P style="margin-bottom: 0.35cm;">nameif ethernet3 dmz2 security70</P><P></P><P>I can run icmp echo request from inside to dmz1 and dmz2 well. However, I can't run icmp echo request from dmz1 to dmz2, but if I run icmp echo request from dmz2 to dmz1, later I can run icmp echo request from dmz1 to dmz2.</P><P></P><P>It seems an issue with ARP but I don't know, what can be happening?</P><P></P><P>Thanks, best regards.</P> Tue, 12 Mar 2019 03:54:24 GMT https://community.cisco.com/t5/network-security/connectivity-issue-pix/m-p/2471235#M268505 CSCO11983020 2019-03-12T03:54:24Z https://community.cisco.com/t5/network-security/connectivity-issue-pix/m-p/2471236#M268507 <HTML><HEAD></HEAD><BODY><P>It's sounds like a static NAT issue. Can you post your config ? </P><P></P><P>Jon</P></BODY></HTML> Thu, 06 Mar 2014 11:48:20 GMT https://community.cisco.com/t5/network-security/connectivity-issue-pix/m-p/2471236#M268507 Jon Marshall 2014-03-06T11:48:20Z https://community.cisco.com/t5/network-security/connectivity-issue-pix/m-p/2471237#M268509 <HTML><HEAD></HEAD><BODY><P>Hello Jon,</P><P></P><P style="margin-bottom: 0.35cm;">The config is the next:</P><P></P><P style="margin-bottom: 0.35cm;">nat (inside) 0 192.168.0.0 255.255.0.0 0 0</P><P style="margin-bottom: 0.35cm;">nat (dmz1) 0 192.168.1.0 255.255.255.0 0 0</P><P style="margin-bottom: 0.35cm;">nat (dmz2) 0 192.168.2.0 255.255.255.0 0 0</P><P>static (inside,dmz2) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0</P><P></P><P></P><P>static (dmz1,dmz2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0</P><P></P><P></P><P style="margin-bottom: 0.35cm;">access-list dmz1 permit tcp any any</P><P style="margin-bottom: 0.35cm;">access-list dmz1 permit udp any any</P><P style="margin-bottom: 0.35cm;">access-list dmz2 permit icmp any any</P><P style="margin-bottom: 0.35cm;">access-list dmz2 permit tcp any any</P><P style="margin-bottom: 0.35cm;">access-list dmz2 permit udp any any</P><P></P><P> I don't know what's happening but I can't run icmp echo request from 192.168.2.0 to 192.168.1.0. Do I have to configure something else?</P><P></P><P></P><P></P><P></P><P></P><P></P><DIV class="mcePaste" id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow: hidden;"> </DIV></BODY></HTML> Thu, 06 Mar 2014 19:15:53 GMT https://community.cisco.com/t5/network-security/connectivity-issue-pix/m-p/2471237#M268509 CSCO11983020 2014-03-06T19:15:53Z https://community.cisco.com/t5/network-security/connectivity-issue-pix/m-p/2471238#M268510 <HTML><HEAD></HEAD><BODY><P>What security levels are dmz1 and dmz2 ? </P><P></P><P>Jon</P></BODY></HTML> Thu, 06 Mar 2014 19:38:31 GMT https://community.cisco.com/t5/network-security/connectivity-issue-pix/m-p/2471238#M268510 Jon Marshall 2014-03-06T19:38:31Z https://community.cisco.com/t5/network-security/connectivity-issue-pix/m-p/2471239#M268513 <HTML><HEAD></HEAD><BODY><P>Hi Jon,</P><P></P><P>The security level are:</P><P></P><P></P><P></P><P style="margin-bottom: 0.35cm;">nameif ethernet1 inside security100</P><P style="margin-bottom: 0.35cm;">nameif ethernet2 dmz1 security80</P><P style="margin-bottom: 0.35cm;">nameif ethernet3 dmz2 security70</P><P style="margin-bottom: 0.35cm;">It's weird because if I run icmp echo from 192.168.1.0 to 192.168.2.0, later I can run icmp echo request from 192.168.2.0 to 192.168.1.0. It seems something of ARP.</P><P></P><P style="margin-bottom: 0.35cm;">What about this? Should do I remove this lines?</P><P style="margin-bottom: 0.35cm;">sysopt noproxyarp inside</P><P style="margin-bottom: 0.35cm;">sysopt noproxyarp dmz1</P><P style="margin-bottom: 0.35cm;">sysopt noproxyarp dmz2</P><P></P><P>Thanks a lot, best regards.</P></BODY></HTML> Thu, 06 Mar 2014 20:01:03 GMT https://community.cisco.com/t5/network-security/connectivity-issue-pix/m-p/2471239#M268513 CSCO11983020 2014-03-06T20:01:03Z https://community.cisco.com/t5/network-security/connectivity-issue-pix/m-p/2471240#M268514 <HTML><HEAD></HEAD><BODY><P style="margin-bottom: 0.35cm;">Can you try enabling proxyarp on the dmz2 interface and retest.</P><P style="margin-bottom: 0.35cm;">Before you do the above can you clear the arp table and the xlate table (assuming this is not an active production firewall with active connections).</P><P style="margin-bottom: 0.35cm;">If this doesn't work then please post the full configuration.</P><P style="margin-bottom: 0.35cm;">Jon</P></BODY></HTML> Thu, 06 Mar 2014 20:09:01 GMT https://community.cisco.com/t5/network-security/connectivity-issue-pix/m-p/2471240#M268514 Jon Marshall 2014-03-06T20:09:01Z https://community.cisco.com/t5/network-security/connectivity-issue-pix/m-p/2471241#M268516 <P>Hello Jon,</P><P>&nbsp;</P><P>Thank you very much, it was a static NAT issue.</P><P>&nbsp;</P><P>Thanks, best regards.</P> Thu, 13 Mar 2014 10:58:21 GMT https://community.cisco.com/t5/network-security/connectivity-issue-pix/m-p/2471241#M268516 CSCO11983020 2014-03-13T10:58:21Z