Pix 515E blocking DMZ traffic

htmlgames, Level 1

I'm using a PIX 515E firewall to protect two of my servers, with another server in the DMZ acting as a web server. However, I can't seem to communicate between the web server and anything else. I've permitted ICMP traffic for all interfaces, so pings should work. However, the only thing the web server can ping is the DMZ interface. Anything else gets me a "no route to host" error, even if I'm just pinging other interfaces on the firewall. If I ping the web server from either side of the firewall, I get silence. Any idea what the problem could be? I've attached the configuration.

9 Replies

htmlgames, Level 1

Here's the config file

I have looked at your config file and here are two things that I see:

1. You must allow ICMP replies in through the outside interface as follows:

access-list outside_access_in permit icmp any host hilbert echo-reply

access-list outside_access_in permit icmp any host hilbert unreachable

access-list outside_access_in permit icmp any host hilbert time-exceeded

access-list outside_access_in permit icmp any host hilbert source-quench

2. It looks like you are trying not to nat to host hilbert.

static (dmz,outside) hilbert hilbert netmask 255.255.255.255 0 0

static (outside,dmz) hilbert hilbert netmask 255.255.255.255 0 0

This effectively states no nat.

It also looks like you are trying not to nat any inside host with nat (inside) 0 0.0.0.0 0.0.0.0 0 0

You may want to take another look and see if this is really what you meant.

Everything else looks ok.

Doug.

Doug,

Thanks for the help. I'm new to this stuff. Shouldn't communications be working even with no NAT? I've enabled those ICMP functions, but still can't get anything. I've tried SSH in case it was just an ICMP issue, but nothing. Thanks in advance.

John

One other thing that may help: I've gotten "no route to host" errors while going from the DMZ outwards, and from the outside into the DMZ. Can you see any problems with the routing configuration? "ece-nsl-1" is the outside router.

Sorry about that. Your route statements may need a little work.

Default route:

route outside 0.0.0.0 0.0.0.0 1

Should be:

route outside 0.0.0.0 0.0.0.0

Blanket statement: You do not need to redeclare your interface subnets as routes

i.e.

Suppose I have the following:

ip address inside 10.0.0.1 255.0.0.0

ip address outside 1.1.1.1 255.255.255.0

ip address dmz 172.16.1.1 255.255.0.0

I do not need the following:

route inside 10.0.0.0 255.0.0.0 10.0.0.1

route outside 1.1.1.0 255.255.255.0

route dmz 172.16.0.0 255.255.0.0

The only two times you need a route statement are:

1. The default route.

2. For access to a subnet that is not directly connected to the firewall.

I suspect that is what happened on all of the following

Check this statement:

route dmz 160.0.0.0 255.0.0.0 1

If this host is on the same subnet as the PIX outside interface, then it is not needed.

route outside ece-nsl-1 255.255.255.255 1

Same goes for these:

route dmz hilbert 255.255.255.255 1

route inside dijkstra 255.255.255.255 1

route inside galois 255.255.255.255 1

Try that and let me know what happens.

Doug.
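As an added example (not part of the thread or of any Cisco tool), the script below applies Doug's rule to a PIX-style configuration: it keeps the default route and routes to subnets that are not directly connected, and flags every route whose destination already falls inside an interface subnet as redundant. The sample config and its addresses are constructed from the numbers in Doug's reply, and `name` lines are assumed to resolve the hostnames used in the route statements.

```python
"""Audit PIX-style 'route' statements against directly connected subnets."""
import ipaddress

# Constructed sample config (not the poster's real one). Addresses follow
# Doug's example; the host routes mirror the ones he questioned.
SAMPLE_CONFIG = """
name 172.16.1.10 hilbert
name 10.0.0.5 dijkstra
name 1.1.1.254 ece-nsl-1
ip address inside 10.0.0.1 255.0.0.0
ip address outside 1.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.0.0
route outside 0.0.0.0 0.0.0.0 ece-nsl-1 1
route dmz hilbert 255.255.255.255 1
route inside dijkstra 255.255.255.255 1
route outside ece-nsl-1 255.255.255.255 1
route inside 192.168.50.0 255.255.255.0 10.0.0.254 1
"""


def audit_routes(config: str) -> dict[str, str]:
    """Return {route line: 'default' | 'redundant' | 'needed'}."""
    names: dict[str, str] = {}                    # hostname -> address
    connected: list[ipaddress.IPv4Network] = []   # interface subnets
    routes: list[str] = []
    # First pass: collect names, interface subnets and route lines, so the
    # verdicts do not depend on the order the statements appear in.
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["name"] and len(words) >= 3:
            names[words[2]] = words[1]
        elif words[:2] == ["ip", "address"] and len(words) >= 5:
            connected.append(ipaddress.ip_network(
                f"{words[3]}/{words[4]}", strict=False))
        elif words[:1] == ["route"] and len(words) >= 4:
            routes.append(line)
    # Second pass: classify each route by its destination prefix.
    verdicts: dict[str, str] = {}
    for line in routes:
        words = line.split()
        dest_ip = names.get(words[2], words[2])   # resolve hostname if any
        dest = ipaddress.ip_network(f"{dest_ip}/{words[3]}", strict=False)
        if dest.prefixlen == 0:
            verdicts[line] = "default"            # the one route always needed
        elif any(dest.subnet_of(net) for net in connected):
            verdicts[line] = "redundant"          # covered by a connected subnet
        else:
            verdicts[line] = "needed"             # remote subnet, keep it
    return verdicts


if __name__ == "__main__":
    for route, verdict in audit_routes(SAMPLE_CONFIG).items():
        print(f"{verdict:9s} {route}")
```

Only the default route and the 192.168.50.0/24 route survive the audit; the three host routes are reported as redundant because each destination sits inside a connected interface subnet.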


I created a drawing to better illustrate my point here. I have attached it.

Hope this helps.

Doug,

Thanks for the help. I've removed all the routing lines except those from the outer subnets; I'll add those later. However, I still seem to have the same problem. Ping gives me the message "ping: sendto: no route to host" when I try to ping anything but the DMZ interface from the DMZ. I'm also unable to ping through the firewall, getting no error message.

I checked 2 other things; maybe they'll be helpful: with "debug icmp trace", I can see the pings when Hilbert pings the dmz interface, but no other signs when any other machine pings anything. Also, the firewall itself can successfully ping any machine on the network, inside or outside.

Thanks a lot,

John

