topic pix 525.cannot ping from host on dmz int to host on inside int in Network Security

pix 525.cannot ping from host on dmz int to host on inside int

achapochnikov — Fri, 21 Feb 2020 05:47:58 GMT

hi, my name is anton.i cannot ping my inside interface hosts from hosts on dmz,also cannot get thru from hosts on inside interface to hosts on dmz.

i am testing the pix so i have all access-list set to ''permit ip any any'' .i have default route pointed io outside router,nat command:

nat (inside) 1 00

i have global statement for outside int and dmz

static routes to dmz and inside

what am i doing wrong?

Re: pix 525.cannot ping from host on dmz int to host on inside i

achapochnikov — Wed, 30 May 2001 20:56:08 GMT

hi, my name is anton.i cannot ping my inside interface hosts from hosts on dmz,also cannot get thru from hosts on inside interface to hosts on dmz.

i am testing the pix so i have all access-list set to ''permit ip any any'' .i have default route pointed io outside router,nat command:

nat (inside) 1 00

i have global statement for outside int and dmz

static routes to dmz and inside

what am i doing wrong?

Re: pix 525.cannot ping from host on dmz int to host on inside i

thomas.waddell — Thu, 31 May 2001 14:37:35 GMT

Hi Anton,

From what you've described, if you change your nat (inside) 1 0 0 to nat (inside) 0 0 0 then your inside hosts will be able to pint the DMZ hosts. However you will need to add a static command for each host on the inside network that you want your DMZ hosts to be able to reach.

Something to keep in mind, when going from a higher level security interface (i.e. inside) to a lower level security interface (i.e. dmz) you need a nat statement that matches the inside hosts on the inside interface and a Global statement on the DMZ interface.

For example:

nat (inside) 1 0 0 <--- applies to any inside host

global (DMZ) 1 10.2.2.105-10.2.2.254 netmask 255.255.255.0

An exception is the special NAT Zero or NAT 0, where IP's won't be NATed (as I suggested above to help you make progress quickly). With NAT 0, you don't need the global command.

Now, when going in the other direction you need to use the static command and an access-list. You say you've already got the access-list, now add the statics.

Without going into too much detail, I suggest you start with the following link. It should give you everything you need to get up and running.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/config/config.htm

I suggest erasing whatever configuration you currently have and starting over following the above link. You'll end up with a more secure configuration, even if you are new to the PIX.

Regards,

Thomas

Re: pix 525.cannot ping from host on dmz int to host on inside i

achapochnikov — Thu, 31 May 2001 15:06:29 GMT

hi Thomas!

thank you very much for your response it really helped i did have right nat command and global,but i did not have right static command to map hosts on inside interface to hosts on dmz.Now it is working.

once again thanks a lot