09-19-2003 12:38 AM - edited 03-09-2019 04:51 AM
I'm trying to set up my PIX so that the traffic from the inside goes to the outside interface (being Pnat'd in the process) and then connects to a statically mapped outside IP to a DMZ internal IP.
Like,
192.168.1.0(Inside network) -> 10.0.0.250(outside pat address)
10.0.0.10(static outside) -> 192.168.0.10(dmz internal address)
I can't seem to access 10.0.0.10 from 10.0.0.250. If I put my laptop into 10.0.0.0 I can access 10.0.0.10 fine (all my access-list rules on the outside interface seem to be working fine).
I know this seems weird since normally you would just let the ASA do its thing and make global addresses in the dmz, but for our networking needs we need to set up the traffic like I proposed.
Any help would be greatly appreciated.
09-19-2003 12:52 AM
Hi Chris -
Have you got any syslog messages that you can provide when you try to build a connection from 10.0.0.250 to 10.0.0.10 please?
For logging do:
logging on
logging buffer debug
Try a connection, then do command 'sh logg' and post the results please.
Thanks - Jay.
09-19-2003 04:01 AM
I have the same problem; logging to syslog with 'logg trap debug' shows NOTHING !!!!
pd
09-19-2003 04:41 AM
I don't think that will work - traffic won't go from the inside to the outside and then to the DMZ. Traffic cannot leave and re-enter the PIX outside interface.
You probably need to have the inside clients access the DMZ more directly.
09-21-2003 08:29 AM
In my limited learning experience, you do seem to be able to bounce packets off the outside interface. The exception appears to be if you try to contact yourself, when you get a 'Land Attack' denial. It's not clear why even that should happen, as the docs say the source and dest addresses and ports should match for that, and that doesn't happen often!!
09-21-2003 11:32 AM
OK, I -really- do have limited experience!! There is a chance that a router outside of my PIX is bouncing my packets back to my PIX, but I haven't managed to trace the route yet.
My comment about 'Land Attack' stands, however.
William
09-21-2003 06:33 PM
This should work; there shouldn't be any reason why it doesn't, outside of a config issue.
The inside goes to the outside, being Pnat'd in the process. Once in the outside network it should be able to access a static map that goes into the DMZ.
I'm accessing the DMZ via the server's public outside address from an outside Pnat address.
So as I can see it, there should be no reason this doesn't work.
Unless the PIX has an issue with the Pnat engine talking to the static one. The only other thing I can think of is a special access-list applied to the dmz or inside interface to allow the return traffic.
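An added example, not configuration posted by anyone in this thread, of how the two paths would normally be configured on a PIX 6.x: inside hosts get their own static to the DMZ server (using its public address, so no DNS doctoring is needed) instead of relying on traffic leaving and re-entering the outside interface. Interface names, netmasks, interface addresses and the service port (www) are assumptions.

```text
! Interfaces and security levels (assumed names and levels)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 10.0.0.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.0.1 255.255.255.0

! Inside -> outside: PAT the whole inside network behind 10.0.0.250
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 10.0.0.250 netmask 255.255.255.255

! Outside -> DMZ: publish the DMZ server as 10.0.0.10 on the outside,
! and permit only the service that should be reachable (port assumed)
static (dmz,outside) 10.0.0.10 192.168.0.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 10.0.0.10 eq www
access-group outside_in in interface outside

! Inside -> DMZ: a separate translation for flows entering on the inside
! interface. Inside clients can then use the same 10.0.0.10 address that
! outside clients use; the PIX translates it to the DMZ address directly,
! without the flow touching the outside interface.
static (dmz,inside) 10.0.0.10 192.168.0.10 netmask 255.255.255.255
! Alternative, if inside hosts should address the server by its real
! DMZ address instead:
!   static (dmz,inside) 192.168.0.10 192.168.0.10 netmask 255.255.255.255

! If an access-list is applied inbound on the inside interface, it must
! also permit the inside -> 10.0.0.10 flow; return traffic from the DMZ
! is allowed by the connection (xlate) state, not by an extra ACL.
```

With this in place, 'show xlate' and 'show conn' after an inside-to-10.0.0.10 attempt should show the (dmz,inside) translation being used, which is the quickest check that the flow is no longer being sent toward the outside interface.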