Cannot ping from inside IP to DMZ IP

chewshk · ‎12-29-2003

Hi,

I have a PIX525 installed with the inside IP for the LAN, the outside IP connecting the Internet Router and a 'new' DMZ IP for a connection to the private IP of a VPN3030.

I tried to ping (extended) from the inside IP of the PIX to the DMZ IP. It couldn't ping, even after I enabled the access-list to allow all IP between the DMZ and the inside interface.

The only thing that I did was putting the NAT to 'use same address' rather than creating a new NAT. Thus, it created the 'Null Rule' to the ACL which I just inserted.

So, what exactly can I do to be able to ping between these 2 interface?

Thanks

a.lysyuk · ‎12-29-2003

Access list only applies to packets which traverse PIX and not terminate on it interfaces.

If you want PIX interface to reply to ICMP echo packets you should use the configuration command:

icmp permit IP_address netmask Interface_name

cgregg · ‎12-29-2003

To ping a device in the DMZ, first you need to allow ICMP.

Next you need to create a static mapping as follows; Static (inside,dmz) inside ip inside ip

This should allow you to ping devices in the DMZ

-CHEERS

chewshk · ‎12-29-2003

Hi,

Thanks. I actually allowed all IP to pass through for now. Still, I was not able to ping the next-hop IP.

Today, I activated the NAT at the PIX and I was able to ping that next-hop IP. However, as I have the outside IP doing the same NAT, I can't activate this NAT (at the DMZ) and the NAT (at the outside) using the same range of IP addresses, eventhough I use different inside global IP address.

So, how can I activate the NAT for the same inside local for the DMZ and the Internet?

Thanks