Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
336
Views
0
Helpful
2
Replies

PIX515e DMZ & IP Addressing / Security Levels

craig-allen
Level 1
Level 1

‎08-30-2005 06:18 AM - edited ‎03-09-2019 12:17 PM

I have the following on PIX 5.15e 6.34

Eth0: Outside Public IP

Eth1: Inside 10.0.0.0/16

Eth2: DMZ 10.7.0.0/16

The problem I have is that inside hosts cannot access the DMZ segment. It appears that the inside hosts are not sending the packets to the pix. If I do a traceroute packets are not reaching the PIX inside interface rather an arp broadcast appears to be done. However if I try traceroute to 10.8.0.1 this then gets sent to the pix. This is the same for subnets 10.1.0.0 - 10.7.0.0.

Surely the above are in different subnet to 10.0.0.0/16 due to using the Class B subnet mask.

Am I missing a simple thing here?

Lastly.

How does one chose a security level? I need traffic to transverse the inside & dmz segements but am unsure what security level to choose.

Is there a document somewhere on Cisco.com that outlines the differents levels and when to use them?

Thanks

Craig

Labels:
0 Helpful
2 Replies 2

jmia
Level 7
Level 7

‎08-30-2005 06:56 AM

Hi,

As an example, take a look at this document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008015efa9.shtml

The above document is for a mail server access in the DMZ, but I think this will help in your understanding.

Hope this helps a little, let me know how you get on.

-

Jay

0 Helpful

craig-allen
Level 1
Level 1
In response to jmia

‎08-30-2005 07:34 AM

Thanks for the link!

I'm not having a problem with the pix config but more with the inter IP subnet addressing.

e.g.

Subnet 1: 10.0.0.0/16 -> Inside

Subnet 2: 10.1.0.0/16 -> DMZ1

Subnet 3: 10.7.0.0/16 -> DMZ2

Subnet 4: 10.8.0.0/16 -> DMZ3

From an XP workstation if I do a traceroute from Subnet 1 to subnets 2 & 3 -> no traffic is sent to the default gateway (pix). Appears an arp request is being sent.

Whereas if I do a traceroute from Subnet 1 to subnet 4 traffic is sent to the pix.

It appears that the workstation thinks that subnets 10.1.0.0 -> 10.7.0.0 /16 are local therefore doesn't send the traffic to the default gateway. Wheras 10.8.0.0 /16 is sent to the gateway.

Windows host has the correct IP config ie.e 10.0.1.1 255.255.255.0 GW 10.0.0.254

I know that the problem is not the pix as I get no errors on the syslog i.e. the traffic deosn't even hit the pix.

0 Helpful
Customers Also Viewed These Support Documents