no communication between inside and dmz

stephtchoko
Level 3

Please,

I configured the PIX to locate the server on the DMZ interface and the host on the inside interface.

The problem is that the host on the inside interface cannot reach the e-mail server (196.202.232.17).

This is the show run output:

names
access-list accl_dmz permit icmp any any
access-list outside_int permit ip any host 196.202.232.17
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 196.202.232.3 255.255.255.128
ip address inside 172.16.1.1 255.255.255.0
ip address DMZ 172.16.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
static (DMZ,outside) 196.202.234.64 172.16.2.2 netmask 255.255.255.255 0 0
static (DMZ,outside) 196.202.232.17 172.16.2.3 netmask 255.255.255.255 0 0
static (DMZ,outside) 61.11.234.86 172.16.2.4 netmask 255.255.255.255 0 0
static (DMZ,outside) 196.202.232.9 172.16.2.5 netmask 255.255.255.255 0 0
static (DMZ,outside) 196.202.232.13 172.16.2.6 netmask 255.255.255.255 0 0
static (DMZ,outside) 196.202.232.15 172.16.2.7 netmask 255.255.255.255 0 0
static (DMZ,outside) 196.202.232.14 172.16.2.8 netmask 255.255.255.255 0 0
static (DMZ,outside) 66.178.60.9 172.16.2.9 netmask 255.255.255.255 0 0
static (DMZ,outside) 61.11.234.6 172.16.2.10 netmask 255.255.255.255 0 0
static (DMZ,outside) 196.202.232.6 172.16.2.11 netmask 255.255.255.255 0 0
static (inside,DMZ) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0
access-group outside_int in interface outside
conduit permit ip 172.16.1.0 255.255.255.0 any
conduit permit ip any any
route outside 0.0.0.0 0.0.0.0 196.202.234.1 1
route outside 10.2.4.0 255.255.255.0 196.202.234.63 1
route outside 10.2.5.0 255.255.255.0 196.202.234.63 1
route outside 10.2.7.0 255.255.255.0 196.202.234.63 1
route outside 10.2.8.0 255.255.255.0 196.202.234.63 1
route outside 10.2.9.0 255.255.255.0 196.202.234.61 1
route outside 10.2.10.0 255.255.255.0 196.202.234.63 1
route outside 10.2.11.0 255.255.255.0 196.202.234.63 1
route outside 203.192.200.0 255.255.255.0 196.202.234.61 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside

From host 172.16.1.24 I ping 196.202.232.17 (the e-mail server); these are the debug icmp trace messages:

pixfirewall# debug icmp trace
ICMP trace on
Warning: this may cause problems on busy networks
pixfirewall# 45: ICMP echo-request from inside:172.16.1.24 to 196.202.232.17 ID=512 seq=14126 length=40
46: ICMP echo-request: translating inside:172.16.1.24/512 to outside:196.202.232.3/0
47: ICMP echo-request from outside:196.202.234.40 to 196.202.232.17 ID=1280 seq=3113 length=40
48: ICMP echo-request: untranslating outside:196.202.232.17 to DMZ:172.16.2.3
49: ICMP echo-reply from DMZ:172.16.2.3 to 196.202.234.40 ID=1280 seq=3113 length=40
50: ICMP echo-reply: translating DMZ:172.16.2.3 to outside:196.202.232.17
undebug all
51: ICMP echo-request from inside:172.16.1.24 to 196.202.232.17 ID=512 seq=14382 length=40
52: ICMP echo-request: translating inside:172.16.1.24/512 to outside:196.202.232.3/0
53: ICMP echo-request from outside:196.202.234.40 to 196.202.232.17 ID=1280 seq=3369 length=40
54: ICMP echo-request: untranslating outside:196.202.232.17 to DMZ:172.16.2.3
55: ICMP echo-reply from DMZ:172.16.2.3 to 196.202.234.40 ID=1280 seq=3369 length=40
56: ICMP echo-reply: translating DMZ:172.16.2.3 to outside:196.202.232.17

Please, this is very urgent.

Any help will be appreciated.

1 Reply

Patrick Iseli
Level 7

1.) This is normal; you cannot connect to the DMZ host with its public IP. The PIX policy does not allow that.

2.) You have disabled NAT between the inside and the DMZ interface:

static (inside,DMZ) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0

You should connect to your e-mail server with its private IP: 172.16.2.3

3.) You could tweak that limitation with the DNS Doctoring feature, but it depends on where your DNS server is located, external or internal.

Take a look at this post:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dd65552/0#selected_message

Sincerely,

Patrick
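As an added example (not from the post or from Cisco), a small Python parser for the `debug icmp trace` output above: it pairs each inside echo-request aimed at a DMZ server's public address with the PIX translation line and any echo-reply, and flags exactly the symptom the reply describes, that the request is NATed out the outside interface and no reply ever returns to the inside host. The TRACE text and the STATICS map are constructed from the trace and the `static (DMZ,outside)` lines in the post.

```python
import re

# Constructed sample input: the trace lines from the post, re-joined onto one
# line each (the terminal had wrapped them at 80 columns).
TRACE = """\
45: ICMP echo-request from inside:172.16.1.24 to 196.202.232.17 ID=512 seq=14126 length=40
46: ICMP echo-request: translating inside:172.16.1.24/512 to outside:196.202.232.3/0
47: ICMP echo-request from outside:196.202.234.40 to 196.202.232.17 ID=1280 seq=3113 length=40
48: ICMP echo-request: untranslating outside:196.202.232.17 to DMZ:172.16.2.3
49: ICMP echo-reply from DMZ:172.16.2.3 to 196.202.234.40 ID=1280 seq=3113 length=40
50: ICMP echo-reply: translating DMZ:172.16.2.3 to outside:196.202.232.17
"""

# Public -> (interface, private) mappings, taken from the "static (DMZ,outside)"
# line for the mail server in the show run.
STATICS = {"196.202.232.17": ("DMZ", "172.16.2.3")}

REQ = re.compile(r"echo-request from (\w+):([\d.]+) to ([\d.]+) ")
XLATE = re.compile(r"echo-request: translating (\w+):([\d.]+)/\d+ to (\w+):")
REPLY = re.compile(r"echo-reply from \w+:[\d.]+ to ([\d.]+) ")


def analyze(trace, statics):
    """One finding per inside echo-request sent to a DMZ host's public IP:
    the interface the PIX translated it out of, and whether a reply came back."""
    findings = []
    for line in trace.splitlines():
        if m := REQ.search(line):
            iface, src, dst = m.groups()
            if iface == "inside" and dst in statics:
                findings.append({"src": src, "dst": dst, "dmz_iface": statics[dst][0],
                                 "private": statics[dst][1], "egress": None, "replied": False})
        elif m := XLATE.search(line):
            _iface, src, egress = m.groups()
            for f in findings:
                if f["src"] == src and f["egress"] is None:
                    f["egress"] = egress          # first translation after the request
        elif m := REPLY.search(line):
            for f in findings:
                if f["src"] == m.group(1):
                    f["replied"] = True           # a reply reached the original sender
    return findings


def verdict(finding):
    """A request NATed out a non-DMZ interface with no reply to the sender is the
    public-IP hairpin the answer describes; the fix is the server's private address."""
    if finding["egress"] != finding["dmz_iface"] and not finding["replied"]:
        return (f"{finding['src']} reached {finding['dst']} via {finding['egress']}, not "
                f"{finding['dmz_iface']}; no reply returned. Use {finding['private']} instead.")
    return "flow looks fine"
```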