NAT Problem in PIX 525

turbo_engine26
Level 4

Hello All,

I have a PIX 525 configured with 3 interfaces (inside, outside, DMZ). This PIX is connected to a Cisco core 4100R switch. I want to let a specific VLAN with a subnet (10.2.0.0) remote desktop and ping the DMZ web and mail servers. However, after I created a dynamic NAT and an access-list, users in this VLAN still cannot ping or RDP to the servers. Please check the following config:

global (outside) 1 192.168.1.11
global (dmz) 1 10.11.0.130-10.11.0.135 netmask 255.255.255.0
nat (inside) 1 10.2.0.0 255.255.0.0
access-list outgoing extended permit ip 10.2.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list outgoing extended permit icmp 10.2.0.0 255.255.0.0 10.11.0.0 255.255.0.0 echo
access-list outgoing extended permit icmp 10.2.0.0 255.255.0.0 10.11.0.0 255.255.0.0 echo-reply
access-group outgoing in interface inside

Notice:
DMZ: 10.11.0.0/24
inside VLAN: 10.2.0.0/16
Web server: 10.11.0.13
Mail server: 10.11.0.12

Please correct me if I am wrong.

Thank You

11 Replies

huynhkhay
Level 1

Hi,

Your configuration seems OK to me...

Maybe, you can:

- try the command "clear xlate" which clears the translation table on your PIX

- make sure that you can RDP and ping your servers, EVEN if you are in the DMZ (try with a host in the DMZ)

- Check PIX logs and verify that no packets are dropped

- No nat from the inside to the DMZ:

static (inside,dmz) 10.2.0.0 10.2.0.0 netmask 255.255.0.0 0 0 and check if it works

Maybe other people will have accurate suggestions...

Thanks for giving us an update on your case.

todh
Level 1

What version of code is this PIX running? Your config looks OK with regard to traffic going from the inside to the DMZ. Depending on the version, traffic may be treated differently.

Perhaps this is because you are using a /16 mask in the ACLs, but in your global you are using a /24 mask....

Hello walker,

Actually, the mask in the access-list is not a real subnet mask; it's a wildcard mask to distinguish between hosts and subnets, and that's it. In global commands, the mask is the real subnet mask.

My PIX is running OS 7.0(1), and I am really wondering why it's not working since my config is okay. And yes, I can RDP and ping the servers from a host in the DMZ too.

Any other suggestions?!!

Are there other ACL entries in the access-list that's applied to the inside interface? Assuming a security level of 100, all traffic to other interfaces should be allowed without an ACL.

You probably don't need to NAT when going from the inside to the DMZ interface. As one other person suggested, just static NAT the 10.2.0.0 subnet to itself, or do it with a nat 0 command (which is what I use to get to my DMZ). I assume your PIX knows how to get back to the 10.2.0.0 subnet? (A ping from the PIX to a 10.2.x.x host can confirm this.)

Hi,

You need to open the echo reply path from the dmz to the inside network,

access-list incoming extended permit icmp 10.11.0.0 255.255.0.0 10.11.0.0 255.255.0.0 echo-reply

access-group incoming in interface dmz

Check whether the routing is OK or not (route inside)...

For the remote desktop, you can also check whether the service is running on the server or not.

I hope this helps, please rate if it does.

Best regards,

Hello oabduo,

Yes, I already opened the ICMP echo-reply path from DMZ to inside, and nothing new.

access-list DMZ_access_in permit icmp 10.11.0.0 255.255.0.0 10.2.0.0 255.255.0.0

access-group DMZ_access_in in interface dmz

But thanks for your suggestion anyways :)

Hope more suggestions are on my way soon.

Turbo

Hello Turbo,

Notice the destination which I have included in my extended access-list,

access-list DMZ_access_in permit icmp 10.11.0.0 255.255.0.0 10.11.0.0 255.255.0.0 echo-reply

This is because when you access from a low security zone to a high security zone you need to access the translated IP not the actual IP.

Please include that access-list... if confused include the following instead, just for testing:

access-list DMZ_access_in permit icmp any any echo-reply

Don't forget the access-group command...

Best regards,

fausto-oliveira
Level 1

Hello, can you do a "show conn detail" while you are attempting to access the Terminal Server?

Post the output please (hide real IP addresses if public).

Best Regards

Hi... you could try this, assuming the security level of the inside interface is higher than that of the DMZ.

Make sure you enable the default policy map that provides application inspection, and make sure "inspect icmp" is present.

class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect sqlnet
  inspect h323 ras
  inspect xdmcp
  inspect tftp
  inspect icmp error
  inspect rtsp
  inspect sunrpc
  inspect mgcp
  inspect esmtp
  inspect netbios
  inspect sip
  inspect pptp
  inspect ctiqbe
  inspect snmp
  inspect http
  inspect icmp
  inspect rsh
  inspect ftp
  inspect ils
  inspect h323 h225
  inspect dns
  inspect skinny
!
service-policy global-policy global

access-list outgoing extended permit icmp 10.2.0.0 255.255.0.0 10.11.0.0 255.255.255.0
access-list outgoing extended permit tcp 10.2.0.0 255.255.0.0 10.11.0.0 255.255.255.0 eq 3389
access-group outgoing in interface inside

access-list Inside_Out_nonat extended permit ip 10.2.0.0 255.255.0.0 10.11.0.0 255.255.255.0
nat (inside) 0 access-list Inside_Out_nonat

clear xlate

I hope it helps .. please rate it if it does !!!
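Added example, not code from the thread or from Cisco: a small Python model of the PIX 7.0 translation order (NAT exemption, then static, then dynamic nat/global) and of first-match ACL evaluation, built from the addresses posted in this thread. It shows the point made in the two replies above: under the original dynamic NAT an inside host appears on the DMZ as one of 10.11.0.130-135, so a DMZ ACL that permits echo-reply to 10.2.0.0/16 never matches, while NAT exemption (nat 0 access-list) keeps the real 10.2.x.x address and the same ACL matches. PIX access-list, nat and static masks are real subnet masks (not IOS-style wildcards), and the model parses them that way. Assumptions I made for illustration: a new xlate takes the first pool address, untranslated traffic falls through unchanged (as without nat-control), and the identity static from huynhkhay's reply is encoded as IDENTITY_STATIC. Client address 10.2.1.50 is constructed sample input.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model of PIX 7.0 translation precedence and ACL matching for
# inside (10.2.0.0/16) -> dmz (10.11.0.0/24). Example code, not Cisco's.

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


def net(addr: str, mask: str) -> IPv4Net:
    """PIX access-list/nat/static masks are subnet masks, not wildcards."""
    return IPv4Net(f"{addr}/{mask}", strict=False)


@dataclass
class Ace:
    action: str
    proto: str
    src: IPv4Net
    dst: IPv4Net
    port: Optional[int] = None        # "eq N" for tcp/udp
    icmp_type: Optional[str] = None   # e.g. "echo", "echo-reply"


def _addr(t: List[str], i: int) -> Tuple[IPv4Net, int]:
    if t[i] == "any":
        return IPv4Net("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return IPv4Net(t[i + 1] + "/32"), i + 2
    return net(t[i], t[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]'."""
    t = line.split()
    if t[2] == "extended":
        del t[2]
    action, proto = t[2], t[3]
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    rest = t[i:]
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    icmp_type = rest[0] if rest and proto == "icmp" else None
    return Ace(action, proto, src, dst, port, icmp_type)


def acl_permits(acl: List[Ace], proto: str, src: IPv4Addr, dst: IPv4Addr,
                port: Optional[int] = None, icmp_type: Optional[str] = None) -> bool:
    """First matching ACE wins; an applied access-list ends with an implicit deny."""
    for a in acl:
        if a.proto not in ("ip", proto) or src not in a.src or dst not in a.dst:
            continue
        if a.port is not None and a.port != port:
            continue
        if a.icmp_type is not None and a.icmp_type != icmp_type:
            continue
        return a.action == "permit"
    return False


@dataclass
class NatConfig:
    exempt: List[Tuple[str, List[Ace]]] = field(default_factory=list)                # nat (IF) 0 access-list ACL
    statics: List[Tuple[str, str, IPv4Net, IPv4Net]] = field(default_factory=list)   # static (REAL_IF,MAPPED_IF) MAPPED REAL
    dynamic: Dict[int, Tuple[str, IPv4Net]] = field(default_factory=dict)            # nat (IF) ID NET MASK
    pools: Dict[Tuple[str, int], List[IPv4Addr]] = field(default_factory=dict)       # global (IF) ID A-B


def translate(cfg: NatConfig, in_if: str, out_if: str, src: IPv4Addr, dst: IPv4Addr) -> Tuple[IPv4Addr, str]:
    """Source address the out_if side sees, following PIX 7.0 precedence."""
    for iface, acl in cfg.exempt:                      # 1. NAT exemption: no translation
        if iface == in_if and acl_permits(acl, "ip", src, dst):
            return src, "exempt"
    for real_if, mapped_if, mapped, real in cfg.statics:   # 2. static (identity if mapped == real)
        if (real_if, mapped_if) == (in_if, out_if) and src in real:
            return mapped.network_address + (int(src) - int(real.network_address)), "static"
    for nat_id, (iface, real) in cfg.dynamic.items():  # 3. dynamic nat + global pool on egress
        pool = cfg.pools.get((out_if, nat_id))
        if iface == in_if and src in real and pool:
            return pool[0], "dynamic"                   # assumed: first pool address is free
    return src, "none"                                  # assumed: passes untranslated (no nat-control)


def echo_reply_permitted(cfg: NatConfig, dmz_acl: List[Ace], client: str, server: str) -> Tuple[bool, str, str]:
    """Without 'inspect icmp' the echo-reply is a fresh inbound packet on dmz, so the dmz
    ACL must permit it, and its destination is the client's *translated* address."""
    c, s = IPv4Addr(client), IPv4Addr(server)
    mapped, how = translate(cfg, "inside", "dmz", c, s)
    return acl_permits(dmz_acl, "icmp", s, mapped, icmp_type="echo-reply"), how, str(mapped)


def rdp_permitted(inside_acl: List[Ace], client: str, server: str) -> bool:
    """TCP is tracked statefully, so only the inside ACL has to allow the SYN."""
    return acl_permits(inside_acl, "tcp", IPv4Addr(client), IPv4Addr(server), port=3389)


# The original poster's NAT: inside hosts appear on the dmz as 10.11.0.130-135.
OP_NAT = NatConfig(
    dynamic={1: ("inside", net("10.2.0.0", "255.255.0.0"))},
    pools={("outside", 1): [IPv4Addr("192.168.1.11")],
           ("dmz", 1): [IPv4Addr(f"10.11.0.{h}") for h in range(130, 136)]},
)
# NAT exemption from the reply above: inside hosts keep their real 10.2.x.x address.
EXEMPT_NAT = NatConfig(exempt=[("inside", [parse_ace(
    "access-list Inside_Out_nonat extended permit ip 10.2.0.0 255.255.0.0 10.11.0.0 255.255.255.0")])])
# Identity static from the first reply: static (inside,dmz) 10.2.0.0 10.2.0.0 netmask 255.255.0.0
IDENTITY_STATIC = NatConfig(statics=[("inside", "dmz", net("10.2.0.0", "255.255.0.0"), net("10.2.0.0", "255.255.0.0"))])

INSIDE_ACL = [parse_ace("access-list outgoing extended permit ip 10.2.0.0 255.255.0.0 10.11.0.0 255.255.0.0")]
DMZ_ACL_REAL = [parse_ace("access-list DMZ_access_in permit icmp 10.11.0.0 255.255.0.0 10.2.0.0 255.255.0.0 echo-reply")]
DMZ_ACL_MAPPED = [parse_ace("access-list DMZ_access_in permit icmp 10.11.0.0 255.255.0.0 10.11.0.0 255.255.0.0 echo-reply")]

if __name__ == "__main__":
    for label, cfg, acl in [("dynamic NAT, dmz ACL to 10.2.0.0/16", OP_NAT, DMZ_ACL_REAL),
                            ("dynamic NAT, dmz ACL to 10.11.0.0/16", OP_NAT, DMZ_ACL_MAPPED),
                            ("NAT exemption, dmz ACL to 10.2.0.0/16", EXEMPT_NAT, DMZ_ACL_REAL)]:
        print(label, "->", echo_reply_permitted(cfg, acl, "10.2.1.50", "10.11.0.13"))
```

Two practical checks follow from the model: under dynamic NAT, "show xlate" on the PIX shows which 10.11.0.13x address the client was given, and that is the address the DMZ ACL has to permit the echo-reply to; with "inspect icmp" in the global policy, echo and echo-reply are tracked as one connection and no DMZ ACL is needed for the reply at all, which is why the suggestion above pairs the inspection with NAT exemption. The mirrored evaluation that NAT exemption also does for DMZ-initiated traffic is not modelled here.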

Hello Guys,

Please allow me to explain once again. I want to RDP and ping the DMZ servers by their same IP addresses, i.e. RDP/ping to 10.11.0.12 (mail srv) and RDP/ping to 10.11.0.13 (web srv). I have used every kind of NAT in the world, but it is still not working, sorry.

I think the best way to RDP/Ping with the same servers addresses is the NAT exemption..

Please check this out!!

access-list Exempt extended permit ip 10.11.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (dmz) 0 access-list Exempt

But the problem still exists.

Any ideas?!!

Turbo
