12-29-2006 09:52 PM - edited 03-11-2019 02:14 AM
Hi!
Good day to all.
I'm having a hard time figuring out a discrepancy in a PIX firewall config I have here.
My difficulty is that I have two interfaces. One is a VLAN interface named CORE with a SecLevel of 87 and the other is a physical interface named DMZ4 with a SecLevel of 50.
I have verified the routes and they were OK, and so were the access lists. Actually, I have permitted the hosts on both sides to see each other, meaning PING is allowed and so are the other services on IP. There are hit counts, actually. But the result on the CORE side is "Request timed out", while on the DMZ4 segment the result is "TTL expired in transit".
I did a debug icmp trace and the result was:
89226: ICMP echo-request from core:172.22.38.104 to 172.22.148.47 ID=768 seq=30791 length=40
89227: ICMP echo-request: translating core:172.22.38.104 to dmz4:172.22.38.104
89228: ICMP echo-request: untranslating core:172.22.148.47 to dmz4:172.22.148.47
I could not see the next line which should have been a reply from 172.22.148.47 going to the requester 172.22.38.104.
One of the segments named MANAGEMENT with a SecLev of 57 can see the host on the DMZ4 and vice versa. They could ping each other.
Below are the static configurations:
static (dmz4,management) 172.22.148.0 172.22.148.0 netmask 255.255.255.0 0 0
static (newtandem,dmz4) 172.22.29.20 172.22.25.138 netmask 255.255.255.255 0 0
static (dmz4,management) 172.27.0.0 172.27.0.0 netmask 255.255.0.0 0 0
static (core,management) 172.22.38.0 172.22.38.0 netmask 255.255.255.0 0 0
static (dmz1,management) 192.168.11.70 192.168.11.70 netmask 255.255.255.255 0 0
static (core,development) 172.22.38.0 172.22.38.0 netmask 255.255.255.0 0 0
static (spare,management) 172.22.29.35 172.22.29.35 netmask 255.255.255.255 0 0
static (management,spare) 172.22.29.128 172.22.29.128 netmask 255.255.255.192 0 0
static (dmz4,core) 172.22.148.0 172.22.148.0 netmask 255.255.255.0 0 0
static (core,dmz4) 172.22.38.0 172.22.38.0 netmask 255.255.255.0 0 0
static (dmz4,management) 172.22.0.0 172.22.0.0 netmask 255.255.0.0 0 0
static (dmz4,spare) 172.22.0.0 172.22.0.0 netmask 255.255.0.0 0 0
Could somebody help me understand?
Happy New Year!
Thanks again.
12-30-2006 12:16 AM
Guys!
My problem has been resolved. There was no route on the router that is connected to the DMZ4 segment that we have here. We have just added a route on it pointing to the layer 3 switch on DMZ4 going to the CORE segment.
Thank you very much!!!
Happy New Year!!!
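The trace above shows an echo-request leaving towards DMZ4 with no echo-reply coming back, and the fix turned out to be a missing return route on the far-side router. The following is an added example, not part of the thread: a small parser for `debug icmp trace` output that pairs echo-requests with echo-replies by ICMP ID and sequence number and lists the requests that were never answered. The first three trace lines are the poster's; the remaining lines, including the echo-reply line format, are constructed for illustration.

```python
import re

# Constructed sample: the first three lines are from the post, the rest are
# made up to show what a completed echo exchange looks like in the same format.
SAMPLE_TRACE = """\
89226: ICMP echo-request from core:172.22.38.104 to 172.22.148.47 ID=768 seq=30791 length=40
89227: ICMP echo-request: translating core:172.22.38.104 to dmz4:172.22.38.104
89228: ICMP echo-request: untranslating core:172.22.148.47 to dmz4:172.22.148.47
89230: ICMP echo-request from core:172.22.38.104 to 172.22.148.47 ID=768 seq=30792 length=40
89231: ICMP echo-request: translating core:172.22.38.104 to dmz4:172.22.38.104
89232: ICMP echo-request: untranslating core:172.22.148.47 to dmz4:172.22.148.47
89233: ICMP echo-reply from dmz4:172.22.148.47 to 172.22.38.104 ID=768 seq=30792 length=40
"""

# Matches only the "from <ifc>:<src> to <dst> ID=.. seq=.." lines; the
# translating/untranslating lines carry no ID/seq and are skipped.
ECHO_RE = re.compile(
    r"^\d+: ICMP (?P<kind>echo-request|echo-reply) from "
    r"(?P<ifc>\w+):(?P<src>[\d.]+) to (?P<dst>[\d.]+) "
    r"ID=(?P<id>\d+) seq=(?P<seq>\d+)"
)


def unanswered_echoes(trace):
    """Return (id, seq, src, dst, ingress_ifc) for every echo-request that
    has no echo-reply with the same ID/seq flowing in the reverse direction."""
    requests = {}   # (id, seq) -> (src, dst, ingress interface)
    replied = set()
    for line in trace.splitlines():
        m = ECHO_RE.match(line)
        if not m:
            continue
        key = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "echo-request":
            requests[key] = (m["src"], m["dst"], m["ifc"])
        else:
            # A reply is only a match if its src/dst are the request's dst/src.
            req = requests.get(key)
            if req is not None and (req[0], req[1]) == (m["dst"], m["src"]):
                replied.add(key)
    # A request that was translated out but never answered points at the far
    # side: a missing return route there (the poster's case) or a host ACL.
    return [key + requests[key] for key in requests if key not in replied]


if __name__ == "__main__":
    for ident, seq, src, dst, ifc in unanswered_echoes(SAMPLE_TRACE):
        print(f"no reply: ID={ident} seq={seq} {ifc}:{src} -> {dst}")
```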