05-03-2011 05:36 PM
PIX 525 6.3(4)120
Hello, I am trying to allow clients coming in from my "DMZ6" interface with source IPs from the subnet 192.168.2.0 /24 to ping and access hosts on my "DMZ1" interface with destination IPs in the subnet 10.5.11.0 /24. I think I have the associated static NATs and the ACLs set up to allow this to happen. What I have noticed from syslog messages is that the PIX is trying to build the TCP connection to the "Inside" interface, rather than to DMZ1. Even though the destination host (10.5.11.12) is directly connected on DMZ1, the PIX is still trying to send the traffic to the "Inside" instead. I tried adding a host route to force 10.5.11.12 /32 pointing to DMZ1 and the PIX still tries to send the packets Inside. This only seems to happen when I try to go from DMZ6 to DMZ1. If I try to access hosts located in DMZ3 for example, which is also a directly connected interface on the PIX, it appropriately builds the connection to DMZ3. Here are the pertinent rules. Am I missing something? Why would the PIX want to build the connection to the Inside, even though it knows that the destination host IP is directly connected to DMZ1?
ip address DMZ1 10.5.11.1 255.255.255.0
ip address DMZ6 10.5.16.1 255.255.255.0
ip address inside 10.5.18.17 255.255.255.240
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security90
nameif ethernet7 DMZ6 security40
access-list DMZ1_policy permit icmp any any
access-list DMZ6_policy permit icmp any any
access-list DMZ6_policy permit tcp any any eq 3389
access-group DMZ1_policy in interface DMZ1
access-group DMZ6_policy in interface DMZ6
static (DMZ1,DMZ6) 10.5.11.0 10.5.11.0 netmask 255.255.255.0
static (DMZ6,DMZ1) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
SYSLOG MESSAGE:
May 03 2011 04:42:56 ARA-01 : %PIX-6-302013: Built inbound TCP connection -1212474367 for DMZ6:192.168.2.30/1098 (192.168.2.30/1098) to inside:10.5.11.12/3389 (10.5.11.12/3389)
05/02/11 21:43:04 10.5.18.17_pix 10.5.18.17 21 6 May 03 2011 04:43:04 ARA-01 : %PIX-6-110001: No route to 10.5.11.12 from 192.168.2.30
05/02/11 21:44:58 10.5.18.17_pix 10.5.18.17 21 6 May 03 2011 04:44:58 ARA-01 : %PIX-6-302014: Teardown TCP connection -1212474367 for DMZ6:192.168.2.30/1098 to inside:10.5.11.12/3389 duration 0:02:02 bytes 0 SYN Timeout
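As an added example, not part of the original post and not Cisco code: a small Python checker that parses the three PIX syslog messages quoted above (302013, 110001, 302014) and compares the interface the PIX actually built the connection towards with the interface a longest-prefix route lookup over the posted subnets would pick. It assumes the only interfaces and routes that matter are the ones visible in the thread (the three "ip address" lines, the "route DMZ6 192.168.2.0" entry from the follow-up, and optionally the 10.5.11.12/32 host route the poster said they tried); the sample log lines are the ones from the post, re-typed with the stray spaces removed.

```python
import ipaddress
import re

# Topology as posted in the thread. Assumption: nothing else on the PIX
# (other interfaces, other statics, other routes) is relevant to the lookup.
INTERFACES = {
    "inside": ipaddress.ip_network("10.5.18.16/28"),   # ip address inside 10.5.18.17 255.255.255.240
    "DMZ1":   ipaddress.ip_network("10.5.11.0/24"),    # ip address DMZ1 10.5.11.1 255.255.255.0
    "DMZ6":   ipaddress.ip_network("10.5.16.0/24"),    # ip address DMZ6 10.5.16.1 255.255.255.0
}
STATIC_ROUTES = [
    ("DMZ6", ipaddress.ip_network("192.168.2.0/24")),  # route DMZ6 192.168.2.0 255.255.255.0 10.5.16.4
]
# The host route the poster added as an experiment (per the original post).
HOST_ROUTE_TRIED = [("DMZ1", ipaddress.ip_network("10.5.11.12/32"))]

# Sample log lines: the three messages quoted in the thread, re-typed here.
SAMPLE_LOG = [
    "May 03 2011 04:42:56 ARA-01 : %PIX-6-302013: Built inbound TCP connection -1212474367 "
    "for DMZ6:192.168.2.30/1098 (192.168.2.30/1098) to inside:10.5.11.12/3389 (10.5.11.12/3389)",
    "May 03 2011 04:43:04 ARA-01 : %PIX-6-110001: No route to 10.5.11.12 from 192.168.2.30",
    "May 03 2011 04:44:58 ARA-01 : %PIX-6-302014: Teardown TCP connection -1212474367 "
    "for DMZ6:192.168.2.30/1098 to inside:10.5.11.12/3389 duration 0:02:02 bytes 0 SYN Timeout",
]

BUILT_RE = re.compile(
    r"%PIX-6-302013: Built (?:inbound|outbound) TCP connection (-?\d+) "
    r"for (\w+):\s*([\d.]+)/(\d+) \(([\d.]+)/\d+\) "
    r"to (\w+):\s*([\d.]+)/(\d+) \(([\d.]+)/\d+\)"
)
NOROUTE_RE = re.compile(r"%PIX-6-110001: No route to ([\d.]+) from ([\d.]+)")
TEARDOWN_RE = re.compile(
    r"%PIX-6-302014: Teardown TCP connection (-?\d+) for (\w+):\s*([\d.]+)/\d+ "
    r"to (\w+):\s*([\d.]+)/\d+ duration (\S+) bytes (\d+) (.+)$"
)


def route_lookup(addr, extra_routes=()):
    """Longest-prefix match over connected subnets, static routes and any
    extra (interface, network) pairs. Returns the interface name or None."""
    ip = ipaddress.ip_address(addr)
    candidates = [(net, name) for name, net in INTERFACES.items()]
    candidates += [(net, name) for name, net in STATIC_ROUTES]
    candidates += [(net, name) for name, net in extra_routes]
    best = None
    for net, name in candidates:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else None


def analyze(lines, extra_routes=()):
    """Walk the syslog lines and flag: a connection built towards an interface
    the route table would not choose, a 110001 no-route event, and a teardown
    by SYN timeout with zero bytes (the three symptoms in the thread)."""
    findings = []
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            conn, src_if, src, _sport, _smap, dst_if, dst, dport, _dmap = m.groups()
            expected = route_lookup(dst, extra_routes)
            if expected is not None and expected != dst_if:
                findings.append({"kind": "egress_mismatch", "conn": conn, "src": src,
                                 "dst": f"{dst}/{dport}", "actual": dst_if,
                                 "expected": expected})
            continue
        m = NOROUTE_RE.search(line)
        if m:
            dst, src = m.groups()
            findings.append({"kind": "no_route", "dst": dst, "src": src,
                             "expected": route_lookup(dst, extra_routes)})
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            conn, _sif, _src, _dif, _dst, duration, nbytes, reason = m.groups()
            if reason.strip() == "SYN Timeout" and nbytes == "0":
                findings.append({"kind": "syn_timeout", "conn": conn,
                                 "duration": duration})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
    # Same result with the /32 host route present, as the poster observed.
    for f in analyze(SAMPLE_LOG, HOST_ROUTE_TRIED):
        print("with host route:", f)
```

Run against the quoted messages, the checker reports the 302013 connection as built towards "inside" while every route lookup (with or without the 10.5.11.12/32 host route) answers "DMZ1", then the 110001 no-route event for the same pair and the zero-byte SYN timeout. That the mismatch survives the host route is the point worth taking from the log: whatever selected "inside" for this flow, it was not the route table.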
05-03-2011 07:15 PM
The following is not needed in the configuration:
static (DMZ6,DMZ1) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
Please also "clear xlate" after you make any changes to NAT/Static NAT statement.
Can you also please advise that you have the following route in place:
route DMZ6 192.168.2.0 255.255.255.0 10.5.16.x
Are you able to ping to and from 192.168.2.30 and 10.5.11.12?
05-04-2011 10:39 AM
Yes, I have:
route DMZ6 192.168.2.0 255.255.255.0 10.5.16.4
And I am unable to ping to and from 192.168.2.30 and 10.5.11.12.
Thanks