05-27-2002 03:39 AM - edited 03-08-2019 10:46 PM
I have one interface with lower security, and I have permitted it to access an interface with higher security.
When I try to access the higher one from the lower interface, it works for some hosts all the time but not for others. To make it work, you can send a ping from the higher-security interface to a host connected to the lower-security interface, and then it works for a while!
Does anyone have an idea what the problem is?
05-27-2002 06:14 AM
Do you have a static going from the higher to the lower? Do you have a conduit or access-list so the lower interface can access the higher interface?
05-27-2002 06:40 AM
No static.
I use an access-list which allows the network to access the higher interface.
05-27-2002 12:28 PM
Have you tried:
PIX# debug icmp trace
PIX# debug packet "interface" src "ip" dst "ip"
...and see what you get there. Make sure the packets are even getting to the right interface. They should always get there, not just sometimes. With these debug commands you will be able to see that.
05-27-2002 11:05 PM
Yep, it reaches the interface with higher security, but it does not go through, except if you "open" the connection from the higher interface.
Btw, the version is 6.2(1).
05-28-2002 12:28 AM
Hi jhon,
I encountered this problem once, because I was using public IP addresses for the inside network and I didn't use a static translation. So what happened then: sometimes the outside network could not ping the inside servers, so I had to generate traffic from inside to outside on the servers, and then they were reachable from outside. Why were they reachable from outside? I think it is because there was an active connection for some time, until the connection timed out. So to solve this problem I did a static translation using the same IP address, say:
static (inside,outside) 1.1.1.1 1.1.1.1
If I am not mistaken, the problem is solved then... perhaps you can try the same way.
Hope it helps.
Regards
05-28-2002 02:52 AM
Sadly, it did not work :(
05-28-2002 08:11 AM
I have written an example below which may be of help to you.
If you use private addressing on your LAN, and you want to permit access from a lower-security interface to a higher-security interface, for example the DMZ, you need to have a static entry like this one:
static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
In addition, you will need to add a rule on the DMZ access list permitting icmp echo through to the internal LAN, for example:
access-list DMZ permit icmp host X.X.X.X host X.X.X.X echo
Also, I think you need to add a rule on the internal LAN access list to permit echo-reply, for example:
access-list inside permit icmp host X.X.X.X host X.X.X.X echo-reply
I hope this helps.
Regards,
Charles
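A fuller version of Charles's recipe, as an added example that is not from the thread or from Cisco: interface names, security levels and addresses are assumed for illustration (inside at security100 using 10.0.0.0/8, DMZ at security50 using 192.168.1.0/24, and a DMZ host 192.168.1.10 that must ping 10.1.1.5 on the inside), so substitute your own. It also shows why the "ping from the higher side first" trick in the original post worked for a while.

```cisco
! Added example (not from the thread). Assumed topology:
!   inside = security100, 10.0.0.0/8 (private addressing)
!   DMZ    = security50,  192.168.1.0/24
! Goal: DMZ host 192.168.1.10 can ping inside host 10.1.1.5.
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
ip address inside 10.1.1.1 255.0.0.0
ip address DMZ 192.168.1.1 255.255.255.0
!
! 1. Translation. PIX 6.x forwards lower-to-higher traffic only if it
!    already holds an xlate for the destination address. With no static,
!    the only xlate is the dynamic one created when the inside host itself
!    sends traffic out, and it disappears when "timeout xlate" (default
!    3:00:00) expires. That is why pinging from the higher side first made
!    things work "for a while". An identity static (same address on both
!    sides, no translation) gives the whole inside network a permanent xlate.
static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
!
! 2. Access list on the lower-security interface, applied inbound.
!    Keep it as tight as the requirement: one source, one destination,
!    one ICMP type.
access-list DMZ permit icmp host 192.168.1.10 host 10.1.1.5 echo
access-group DMZ in interface DMZ
!
! 3. Only needed if an access list is also applied to the inside
!    interface (without one, higher-to-lower traffic is permitted by
!    default). PIX 6.2 has no stateful ICMP inspection (that arrived in
!    6.3 with "fixup protocol icmp"), so the echo-reply must be permitted
!    explicitly.
access-list inside permit icmp host 10.1.1.5 host 192.168.1.10 echo-reply
access-group inside in interface inside
!
! Verification from the PIX console while the DMZ host pings:
!   show xlate        - translation entries no longer depend on inside-initiated traffic
!   show access-list  - the hit counter on the DMZ echo entry increments
!   debug icmp trace  - per-packet ICMP trace across the interfaces
```

Before adding the static, reproduce the symptom with `show xlate`: the inside host only appears after it has sent something out, and `clear xlate` makes the DMZ-to-inside ping fail again immediately. After the static is in place the result is the same whether or not the inside host has talked first, which is the check that separates a translation problem from an access-list problem.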
05-28-2002 08:43 AM
It works, thanks! I had added a static on the external hosts because someone suggested that.
It is strange, though, that it works if you "open" the connection from the higher-security interface! Maybe this is a bug?