01-28-2008 09:10 PM - edited 03-11-2019 04:54 AM
Hi,
Kindly find the attached file. In this I am unable to ping from router2 to router1 on the F0/0 interfaces and vice versa, even though they are directly connected to the firewall DMZs. I have checked the router routes and they seem to be fine. Please provide me the solution as soon as possible. Thanks in advance.
01-28-2008 09:33 PM
You need to configure a STATIC for traffic to flow from one DMZ to another. Please refer to the URL below for details:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml
If you have already configured the statics and it is still not working, can you post the STATIC configuration from the PIX?
Regards,
Arul
** Please rate all helpful posts **
01-28-2008 10:07 PM
Hi Arul,
Thanks a lot for your response. I have already applied a static as well, but am still unable to. My PIX 535 has 6 interfaces. I want to establish connectivity between two DMZs. Have you seen the diagram, Arul? The firewall DMZs are connected to the routers' F0. I need to access one host from router2 to router1.
static (dmz11,dmz22) 172.16.0.0 172.16.0.0 netmask 255.240.0.0
01-28-2008 09:57 PM
What I understand: we want to ping from 172.30.8.10 to 172.30.8.18 and vice versa.
Here are the steps you can try:
* Ping both routers first from the firewall itself. If that fails, you need to troubleshoot that first.
* The default gateways of the routers should be the DMZ interface IP addresses.
* Ping from R1 to R2
Since dmz11 is at security level 40 and dmz22 is at 30, you require nat and global / static:
nat (dmz11) 1 0 0
global (dmz22) 1 interface
Allow icmp on the interface and you will be able to ping.
* Ping from R2 to R1
If you want to access or ping from dmz22 to dmz11 you need a static statement, since the traffic is going from lower to higher security:
static (dmz11,dmz22) 172.30.8.10 172.30.8.10 netmask 255.255.255.255
Allow icmp in the access-list and you should be able to ping.
See if these steps help. If it works for you, please rate the steps so that others can benefit from this forum.
Thanks
01-28-2008 11:51 PM
Hi manjesin,
Thanks for your response too. I have some more doubts, kindly clarify.
* I can ping the router F0 interface from the firewall interface.
* In order to access from R2 to R1, the static NAT should be like below, I think:
static (dmz11,dmz22) 172.30.8.18 172.30.8.18 netmask 255.255.255.255
The static IPs should be on the higher interface? Is that right?
The problem is that router2 is connected to one more router, router3. So my concern is that I need to access from router3 to router1 in my above diagram. For that I have been trying to ping at least both router interfaces (R2, R1) first.
I will try all your valuable options. Kindly find the attached network diagram file and provide me the firewall config and router routes, please.
01-29-2008 06:25 AM
Hi,
Kindly provide solution for the above
01-29-2008 11:50 PM
Hi,
Kindly provide solution for the above
01-30-2008 10:30 AM
Here is the network topology:
R1---------firewall------R2------R3
Yes, in the static statement we provide the IP address on the higher-security network which we want to access.
Example given before; the access-list also needs to be opened:
static (dmz11,dmz22) 172.30.8.18 172.30.8.18 netmask 255.255.255.255
access-list 101 permit ip any host 172.30.8.18
access-group 101 in interface dmz22
If the default gateway on router2 and router3 is not the dmz22 interface IP address, then we need to add routes on the routers.
For example:
ip route 172.30.8.0 255.255.255.248 172.30.8.17
We are indicating that if somebody behind router3 wants to reach 172.30.8.18, then the traffic should be sent to 172.30.8.17, which is the firewall dmz22 interface. Once the traffic reaches the firewall, the static will come into the picture.
Here is a link to configure routes on a router.
Hope this helps
01-30-2008 10:33 AM
Hi,
Make sure you also open icmp any any on the dmz22 and dmz11 interfaces,
since icmp is not allowed through the firewall by default.
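Pulling the thread's advice together, here is an added, self-contained example (written for this reply, not taken from any poster's config) of the PIX and router statements needed for both directions between the two DMZs. Assumed addressing: R1 172.30.8.10 on dmz11 (security 40, interface 172.30.8.9), R2 172.30.8.18 on dmz22 (security 30, interface 172.30.8.17), a constructed R3 LAN of 192.168.3.0/24 and an R2-R3 link of 10.0.23.0/30; the physical interface names are assumed as well.

```cisco
! --- PIX (6.x syntax) ---
! Assumed addressing: dmz11 = 172.30.8.9/29 (security 40), R1 = 172.30.8.10
!                     dmz22 = 172.30.8.17/29 (security 30), R2 = 172.30.8.18
!                     R3 LAN = 192.168.3.0/24 (constructed), reached through R2
nameif ethernet2 dmz11 security40
nameif ethernet3 dmz22 security30
ip address dmz11 172.30.8.9 255.255.255.248
ip address dmz22 172.30.8.17 255.255.255.248
!
! High -> low (R1 to R2): needs a translation. Hiding R1 behind the dmz22
! interface address is what the thread suggests; an identity static works too.
nat (dmz11) 1 0.0.0.0 0.0.0.0
global (dmz22) 1 interface
!
! Low -> high (R2/R3 to R1): a static for the HIGHER-security host, real
! address unchanged, plus an inbound ACL on the lower-security interface.
static (dmz11,dmz22) 172.30.8.10 172.30.8.10 netmask 255.255.255.255
access-list dmz22_in permit icmp any host 172.30.8.10
! Echo replies for R1's outbound pings must also be let back in (no ICMP state)
access-list dmz22_in permit icmp any any echo-reply
access-list dmz22_in permit ip 192.168.3.0 255.255.255.0 host 172.30.8.10
access-group dmz22_in in interface dmz22
!
! The PIX must know that R3's LAN lives behind R2, or return traffic is dropped
route dmz22 192.168.3.0 255.255.255.0 172.30.8.18 1
!
! --- R1 (IOS) ---
ip route 172.30.8.16 255.255.255.248 172.30.8.9
ip route 192.168.3.0 255.255.255.0 172.30.8.9
!
! --- R2 (IOS), R2-R3 link assumed 10.0.23.0/30 ---
ip route 172.30.8.8 255.255.255.248 172.30.8.17
ip route 192.168.3.0 255.255.255.0 10.0.23.2
!
! --- R3 (IOS) ---
ip route 0.0.0.0 0.0.0.0 10.0.23.1
```

The access-list only needs icmp plus whatever traffic R3's hosts actually require toward R1; permit ip any any on dmz22 would expose every dmz11 host that has a static, so keep it to the listed destinations.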