Connectivity issue PIX

CSCO11983020
Level 1

Hello,

I have a PIX firewall with inside, outside, dmz1 and dmz2 interface.

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz1 security80

nameif ethernet3 dmz2 security70

I can run ICMP echo requests from inside to dmz1 and dmz2 fine. However, I can't run ICMP echo requests from dmz1 to dmz2, but if I run an ICMP echo request from dmz2 to dmz1, afterwards I can run ICMP echo requests from dmz1 to dmz2.

It seems to be an issue with ARP, but I don't know. What could be happening?

Thanks, best regards.

6 Replies

Jon Marshall
Hall of Fame

It sounds like a static NAT issue. Can you post your config?

Jon

Hello Jon,

The config is the following:

nat (inside) 0 192.168.0.0 255.255.0.0 0 0

nat (dmz1) 0 192.168.1.0 255.255.255.0 0 0

nat (dmz2) 0 192.168.2.0 255.255.255.0 0 0

static (inside,dmz2) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0

static (dmz1,dmz2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

access-list dmz1 permit tcp any any

access-list dmz1 permit udp any any

access-list dmz2 permit icmp any any

access-list dmz2 permit tcp any any

access-list dmz2 permit udp any any

I don't know what's happening, but I can't run ICMP echo requests from 192.168.2.0 to 192.168.1.0. Do I have to configure something else?

What security levels are dmz1 and dmz2?

Jon

Hi Jon,

The security levels are:

nameif ethernet1 inside security100

nameif ethernet2 dmz1 security80

nameif ethernet3 dmz2 security70

It's weird because if I run an ICMP echo request from 192.168.1.0 to 192.168.2.0, afterwards I can run ICMP echo requests from 192.168.2.0 to 192.168.1.0. It seems to be something to do with ARP.

What about this? Should I remove these lines?

sysopt noproxyarp inside

sysopt noproxyarp dmz1

sysopt noproxyarp dmz2

Thanks a lot, best regards.

Can you try enabling proxyarp on the dmz2 interface and retest?

Before you do the above, can you clear the ARP table and the xlate table (assuming this is not an active production firewall with active connections)?

If this doesn't work then please post the full configuration.

Jon
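To make the troubleshooting sequence in Jon's reply concrete, here is the set of PIX 6.x commands it corresponds to. This is an added example, not part of either poster's reply, and the exact static NAT change that resolved the thread is not given on the page, so the block only shows how to check the translation and ARP state before and after a change. It assumes the interface names (dmz1, dmz2) and the access-list names from the posted config; lines beginning with `:` are comment lines and are ignored by the PIX.

```cisco
: Added troubleshooting sequence for the dmz1 <-> dmz2 ping problem
: (example only, not from the thread). Assumes the interface and
: access-list names shown in the posted config.

: 1. Check the translation rules that apply between the two DMZs.
:    dmz1 (security 80) -> dmz2 (security 70) is high-to-low and needs
:    a nat/global or static on dmz1; dmz2 -> dmz1 is low-to-high and
:    needs a static (dmz1,dmz2) for the dmz1 hosts plus an ACL on dmz2
:    that permits the traffic.
show static
show nat
show access-list dmz1
show access-list dmz2
:    Caveat: unless ICMP inspection is on (fixup protocol icmp, PIX 6.3),
:    an echo reply is a separate flow and must itself be permitted by
:    the ACL applied to the interface on which it arrives.

: 2. Clear state so the test does not reuse a translation or ARP entry
:    left over from an earlier ping in the opposite direction (only on
:    a firewall that is not carrying production connections).
clear xlate
clear arp

: 3. Watch the ICMP path while the ping is run in the failing
:    direction. Each echo request should show an inbound leg on one DMZ
:    and an outbound leg on the other, and the reply the reverse; a
:    request with no matching outbound leg, or a reply that never
:    appears, points at the translation or ACL for that direction.
debug icmp trace
: ... run the ping from the DMZ host now ...
no debug icmp trace

: 4. See which translation and ARP entries the ping actually built.
show xlate
show arp

: 5. Per the reply above: re-enable proxy ARP on the mapped interface
:    for the test, then repeat steps 2-4.
configure terminal
no sysopt noproxyarp dmz2
exit
```

Run step 2 immediately before the test ping; the point of the thread's symptom (one direction only works after the other has been tried) is that a stale xlate or ARP entry from the earlier ping can mask the real translation behaviour, so a result taken without clearing state first is not conclusive.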

Hello Jon,


Thank you very much, it was a static NAT issue.


Thanks, best regards.
