Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
740
Views
0
Helpful
1
Replies

Static NAT Config Overlapping

terblac
Level 1
Level 1

‎12-29-2006 09:52 PM - edited ‎03-11-2019 02:14 AM

Hi!

Good day to all.

I'm having a hard time figuring out the descripancy on a PIX firewall config I have here.

My difficult is that I have two interfaces. One is a VLAN interface named as CORE with a SecLevel of 87 and a physical interface named DMZ4 with a SecLev of 50.

I have verified the routes and they were ok and also access lists. Actually, I have permitted the hosts on both sides to see each other. Meaning PING is allowed and so are the other services on IP. There are hitcounts actually. But the result on the CORE side is "Request timed out" however on the DMZ4 segment the result is "TTL expired in transit".

I had made a debug icmp trace and the result was :

89226: ICMP echo-request from core:172.22.38.104 to 172.22.148.47 ID=768 seq=30791 length=40

89227: ICMP echo-request: translating core:172.22.38.104 to dmz4:172.22.38.104

89228: ICMP echo-request: untranslating core:172.22.148.47 to dmz4:172.22.148.47

I could not see the next line which should have been a reply from 172.22.148.47 going to the requester 172.22.38.104.

One of the segments named MANAGEMENT with a SecLev of 57 can see the host on the DMZ4 and vice versa. They could ping each other.

Below are the static configurations:

static (dmz4,management) 172.22.148.0 172.22.148.0 netmask 255.255.255.0 0 0

static (newtandem,dmz4) 172.22.29.20 172.22.25.138 netmask 255.255.255.255 0 0

static (dmz4,management) 172.27.0.0 172.27.0.0 netmask 255.255.0.0 0 0

static (core,management) 172.22.38.0 172.22.38.0 netmask 255.255.255.0 0 0

static (dmz1,management) 192.168.11.70 192.168.11.70 netmask 255.255.255.255 0 0

static (core,development) 172.22.38.0 172.22.38.0 netmask 255.255.255.0 0 0

static (spare,management) 172.22.29.35 172.22.29.35 netmask 255.255.255.255 0 0

static (management,spare) 172.22.29.128 172.22.29.128 netmask 255.255.255.192 0 0

static (dmz4,core) 172.22.148.0 172.22.148.0 netmask 255.255.255.0 0 0

static (core,dmz4) 172.22.38.0 172.22.38.0 netmask 255.255.255.0 0 0

static (dmz4,management) 172.22.0.0 172.22.0.0 netmask 255.255.0.0 0 0

static (dmz4,spare) 172.22.0.0 172.22.0.0 netmask 255.255.0.0 0 0

Could somebody help me understand.

Happy New Year!

Thanks again.

Labels:
0 Helpful
1 Reply 1

terblac
Level 1
Level 1

‎12-30-2006 12:16 AM

Guys!

My problem has been resolved. There was no route on the router that is connected to the DMZ4 segment that we have here. We have just added a route on it pointing to the layer 3 switch on DMZ4 going to the CORE segment.

Thank you very much!!!

Happy New Year!!!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card