https://community.cisco.com/t5/network-security/connectivity-through-an-internal-pix/m-p/430291#M531642 <HTML><HEAD></HEAD><BODY><P>static command is missing.</P><P></P><P>static (inside,outside) <DATABASE server="" private="" ip=""> <DATABASE server="" private="" ip=""> netmask 255.255.255.255</DATABASE></DATABASE></P><P>clear xlate</P><P></P><P>then, for the webserver accessing/pinging the database server, you just need to point to the private ip.</P><P></P><P>nat 0 may not work with inbound traffic as the pix treats it more like a one way translation; whereas static is a two-way thing.</P><P></P><P>in case you don't want to nat at all, then instead of the static above, you can:</P><P>static (inside,outside) <PIX inside="" subnet=""> <PIX inside="" subnet=""> netmask <PIX inside="" subnet="" mask=""></PIX></PIX></PIX></P></BODY></HTML> Thu, 20 Oct 2005 01:04:21 GMT jackko 2005-10-20T01:04:21Z https://community.cisco.com/t5/network-security/connectivity-through-an-internal-pix/m-p/430290#M531641 <P>Hi,</P><P></P><P>When I try to ping a database server from a web server through an internal Pix 506e I get &#145;Deny icmp src outside:WebtoPixDMZ dest inside :Database by access group &#147;acl_sql&#148;</P><P>The web server is connected to the outside interface of the Pix while the Database server is connected to the inside interface of the Pix</P><P>I can ping from the database to the Web server.</P><P></P><P>Here is the Pix Config</P><P></P><P>hostname xxxx</P><P>names</P><P>name 192.168.7.1 WebtoPixDMZ</P><P>name 192.168.7.2 PixDMZtoWeb</P><P>name 192.168.8.1 PixDMZtoSrvrp</P><P>name 192.168.8.2 Database</P><P>access-list acl_sql permit icmp any any echo-reply </P><P>access-list acl_sql permit icmp any any time-exceeded </P><P>access-list acl_sql permit icmp any any unreachable </P><P>access-list acl_sql permit tcp any any eq 1433 </P><P>icmp permit any outside</P><P>icmp permit any inside</P><P>nat (inside) 0 0.0.0.0 0.0.0.0 0 0</P><P>access-group acl_sql in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 PixDMZtoWeb</P><P>route outside 192.168.6.0 255.255.255.0 192.168.7.1 1</P><P></P><P>sh route</P><P></P><P> outside 0.0.0.0 0.0.0.0 PixDMZtoweb 1 OTHER static</P><P></P><P> outside 192.168.6.0 255.255.255.0 192.168.7.1 1 OTHER static</P><P></P><P> outside 192.168.7.0 255.255.255.0 PixDMZtoweb 1 CONNECT static</P><P></P><P> inside 192.168.8.0 255.255.255.0 PixDMZtoSrvrp 1 CONNECT static</P><P></P><P>Any ideas where I am going wrong?</P><P></P><P>thanks</P><P></P> Fri, 21 Feb 2020 08:28:35 GMT https://community.cisco.com/t5/network-security/connectivity-through-an-internal-pix/m-p/430290#M531641 brianmcatamney 2020-02-21T08:28:35Z https://community.cisco.com/t5/network-security/connectivity-through-an-internal-pix/m-p/430291#M531642 <HTML><HEAD></HEAD><BODY><P>static command is missing.</P><P></P><P>static (inside,outside) <DATABASE server="" private="" ip=""> <DATABASE server="" private="" ip=""> netmask 255.255.255.255</DATABASE></DATABASE></P><P>clear xlate</P><P></P><P>then, for the webserver accessing/pinging the database server, you just need to point to the private ip.</P><P></P><P>nat 0 may not work with inbound traffic as the pix treats it more like a one way translation; whereas static is a two-way thing.</P><P></P><P>in case you don't want to nat at all, then instead of the static above, you can:</P><P>static (inside,outside) <PIX inside="" subnet=""> <PIX inside="" subnet=""> netmask <PIX inside="" subnet="" mask=""></PIX></PIX></PIX></P></BODY></HTML> Thu, 20 Oct 2005 01:04:21 GMT https://community.cisco.com/t5/network-security/connectivity-through-an-internal-pix/m-p/430291#M531642 jackko 2005-10-20T01:04:21Z https://community.cisco.com/t5/network-security/connectivity-through-an-internal-pix/m-p/430292#M531643 <HTML><HEAD></HEAD><BODY><P>Thanks Jacko, once again.</P></BODY></HTML> Thu, 20 Oct 2005 18:31:50 GMT https://community.cisco.com/t5/network-security/connectivity-through-an-internal-pix/m-p/430292#M531643 brianmcatamney 2005-10-20T18:31:50Z