07-17-2001 12:56 AM - edited 02-20-2020 09:48 PM
With this config, I can't ping 192.168.1.253.
The debug trace indicates:
192.168.10.101>212.99.175.60>192.168.1.253
How can I direct the traffic to go to the DMZ and not to the outside?
The following is my PIX 520 6.0(1) config listing:
: Saved
:
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password --moderator edit-- encrypted
passwd --moderator edit-- encrypted
hostname Pix
domain-name Pix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
no logging on
logging timestamp
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
logging history debugging
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 212.99.175.51 255.255.255.240
ip address inside 192.168.10.254 255.255.255.0
ip address dmz 192.168.1.227 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp dmz 192.168.1.253 0004.c13a.5080 alias
arp timeout 90
global (outside) 1 212.99.175.60
global (dmz) 1 192.168.1.220 netmask 255.255.255.255
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
nat (dmz) 1 192.168.1.0 255.255.255.0 0 0
alias (inside) 192.168.1.221 212.99.175.61 255.255.255.255
static (dmz,outside) 212.99.175.61 192.168.1.221 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 212.99.175.61 eq www any
conduit permit tcp host 212.99.175.61 eq pop3 any
conduit permit tcp host 212.99.175.61 eq smtp any
conduit permit tcp host 212.99.175.61 eq domain any
route outside 0.0.0.0 0.0.0.0 212.99.175.49 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt noproxyarp dmz
no sysopt route dnat
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
terminal width 80
Cryptochecksum:5952c4f82490d2741ffb7b2e44
07-23-2001 01:14 PM
Is there any reason your inside hosts can't appear on the DMZ with their own addresses instead of the PAT-assigned global? Try this if you can:
no global (dmz) 1 192.168.1.220 netmask 255.255.255.255
static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
wr mem
reload
Remember, anytime you add, change or delete a nat and/or global, it is best to wr mem/reload on the PIX. Now, test your ping again with debug running. Let me know if that helps.