Cannot Ping Servers in DMZ from Outside and

thebrom
Level 1

Ok a few issues here.

I just installed a PIX515 replacing my 506. I have 3 interfaces now:

Inside 10.0.10.0/24

DMZ 10.0.20.0/24

Outside 64.69.117.0

I have attached my configuration, but here's my dilemma.

I have mapped a test box on the DMZ; its IP is 10.0.20.10, and its outside address is 64.69.117.29.

When I ping that address from an outside client, I get this reply in my Syslog:

03-08-2007 09:15:44 Local4.Critical 10.0.10.1 Mar 08 2007 09:13:34: %PIX-2-106028: Dropping invalid echo reply from inside:10.0.20.10 to outside:69.255.109.188, source address 10.0.20.10 should not match dynamic port translation, real inside:10.0.20.10/1, mapped outside:64.69.117.62/1

Now I know it is a translation problem but I am not sure where, do I need to do a static (inside,dmz) 10.0.10.0 10.0.10.0...?

Less importantly I have another issue:

On my default gateway I added a route for the DMZ network, so even with the firewall shut down, I can ping servers on the DMZ from the inside 10.0.10.0/24 network. Does that make sense? Or should I remove that route and force all inside PCs to go through the firewall for access to the DMZ? I only ask because it seems that with that route I am defeating the purpose of a DMZ. Please advise?

Last question, like I said I can ping 10.0.20.0/24 network from the 10.0.10.0/24 network without the firewall at all, however for some reason I cannot ping the 10.0.20.4 DMZ interface itself from the 10.0.10.0/24 network, but I can ping that interface from the 10.0.20.0/24 network? What's wrong there?

thanks in advance, Rob

16 Replies

Well it is helpful in our scenario because there is a network loop. With the static command in, PIX will do proxy-arp for all the hosts in 10.0.10.0/24 network, and the reason why you faced issues could be explained-

When a host on the 10.0.10.0/24 network is trying to communicate with some other host in the same network, it would broadcast requesting the MAC of the other host. Somehow, this broadcast reaches the DMZ interface and hence the DMZ replies with its own MAC address. This in turn causes issues with your internal traffic.

The best thing would be to track down where this loop is happening and shut it down. Things will keep working fine with the sysopt command in, though ;-)

Hope this explains things.

Regards,

Vibhor.

vitripat
Level 7

Quoting -- Last question, like I said I can ping the 10.0.20.0/24 network from the 10.0.10.0/24 network without the firewall at all, however for some reason I cannot ping the 10.0.20.4 DMZ interface itself from the 10.0.10.0/24 network, but I can ping that interface from the 10.0.20.0/24 network? What's wrong there?

You can ping the 10.0.20.0/24 network from the 10.0.10.0/24 network due to the network loop. This is the reason you are able to ping the network even with the firewall shut down! You are unable to ping the DMZ interface from the inside network because when the PIX's DMZ interface receives the echo-request, it would be dropped, because this echo-request should be coming from the inside network and not the DMZ network. Here, when the PIX receives the echo-request from the DMZ, it will try to send the reply back via the inside interface, based on the PIX's routing table. However, this ping will never work even when the network loop is removed because, on PIX firewalls, you cannot ping the far-side interface in any case. This means that from the inside network you may be able to ping the DMZ network hosts, but you won't be able to ping the DMZ interface IP. Here is a link to support the same-

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#pingsown

Hope this helps. Please let me know after removing the network loop how many of your issues are resolved.

Regards,

Vibhor.
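As an added example (not part of this thread, and not Cisco's code): a small Python checker that parses the %PIX-2-106028 line quoted in the original post and applies the reasoning from the replies above. The message names the interface the PIX actually saw the packet on ("real inside:10.0.20.10/1"); if that address belongs to a different interface's subnet, the firewall matched it against the outside PAT address instead of the intended static, which is the symptom of a loop or a route that bypasses the firewall. The interface subnets are the ones stated in the post; the second log line is constructed here for contrast.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Interface subnets as stated in the original post (assumption: /24 on both).
INTERFACE_NETS = {
    "inside": ipaddress.ip_network("10.0.10.0/24"),
    "dmz": ipaddress.ip_network("10.0.20.0/24"),
}

# Message text of %PIX-2-106028 in the form shown in the post.
MSG_106028 = re.compile(
    r"%PIX-2-106028: Dropping invalid echo reply from "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+) to (?P<dst_if>\w+):(?P<dst_ip>[\d.]+), "
    r"source address (?P<src_addr>[\d.]+) should not match dynamic port translation, "
    r"real (?P<real_if>\w+):(?P<real_ip>[\d.]+)/(?P<real_port>\d+), "
    r"mapped (?P<map_if>\w+):(?P<map_ip>[\d.]+)/(?P<map_port>\d+)"
)

# Sample input: line 1 is the one from the post, line 2 is constructed
# (same host, but seen on the DMZ interface where it belongs).
SAMPLE_LOG = [
    "03-08-2007 09:15:44 Local4.Critical 10.0.10.1 Mar 08 2007 09:13:34: "
    "%PIX-2-106028: Dropping invalid echo reply from inside:10.0.20.10 to "
    "outside:69.255.109.188, source address 10.0.20.10 should not match dynamic "
    "port translation, real inside:10.0.20.10/1, mapped outside:64.69.117.62/1",
    "03-08-2007 09:16:01 Local4.Critical 10.0.10.1 Mar 08 2007 09:13:51: "
    "%PIX-2-106028: Dropping invalid echo reply from dmz:10.0.20.10 to "
    "outside:69.255.109.188, source address 10.0.20.10 should not match dynamic "
    "port translation, real dmz:10.0.20.10/1, mapped outside:64.69.117.62/1",
    "03-08-2007 09:16:05 Local4.Info 10.0.10.1 Mar 08 2007 09:13:55: "
    "%PIX-6-302013: Built outbound TCP connection (unrelated line)",
]


@dataclass
class DroppedEchoReply:
    seen_on: str            # interface the PIX received the reply on ("real ...")
    real_ip: str            # untranslated source address of the reply
    mapped_ip: str          # translation the PIX matched it against (the PAT pool here)
    expected_if: Optional[str]  # interface whose subnet contains real_ip, if any

    @property
    def interface_mismatch(self) -> bool:
        """True when the address arrived on an interface other than its own subnet's."""
        return self.expected_if is not None and self.expected_if != self.seen_on


def parse_106028(line: str) -> Optional[DroppedEchoReply]:
    """Extract the fields of a %PIX-2-106028 message; None for any other line."""
    m = MSG_106028.search(line)
    if m is None:
        return None
    real_ip = ipaddress.ip_address(m["real_ip"])
    expected = next((name for name, net in INTERFACE_NETS.items() if real_ip in net), None)
    return DroppedEchoReply(
        seen_on=m["real_if"],
        real_ip=str(real_ip),
        mapped_ip=m["map_ip"],
        expected_if=expected,
    )


def diagnose(lines) -> list:
    """Return one finding per 106028 line whose real address is on the wrong interface."""
    findings = []
    for line in lines:
        event = parse_106028(line)
        if event is None or not event.interface_mismatch:
            continue
        findings.append(
            f"{event.real_ip} belongs to the {event.expected_if} subnet but was seen on "
            f"{event.seen_on}; the PIX matched it against the outside PAT address "
            f"{event.mapped_ip} instead of a static. Check for a layer-2 loop or a route "
            f"that lets DMZ traffic reach the inside interface directly."
        )
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

Running it over the sample prints a single finding for the line from the post: the reply from 10.0.20.10 arrived on inside, not dmz, which is exactly the loop the replies describe. The constructed second line, where the same host is seen on the DMZ interface, is not flagged, and the unrelated 302013 line is ignored.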
