10-19-2005 03:29 PM - edited 02-21-2020 12:28 AM
Hi,
When I try to ping a database server from a web server through an internal Pix 506e I get Deny icmp src outside:WebtoPixDMZ dest inside :Database by access group acl_sql
The web server is connected to the outside interface of the Pix, while the database server is connected to the inside interface of the Pix.
I can ping from the database to the Web server.
Here is the Pix config:
hostname xxxx
names
name 192.168.7.1 WebtoPixDMZ
name 192.168.7.2 PixDMZtoWeb
name 192.168.8.1 PixDMZtoSrvrp
name 192.168.8.2 Database
access-list acl_sql permit icmp any any echo-reply
access-list acl_sql permit icmp any any time-exceeded
access-list acl_sql permit icmp any any unreachable
access-list acl_sql permit tcp any any eq 1433
icmp permit any outside
icmp permit any inside
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group acl_sql in interface outside
route outside 0.0.0.0 0.0.0.0 PixDMZtoWeb
route outside 192.168.6.0 255.255.255.0 192.168.7.1 1
sh route
outside 0.0.0.0 0.0.0.0 PixDMZtoweb 1 OTHER static
outside 192.168.6.0 255.255.255.0 192.168.7.1 1 OTHER static
outside 192.168.7.0 255.255.255.0 PixDMZtoweb 1 CONNECT static
inside 192.168.8.0 255.255.255.0 PixDMZtoSrvrp 1 CONNECT static
Any ideas where I am going wrong?
thanks
10-19-2005 06:04 PM
Static command is missing.
static (inside,outside)
clear xlate
Then, for the web server accessing/pinging the database server, you just need to point to the private IP.
nat 0 may not work with inbound traffic, as the PIX treats it more like a one-way translation, whereas static is a two-way thing.
In case you don't want to NAT at all, then instead of the static above, you can:
static (inside,outside)
10-20-2005 11:31 AM
Thanks Jacko, once again.
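An added example, not part of the original posts: a minimal first-match evaluator for the acl_sql entries quoted in the question, showing which packets arriving on the outside interface match a permit line and which fall through to the implicit deny that ends every access list. The sample packets and the function names are constructed for illustration, and only the "any any" entry form used in the post is parsed.

```python
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}

# Entries copied from the posted config; bound inbound on the outside interface.
ACL_SQL = """\
access-list acl_sql permit icmp any any echo-reply
access-list acl_sql permit icmp any any time-exceeded
access-list acl_sql permit icmp any any unreachable
access-list acl_sql permit tcp any any eq 1433
"""

def parse_acl(text):
    """Parse 'access-list NAME ACTION PROTO any any [icmp-type | eq PORT]' lines."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, proto, src, dst, rest = tok[2], tok[3], tok[4], tok[5], tok[6:]
        if (src, dst) != ("any", "any"):
            raise ValueError("only the 'any any' form from the post is handled: " + line)
        if proto == "icmp" and rest:
            match = ICMP_TYPES[rest[0]]      # ICMP type number
        elif proto == "tcp" and rest[:1] == ["eq"]:
            match = int(rest[1])             # destination port
        else:
            match = None                     # no qualifier: matches the whole protocol
        entries.append((action, proto, match, line))
    return entries

def evaluate(entries, proto, value):
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for action, e_proto, match, line in entries:
        if e_proto == proto and match in (None, value):
            return action, line
    return "deny", "implicit deny at end of acl_sql"

# Constructed sample packets arriving on the outside interface.
SAMPLES = [
    ("icmp", ICMP_TYPES["echo"], "ping request, web server -> Database"),
    ("icmp", ICMP_TYPES["echo-reply"], "reply to a ping the Database sent"),
    ("tcp", 1433, "TCP 1433 connection"),
    ("tcp", 80, "TCP 80 connection"),
]

if __name__ == "__main__":
    acl = parse_acl(ACL_SQL)
    for proto, value, label in SAMPLES:
        action, why = evaluate(acl, proto, value)
        print(f"{action:6} {label:38} <- {why}")
```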