PIX firewall

cisconoval
Level 1

Hello,

I have a PIX 525 firewall. The issue is that there are two servers: one is connected in the DMZ zone and the other is on the inside network, i.e.

ServerA - DMZ

ServerB - Inside

The issue is that I cannot connect to either of these servers.

The following policies have been placed on the firewall:

access-list acl_dmz line 100 permit icmp any any echo-reply

access-list acl_dmz permit icmp any any echo-reply

access-list ins_in permit icmp any any

icmp permit any outside

icmp permit any inside

Even then, I couldn't ping ServerA from the inside network.

Please advise what the possibilities could be in this case.

Thanks in adv.

13 Replies

cisconoval
Level 1

Someone please help me. It's very urgent...

Thanks

Just wondering whether you have applied the ACL acl_dmz to the DMZ interface like below or not.

access-group acl_dmz in interface dmz

If not, can you please apply it and then check.

If it is still not working, can you run the debug command "debug icmp trace" to show whether ICMP requests from the hosts reach the PIX.

Please suggest: is it necessary to give the "static" command to direct the request?

like static (internal,DMZ) x.x.x.x x.x.x.x netmask 255.255.255.255

Thanks

Can someone please give me some insight on this...?

Server B is in internal Lan

Server A is in DMZ

access-list acl_dmz permit icmp any any echo-reply

access-list ins_in permit icmp any any

access-group acl_dmz in interface dmz

access-group ins_in in interface inside

Now it depends on how you want to do NAT. I don't know whether this is a production firewall or not so please don't just cut and paste without understanding.

For argument's sake let's say server B's IP address is 192.168.2.5

static (inside,DMZ) 192.168.2.5 192.168.2.5 netmask 255.255.255.255

You will also need to make sure the Pix knows how to reach Server B. If Server B is on the same subnet as the pix internal interface you will be fine.

Let me know how you get on and if it still doesn't work we can do some debugging.

HTH

Hi,

It's a production box, so before making any change I would like to make it clear to myself. I am sorry to ask the same thing again and again...

Please let me know the use of the static command; as far as I understand, it will enable packets to travel between the mentioned zones. But in the last post it was mentioned as NAT. I am a bit confused on this; please enlighten me.

My observations on this issue:

Source and destination can ping each other. (I believe) it's happening because of the command enabling ICMP for any to any. But the issue is that the source could not connect to the destination through port 51873.

As I am a newbie to networking and PIX, I am not clear about this issue. My hunch is that I need to add the following command on the PIX:

"static (inside,DMZ) tcp 192.168.2.5 51873 10.16.10.210 51873 netmask 255.255.255.255 0 0"

so that it will enable the packets to travel between these zones.

Please correct me if it's wrong, or suggest any other solutions to fix this.

Thanks in adv

Any suggestions please..

Hi

There are different kinds of NAT on a PIX firewall: dynamic one-to-one, dynamic many-to-one (PAT), and static translations, which are not set up dynamically but are there permanently. So the static command is just another form of NAT.

When you need packets to travel from a lower security interface to a higher security interface you need a static and an access-list.

static (inside,DMZ) tcp 192.168.2.5 51873 10.16.10.210 51873 netmask 255.255.255.255 0 0

says

present a server on the inside - 10.16.10.210 to the DMZ as 192.168.2.5 on port 51873.

Is this what you intended ?

If it is, then you just need an access-list on the DMZ allowing this port from the server on your DMZ to the inside.

(Be careful with a DMZ access-list). If you already have one you will be fine. But if you are applying it for the first time then you need to remember that there is an implicit deny at the end so you must take into account any other traffic you allow through from the DMZ to the outside for example.

HTH

Hi,

Thanks for your suggestion.

The ACL is already placed on the DMZ, but the static (inside,DMZ) was not there....

access-list acl_dmz permit tcp host 10.16.10.210 host 192.168.2.5 eq 51873

So as per your earlier post there is no need to place the static (inside,dmz) for this issue... am I correct?

Hi

Could you specify:

1) the address of the server on your LAN

2) the address of the server on your DMZ

3) what access you require

Jon

IP of the server on DMZ: 193.168.2.5 (Fake)

IP of the server on LAN: 10.16.10.210 (Fake)

Need to enable the access between these servers on port 51873.

PIX has the ACL "access-list acl_dmz permit tcp host 193.168.2.5 host 10.16.10.210 eq 51873"

When I tried to telnet to the server 193.168.2.5 from 10.16.10.210 on port 51873, it failed.

To telnet from inside to DMZ

============================

Do you have an access-list on the inside interface? If so you need to add the following line:

access-list inside_access permit tcp host 10.16.10.210 host 193.168.2.5 eq 51873

If you don't have an access-list then it will be allowed by default.

You then need a translation, or to tell the PIX you don't want to do NAT. I don't know what exists on your firewall already, so:

static (inside,DMZ) 10.16.10.210 10.16.10.210 netmask 255.255.255.255

Telnet from DMZ

===============

You need to have an access-list on the DMZ interface allowing access.

access-list acl_dmz permit tcp host 193.168.2.5 host 10.16.10.210 eq 51873

You don't need a static as you have already set this up (see above).

HTH
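As an added illustration (not from the thread or from Cisco), a small Python checker that applies the steps Jon lays out, the ingress ACL binding, the PIX default when no ACL is bound, and the (inside,dmz) static, to a constructed config built from the thread's fake addresses. It models only host/any ACL entries and identity statics; nat 0, global pools and port-level statics are assumed out of scope.

```python
# Constructed PIX 6.x-style fragment using the thread's fake addresses; not the poster's real config.
PIX_CONFIG = """
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list acl_dmz permit tcp host 193.168.2.5 host 10.16.10.210 eq 51873
access-list ins_in permit icmp any any
access-list ins_in permit tcp host 10.16.10.210 host 193.168.2.5 eq 51873
access-group acl_dmz in interface dmz
access-group ins_in in interface inside
static (inside,dmz) 10.16.10.210 10.16.10.210 netmask 255.255.255.255
"""

def parse(cfg):
    # Collect interface security levels, ACL entries, ACL-to-interface bindings and statics.
    c = {"level": {}, "acl": {}, "group": {}, "static": []}
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[0] == "nameif":                 # nameif HW NAME securityN
            c["level"][w[2]] = int(w[3].replace("security", ""))
        elif w[0] == "access-list":          # access-list NAME permit|deny ...
            c["acl"].setdefault(w[1], []).append(w[2:])
        elif w[0] == "access-group":         # access-group NAME in interface IF
            c["group"][w[4]] = w[1]
        elif w[0] == "static":               # static (real_if,mapped_if) MAPPED REAL ...
            c["static"].append((*w[1].strip("()").split(","), w[2], w[3]))
    return c

def acl_permits(entries, proto, src, dst, port):
    # Matches 'permit PROTO (any|host A) (any|host B) [eq PORT]' entries only.
    for e in (x for x in entries if x[0] == "permit"):
        t = e[2:]
        s, t = ("any", t[1:]) if t[0] == "any" else (t[1], t[2:])
        d, t = ("any", t[1:]) if t[0] == "any" else (t[1], t[2:])
        p = t[1] if t[:1] == ["eq"] else None
        if e[1] in (proto, "ip") and s in ("any", src) and d in ("any", dst) and p in (None, str(port)):
            return True
    return False

def check_flow(c, src_if, src, dst_if, dst, proto, port=None):
    # Returns (allowed, reason) for a new connection from src_if/src to dst_if/dst.
    name = c["group"].get(src_if)
    if name and not acl_permits(c["acl"].get(name, []), proto, src, dst, port):
        return False, f"acl {name} on {src_if} has no matching permit"
    if not name and c["level"][src_if] <= c["level"][dst_if]:
        return False, f"no acl on {src_if}: lower-to-higher security is denied by default"
    if c["level"][src_if] > c["level"][dst_if]:   # the higher-security host needs a static to the lower side
        high, low, ok = src_if, dst_if, lambda s: s[3] == src   # real address of the inside host
    else:
        high, low, ok = dst_if, src_if, lambda s: s[2] == dst   # mapped address the DMZ host targets
    if not any(s[0] == high and s[1] == low and ok(s) for s in c["static"]):
        return False, f"no static ({high},{low}) covering the {high} host"
    return True, "permitted"
```

Removing the static line from the constructed config reproduces the thread's symptom: the ACLs match, yet the check fails on the missing translation.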

tahseen12
Level 1

Give the below command; ICMP will work with correct ACLs.

Identity static:

static (inside,dmz) <ServerB IP> <ServerB IP> netmask 255.255.255.255
