09-20-2006 11:44 AM - edited 02-21-2020 01:11 AM
Hello All,
I have a PIX 525 configured with 3 interfaces (inside, outside, DMZ). This PIX is connected to a Cisco core 4100R switch. I want to let a specific VLAN with subnet 10.2.0.0 remote desktop to and ping the DMZ web and mail servers. However, after I created a dynamic NAT and access-list, users in this VLAN still cannot ping or RDP to the servers. Please check the following config:
global (outside) 1 192.168.1.11
global (dmz) 1 10.11.0.130-10.11.0.135 netmask 255.255.255.0
nat (inside) 1 10.2.0.0 255.255.0.0
access-list outgoing extended permit ip 10.2.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list outgoing extended permit icmp 10.2.0.0 255.255.0.0 10.11.0.0 255.255.0.0 echo
access-list outgoing extended permit icmp 10.2.0.0 255.255.0.0 10.11.0.0 255.255.0.0 echo-reply
access-group outgoing in interface inside
Notice:
DMZ : 10.11.0.0/24
inside VLAN: 10.2.0.0/16
Web server: 10.11.0.13
Mail server: 10.11.0.12
Please correct me if I am wrong.
Thank You
09-20-2006 11:30 PM
Hi,
Your configuration seems ok to me...
Maybe, you can:
- try the command "clear xlate" which clears the translation table on your PIX
- make sure that you can RDP and ping your servers, EVEN if you are in the DMZ (try with a host in the DMZ)
- Check PIX logs and verify that no packets are dropped
- No nat from the inside to the DMZ:
static (inside,dmz) 10.2.0.0 10.2.0.0 netmask 255.255.0.0 0 0 and check if it works
Maybe other people will have accurate suggestions...
Thanks for giving us an update about your case.
09-21-2006 09:49 AM
What version of code is this PIX running? Your config looks ok with regards to traffic going from the inside to DMZ. Depending on the version traffic may be treated differently.
09-21-2006 01:25 PM
Perhaps this is because you are using a /16 mask in the ACLs, but in your global you are using a /24 mask....
09-22-2006 10:16 AM
Hello walker,
Actually, the mask in the access-list is not a real subnet mask but a wildcard mask to distinguish between hosts and subnets, and that's it. In global commands, the mask is the real subnet mask.
My PIX is running OS 7.0(1) and I am really wondering why it's not working since my config is okay. And yes, I can RDP and ping the servers from a host in the DMZ too.
Any other suggestions?!!
09-23-2006 08:34 PM
Are there other ACL entries in your access-list that's applied to the inside interface?? Assuming a security level of 100, all traffic to other interfaces should be allowed... without an ACL.
You probably don't need to NAT when going from the inside to the DMZ interface... as one other person suggested, just static NAT the 10.2.0.0 subnet to itself, or do it with a nat 0 command (which is what I use to get to my DMZ). I assume your PIX knows how to get back to the 10.2.0.0 subnet? (A ping from the PIX to a 10.2.x.x host can confirm this.)
09-24-2006 12:32 AM
Hi,
You need to open the echo-reply path from the DMZ to the inside network:
access-list incoming extended permit icmp 10.11.0.0 255.255.0.0 10.11.0.0 255.255.0.0 echo-reply
access-group incoming in interface dmz
Check whether the routing is OK or not (route inside)...
For the remote desktop, you can also check whether the service is running on the server or not.
I hope this helps, please rate if it does.
Best regards,
09-24-2006 01:08 PM
Hello oabduo,
Yes, I already opened the ICMP echo-reply path from DMZ to inside and nothing new.
access-list DMZ_access_in permit icmp 10.11.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-group DMZ_access_in in interface dmz
But thanks for your suggestion anyways :)
Hope more suggestions are on my way soon.
Turbo
09-24-2006 11:55 PM
Hello Turbo,
Notice the destination which I have included in my extended access-list,
access-list DMZ_access_in permit icmp 10.11.0.0 255.255.0.0 10.11.0.0 255.255.0.0 echo-reply
This is because when you access from a low security zone to a high security zone you need to access the translated IP not the actual IP.
Please include that access-list... if confused include the following instead, just for testing:
access-list DMZ_access_in permit icmp any any echo-reply
Don't forget the access-group command...
Best regards,
09-24-2006 06:08 AM
Hello, can you do a show conn detail when you are attempting to access the Terminal Server?
Post the output please (hide real IP addresses if public).
Best Regards
09-25-2006 09:34 PM
Hi .. you could try this, assuming the security level for the inside interface is higher than the security level for the DMZ.
Make sure you enable the default policy map for providing application inspection. Make sure inspect icmp is present:
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
inspect sqlnet
inspect h323 ras
inspect xdmcp
inspect tftp
inspect icmp error
inspect rtsp
inspect sunrpc
inspect mgcp
inspect esmtp
inspect netbios
inspect sip
inspect pptp
inspect ctiqbe
inspect snmp
inspect http
inspect icmp
inspect rsh
inspect ftp
inspect ils
inspect h323 h225
inspect dns
inspect skinny
!
service-policy global-policy global
access-list outgoing extended permit icmp 10.2.0.0 255.255.0.0 10.11.0.0 255.255.255.0
access-list outgoing extended permit tcp 10.2.0.0 255.255.0.0 10.11.0.0 255.255.255.0 eq 3389
access-group outgoing in interface inside
access-list Inside_Out_nonat extended permit ip 10.2.0.0 255.255.0.0 10.11.0.0 255.255.255.0
nat (inside) 0 access-list Inside_Out_nonat
clear xlate
I hope it helps .. please rate it if it does !!!
10-02-2006 06:19 AM
Hello Guys,
Please allow me to explain once again. I want to RDP and ping the DMZ servers by their same IP addresses, i.e. RDP/Ping to 10.11.0.12 (mail srv) and RDP/Ping to 10.11.0.13 (web srv). I used all the kinds of NAT in the world but it is still not working, sorry.
I think the best way to RDP/Ping with the same servers addresses is the NAT exemption..
Please check this out!!
access-list Exempt extended permit ip 10.11.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (dmz) 0 access-list Exempt
But the problem still exists.
Any ideas?!!
Turbo
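As an added illustration (not code from anyone on this thread), the following Python evaluates PIX-style access-list entries from the posts above against constructed flows. It shows why the reply ACE on the dmz interface has to match the address the inside host actually appears as on the DMZ: the global (dmz) pool address when the inside hosts are translated, or the real 10.2.x.x address when they are exempted with nat 0. The flows and addresses below are constructed samples.

```python
import ipaddress

def _addr(tok, i):
    """Parse one address field of a PIX ACE: any | host A | A MASK (real subnet mask)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]"""
    tok = line.split()
    i = 3 if tok[2] == "extended" else 2
    action, proto = tok[i], tok[i + 1]
    src, i = _addr(tok, i + 2)
    dst, i = _addr(tok, i)
    rest = tok[i:]
    qual = int(rest[1]) if rest[:1] == ["eq"] else (rest[0] if rest else None)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "qual": qual}

def ace_matches(ace, flow):
    if ace["proto"] not in ("ip", flow["proto"]):
        return False
    if ipaddress.ip_address(flow["src"]) not in ace["src"]:
        return False
    if ipaddress.ip_address(flow["dst"]) not in ace["dst"]:
        return False
    if ace["qual"] is None:
        return True
    key = "icmp_type" if ace["proto"] == "icmp" else "dport"
    return flow.get(key) == ace["qual"]

def first_match(acl, flow):
    """Action of the first matching ACE; implicit deny at the end, as on the PIX."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace["action"]
    return "deny"

# ACEs quoted from the thread (inside-to-DMZ, and the suggested DMZ reply path)
OUTGOING = [parse_ace(l) for l in (
    "access-list outgoing extended permit icmp 10.2.0.0 255.255.0.0 10.11.0.0 255.255.255.0",
    "access-list outgoing extended permit tcp 10.2.0.0 255.255.0.0 10.11.0.0 255.255.255.0 eq 3389")]
DMZ_IN = [parse_ace(
    "access-list DMZ_access_in permit icmp 10.11.0.0 255.255.0.0 10.11.0.0 255.255.0.0 echo-reply")]

# Constructed sample flows (10.2.5.20 is a hypothetical inside host)
RDP = {"proto": "tcp", "src": "10.2.5.20", "dst": "10.11.0.13", "dport": 3389}
PING = {"proto": "icmp", "src": "10.2.5.20", "dst": "10.11.0.12", "icmp_type": "echo"}
# Reply destined to the global (dmz) pool address the inside host was translated to
REPLY_TO_POOL = {"proto": "icmp", "src": "10.11.0.12", "dst": "10.11.0.130", "icmp_type": "echo-reply"}
# Reply destined to the real inside address, as seen when nat 0 exempts the traffic
REPLY_TO_REAL = {"proto": "icmp", "src": "10.11.0.12", "dst": "10.2.5.20", "icmp_type": "echo-reply"}
```

Running first_match(DMZ_IN, REPLY_TO_POOL) yields permit while first_match(DMZ_IN, REPLY_TO_REAL) yields deny, so the reply ACE and the NAT choice on the inside have to agree.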