topic Re: PIX Firewall Problem in Network Security

PIX Firewall Problem

wasiimcisco — Mon, 11 Mar 2019 12:14:59 GMT

I am again having strange problem. I have two servers in dmz. I want one server to go to internet and also communicate with one of the server located on outside with local ip address 172.28.92.72

My ASDM is showing me packet tracer successfuly without any problem. But when i try to ping from server on dmz to server located on outside i got the following error

Destination net unreachable.

I configured the same setting as for the server 2 with ip addresss 172.28.92.68.

But i want 172.28.92.72 to have static for internet but to communicate with outside server use same ip 172.28.92.72

access-list outside_acl extended permit ip host x.74.112.153 host 172.28.92.72

access-list nonat extended permit ip host 172.28.92.72 host x.74.112.153

static (edn,outside) x.223.188.39 172.28.92.72 netmask 255.255.255.255

telnet 172.28.92.72 255.255.255.255 edn

TDC-INT-525-01# sh run | in 172.28.92.68

access-list outside_acl extended permit ip x.223.188.0 255.255.255.0 host 172.28.92.68

access-list outside_acl extended permit ip host x.74.112.153 host 172.28.92.68

access-list nonat extended permit ip host 172.28.92.68 x.223.188.0 255.255.255.0

access-list nonat extended permit ip host 172.28.92.68 host x.74.112.153

nat (inside) 0 access-list nonat

nat (edn) 0 access-list nonat

please help me out

Re: PIX Firewall Problem

sundar.palaniappan — Mon, 10 Mar 2008 23:05:32 GMT

Have you checked whether the server on the outside knows how to route traffic back to 172.28.92.72? If it does can you look at the packet trace on the outside interface to see if you see response from the Server on the outside coming in?

Re: PIX Firewall Problem

wasiimcisco — Mon, 10 Mar 2008 23:10:15 GMT

yes outside server has the route towards it. I am also getting hitcount on my outside firewall access-list.

see the snapshot of pkt tracer from outside interface to dmz. it is successful.

Re: PIX Firewall Problem

sundar.palaniappan — Mon, 10 Mar 2008 23:48:01 GMT

Interesting. Have you tried removing the static and check whether that made any difference. If not can you do a sniffer capture on the DMZ?

Re: PIX Firewall Problem

wasiimcisco — Tue, 11 Mar 2008 00:16:51 GMT

if i removed the static it works as it is working with 172.28.92.68. But my requirement is to use static to use Internet.

right now i have removed teh nonat for 172.28.92.72 and using only static for Internet and outside server is accessing it via static ip addresses.

but dont know what is wrong with the static and nonat.

packet tracer is showing full success but when try to trace and ping

destination network unreachable.

Only nonat is working or either static is working not both at the same time.

Re: PIX Firewall Problem

sundar.palaniappan — Tue, 11 Mar 2008 00:50:42 GMT

Glad it works!!

Can you do the static at port level for Internet access and that may be a workaround for you to get both working.

Moreover, can you use a different name for no-nat access list and that should be different from no-nat access list name for the inside interface. It really shouldn't matter but with all the caveats it's worth a try.

HTH

Sundar