07-26-2010 07:50 AM - edited 03-11-2019 11:16 AM
Hi,
I’m trying to configure a basic PIX firewall configuration with No NAT. The problems are:
I cannot ping from the inside network 192.168.1.0/24 to the outside interface 10.10.10.10 or to the device on the outside network 10.10.10.0/24.
I cannot ping from the dmz network 10.1.1.0/24 to the outside interface 10.10.10.10 or to the device on the outside network 10.10.10.0/24.
The dmz network and inside network can ping each other just fine. Connections between dmz and inside work.
Please help me figure out what is wrong with my configuration. It looks like I can’t make a connection from higher security to lower security interface. I thought that by default the connections from inside to outside and dmz to outside are permitted.
Thanks,
Vu
Below is my sample:
Cisco PIX version 6.3(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
ip address outside 10.10.10.10 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.10.10.20
access-list NO_NAT permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list NO_NAT permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list NO_NAT_DMZ permit ip 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
nat (dmz) 0 access-list NO_NAT_DMZ
access-list DMZ permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ permit tcp any host 10.1.1.10 eq domain
access-list DMZ permit tcp any host 10.1.1.20 eq www
access-list OUTSIDE permit icmp any any
access-list OUTSIDE permit tcp any host 192.168.1.20 eq smtp
access-list OUTSIDE permit tcp any host 192.168.1.30 eq www
access-list OUTSIDE permit tcp any host 192.168.1.40 eq 3389
access-group DMZ in interface dmz
access-group OUTSIDE in interface outside
07-26-2010 08:01 AM
First off, you shouldn't be able to ping 10.10.10.10 from the inside as it belongs to another interface on the ASA, and the way that the ASA works doesn't allow pings to any interface you are not behind.
So let's go ahead and start off with some captures.
access-list capture permit icmp any host <10.10.10.X>
access-list capture permit icmp host <10.10.10.X> any
capture capout access-list capture interface outside
capture capin access-list capture interface inside
Then get the contents of
show run access-list capture
show cap capin
show cap capout
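As an added illustration that is not part of this thread and not Cisco's code, here is a small Python model of the two rules the question and the reply above turn on: traffic from a higher-security interface to a lower-security one passes by default only while no inbound access-group is applied to the ingress interface (once one is, only its explicit permits pass and everything else hits the implicit deny at the end of the list), and an interface address is not reachable from behind a different interface. The configuration embedded below is the one posted in the question (with the `ehternet1` and `host` plus mask typos corrected); NAT is left out because the posted `nat 0` rules are identity rules, and `parse_pix()`, `evaluate()` and the sample flows are assumptions of this example rather than anything from the thread.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed for this example: the configuration posted in the question,
# with the two typos corrected. Lines the model does not use (nat, route
# other than the default) are simply ignored by the parser.
PIX_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
ip address outside 10.10.10.10 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.10.10.20
access-list DMZ permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ permit tcp any host 10.1.1.10 eq domain
access-list DMZ permit tcp any host 10.1.1.20 eq www
access-list OUTSIDE permit icmp any any
access-list OUTSIDE permit tcp any host 192.168.1.20 eq smtp
access-list OUTSIDE permit tcp any host 192.168.1.30 eq www
access-list OUTSIDE permit tcp any host 192.168.1.40 eq 3389
access-group DMZ in interface dmz
access-group OUTSIDE in interface outside
"""

PORT_NAMES = {"domain": 53, "www": 80, "smtp": 25}


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


@dataclass
class Interface:
    name: str
    security: int
    address: Optional[ipaddress.IPv4Interface] = None


@dataclass
class PixConfig:
    interfaces: dict = field(default_factory=dict)   # name -> Interface
    acls: dict = field(default_factory=dict)         # acl name -> [Ace]
    access_groups: dict = field(default_factory=dict)  # interface -> acl name
    default_route_if: Optional[str] = None


def _parse_endpoint(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_pix(text: str) -> PixConfig:
    """Read the subset of PIX 6.3 syntax the model needs (assumed parser)."""
    cfg = PixConfig()
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":                       # nameif ethernet1 inside security100
            cfg.interfaces[t[2]] = Interface(t[2], int(t[3][len("security"):]))
        elif t[:2] == ["ip", "address"]:           # ip address inside 192.168.1.1 MASK
            cfg.interfaces[t[2]].address = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[0] == "route" and t[2] == "0.0.0.0":
            cfg.default_route_if = t[1]
        elif t[0] == "access-list":
            name, action, proto = t[1], t[2], t[3]
            src, i = _parse_endpoint(t, 4)
            dst, i = _parse_endpoint(t, i)
            dport = None
            if i < len(t) and t[i] == "eq":
                dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            cfg.acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
        elif t[0] == "access-group":               # access-group DMZ in interface dmz
            cfg.access_groups[t[4]] = t[1]
    return cfg


def _ace_matches(ace, proto, src, dst, dport):
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if src not in ace.src or dst not in ace.dst:
        return False
    return ace.dport is None or ace.dport == dport


def _egress_interface(cfg, dst):
    for name, itf in cfg.interfaces.items():
        if itf.address and dst in itf.address.network:
            return name
    return cfg.default_route_if


def evaluate(cfg, ingress, proto, src, dst, dport=None):
    """Return (verdict, reason) for a flow entering on `ingress`."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # An interface address is only reachable from the network behind that interface.
    for name, itf in cfg.interfaces.items():
        if itf.address and dst == itf.address.ip and name != ingress:
            return "deny", f"{dst} is the {name} interface address, not reachable from {ingress}"
    if dst == cfg.interfaces[ingress].address.ip:
        return "permit", f"traffic to the {ingress} interface itself"
    egress = _egress_interface(cfg, dst)
    if egress is None:
        return "deny", "no route to destination"
    acl = cfg.access_groups.get(ingress)
    if acl is not None:
        # An applied ACL replaces the security-level default: first match wins, else implicit deny.
        for n, ace in enumerate(cfg.acls.get(acl, []), 1):
            if _ace_matches(ace, proto, src, dst, dport):
                return ace.action, f"access-list {acl} line {n}"
        return "deny", f"implicit deny at end of access-list {acl}"
    sec_in, sec_out = cfg.interfaces[ingress].security, cfg.interfaces[egress].security
    if sec_in > sec_out:
        return "permit", f"no ACL on {ingress}; security {sec_in} > {sec_out} ({egress})"
    return "deny", f"no ACL on {ingress}; security {sec_in} <= {sec_out} ({egress})"


if __name__ == "__main__":
    cfg = parse_pix(PIX_CONFIG)
    for flow in [("inside", "icmp", "192.168.1.50", "10.10.10.20"),
                 ("inside", "icmp", "192.168.1.50", "10.10.10.10"),
                 ("dmz", "icmp", "10.1.1.10", "10.10.10.20"),
                 ("dmz", "tcp", "10.1.1.10", "192.168.1.30", 80)]:
        print(flow, "->", evaluate(cfg, *flow))
```

Run against the posted rules, the model reports the inside-to-10.10.10.20 ping as permitted by the security-level default, the ping to 10.10.10.10 from inside as denied because it is the outside interface's own address, and the dmz-to-10.10.10.20 ping as denied by the implicit deny of the DMZ list, which has no line permitting dmz sources to 10.10.10.0/24. The model says nothing about what happens on the far side (return routes, ICMP reply handling), which is exactly why the reply above asks for captures on both interfaces before drawing conclusions.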
07-29-2010 08:25 AM
Hi August,
Thanks for the advice. I got it.
Vu