Connectivity issue PIX
03-06-2014 12:44 AM - edited 03-11-2019 08:54 PM
Hello,
I have a PIX firewall with inside, outside, dmz1 and dmz2 interface.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security80
nameif ethernet3 dmz2 security70
I can run icmp echo request from inside to dmz1 and dmz2 well. However, I can't run icmp echo request from dmz1 to dmz2, but if I run icmp echo request from dmz2 to dmz1, later I can run icmp echo request from dmz1 to dmz2.
It seems like an issue with ARP, but I don't know. What can be happening?
Thanks, best regards.
Labels: NGFW Firewalls
03-06-2014 03:48 AM
It sounds like a static NAT issue. Can you post your config?
Jon
03-06-2014 11:15 AM
Hello Jon,
The config is the following:
nat (inside) 0 192.168.0.0 255.255.0.0 0 0
nat (dmz1) 0 192.168.1.0 255.255.255.0 0 0
nat (dmz2) 0 192.168.2.0 255.255.255.0 0 0
static (inside,dmz2) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
static (dmz1,dmz2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
access-list dmz1 permit tcp any any
access-list dmz1 permit udp any any
access-list dmz2 permit icmp any any
access-list dmz2 permit tcp any any
access-list dmz2 permit udp any any
I don't know what's happening but I can't run icmp echo request from 192.168.2.0 to 192.168.1.0. Do I have to configure something else?
03-06-2014 11:38 AM
What security levels are dmz1 and dmz2 ?
Jon
03-06-2014 12:01 PM
Hi Jon,
The security levels are:
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security80
nameif ethernet3 dmz2 security70
It's weird because if I run icmp echo from 192.168.1.0 to 192.168.2.0, later I can run icmp echo request from 192.168.2.0 to 192.168.1.0. It seems like something to do with ARP.
What about this? Should I remove these lines?
sysopt noproxyarp inside
sysopt noproxyarp dmz1
sysopt noproxyarp dmz2
Thanks a lot, best regards.
03-06-2014 12:09 PM
Can you try enabling proxyarp on the dmz2 interface and retest?
Before you do the above can you clear the arp table and the xlate table (assuming this is not an active production firewall with active connections).
If this doesn't work then please post the full configuration.
Jon
03-13-2014 03:58 AM
Hello Jon,
Thank you very much, it was a static NAT issue.
Thanks, best regards.
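The thread ends with "it was a static NAT issue" but never says which line was wrong. The rule Jon was pointing at is a general PIX 6.x behaviour: a connection initiated from a lower-security interface toward a higher-security one is admitted only if the destination is reachable through a translation (a static, or an xlate already built by earlier outbound traffic) and the lower interface's access-list permits it; an identity `nat (if) 0 net mask` line with no access-list still builds per-host xlates when hosts behind it send outbound. That explains the "works after I ping the other way first" symptom. The following is an added toy model of that rule written for this thread, not Cisco code and not the poster's configuration: it reuses the interface names, security levels, `nat 0` networks and ACL protocols from the posts, but the "broken" configuration in it is constructed with the `static (dmz1,dmz2)` line removed to reproduce the symptom, and it assumes the access-lists are applied inbound on their interfaces with `access-group` (lines the thread does not show). Host addresses such as 192.168.2.10 are made up.

```python
"""Toy model of the PIX 6.x security-level and translation rules that decide
whether a NEW connection is admitted. Constructed example; not Cisco code."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass
class Static:
    high_if: str          # interface that owns the real hosts, e.g. "dmz1"
    low_if: str           # lower-security interface the static is published on
    mapped: IPv4Network   # address block made reachable from low_if


@dataclass
class Pix:
    security: dict                            # interface -> security level
    nat0: dict                                # interface -> networks from `nat (if) 0 net mask` (no access-list)
    statics: list                             # Static entries
    acl: dict                                 # interface -> protocols its inbound access-list permits
    xlates: set = field(default_factory=set)  # (interface, host) entries built by outbound traffic

    def _identity_nat(self, iface, ip):
        return any(ip in net for net in self.nat0.get(iface, []))

    def _static(self, high_if, low_if, ip):
        return any(s.high_if == high_if and s.low_if == low_if and ip in s.mapped
                   for s in self.statics)

    def connection_allowed(self, src_if, dst_if, src, dst, proto="icmp"):
        """True if a first packet src->dst would be admitted; records xlates as a side effect."""
        src, dst = ip_address(src), ip_address(dst)
        if self.security[src_if] > self.security[dst_if]:
            # High -> low: the source needs a translation. Identity nat 0 supplies
            # one and builds a per-host xlate on the lower interface as it does so.
            if self._identity_nat(src_if, src) or self._static(src_if, dst_if, src):
                self.xlates.add((dst_if, src))
                return True
            return False
        # Low -> high: the destination must be reachable through a static or an
        # xlate that already exists, AND the source interface's ACL must permit it.
        translated = self._static(dst_if, src_if, dst) or (src_if, dst) in self.xlates
        return translated and proto in self.acl.get(src_if, set())


# Values taken from the thread (assumption: the ACLs are applied with access-group).
SECURITY = {"outside": 0, "inside": 100, "dmz1": 80, "dmz2": 70}
NAT0 = {
    "inside": [ip_network("192.168.0.0/16")],
    "dmz1": [ip_network("192.168.1.0/24")],
    "dmz2": [ip_network("192.168.2.0/24")],
}
ACL = {"dmz1": {"tcp", "udp"}, "dmz2": {"icmp", "tcp", "udp"}}

# Constructed host addresses for the demonstration.
DMZ1_HOST, DMZ2_HOST, INSIDE_HOST = "192.168.1.10", "192.168.2.10", "192.168.0.5"


def pix_missing_static():
    """Constructed 'broken' box: no static publishing dmz1 on dmz2."""
    return Pix(SECURITY, NAT0, [], ACL)


def pix_with_static():
    """Same box with `static (dmz1,dmz2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0`."""
    return Pix(SECURITY, NAT0, [Static("dmz1", "dmz2", ip_network("192.168.1.0/24"))], ACL)


def reproduce_symptom():
    """Without the static: dmz2->dmz1 fails cold, then works once a dmz1->dmz2
    ping has built an xlate for that dmz1 host on the dmz2 interface."""
    pix = pix_missing_static()
    cold = pix.connection_allowed("dmz2", "dmz1", DMZ2_HOST, DMZ1_HOST)
    outbound = pix.connection_allowed("dmz1", "dmz2", DMZ1_HOST, DMZ2_HOST)
    warm = pix.connection_allowed("dmz2", "dmz1", DMZ2_HOST, DMZ1_HOST)
    return cold, outbound, warm  # (False, True, True)


def with_static():
    """With the static in place the cold dmz2->dmz1 ping is admitted immediately."""
    return pix_with_static().connection_allowed("dmz2", "dmz1", DMZ2_HOST, DMZ1_HOST)


def inside_reaches_both():
    """inside(100) -> dmz1/dmz2 only needs the identity nat 0 on inside."""
    pix = pix_missing_static()
    return (pix.connection_allowed("inside", "dmz1", INSIDE_HOST, DMZ1_HOST),
            pix.connection_allowed("inside", "dmz2", INSIDE_HOST, DMZ2_HOST))


if __name__ == "__main__":
    print("cold / outbound / warm without static:", reproduce_symptom())
    print("cold with static:", with_static())
    print("inside -> dmz1, dmz2:", inside_reaches_both())
```

The xlate the model records is per host, which matches why the poster saw the reverse direction open up only "later" and only for the pair that had just talked: a static is the deterministic way to make the lower-to-higher direction work, while relying on xlates left behind by outbound traffic gives exactly the intermittent behaviour described in the first post. Jon's suggestion to clear the xlate table before retesting is what removes that state so the test reflects the configuration rather than history.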
