Cisco PIX 501, Configuration problems in DMZ

 
 
Heiko Moßmann
01-25-2005
Thx Daniel for the reply.
We already fixed the subnetting mistake yesterday, as we mentioned.
Actually there is no router in our test environment, so it's only the
firewall u see on the picture and the company connect router on the
right border. Additionally a test client connected to the PIX, now with
the IP 10.2.0.8, is in the same subnet (255.255.255.240) as the inbound
interface (10.2.0.2) on that firewall. The gateway of the client is
10.2.0.2.

Sorry, it was my mistake because our picture was not up to date.

Here is a new one:

http://www.badbox.de/heiko.gif

That's our actual setup of the test environment. Although we fixed
the wrong client IP address, I can't ping the outbound interface of
the PIX starting at our test client. It still works to ping the router
interface from the outbound interface of the PIX, as well as to ping the
inbound interface of the PIX starting at the test client.
Something still seems not to work in the internal routing of the
PIX :/

Or is it possible that u can't directly connect a client to the PIX and
start a ping to the router? Perhaps it is necessary to have that
static route on the router u talked about? ... I can't check that at
the moment because the router isn't configured yet. Another idea is that
I can't set the inbound interface of the PIX as the standard gateway and I
need to set the router we will later add to the environment (u see it
on the first picture I posted) as the standard gateway.

Plz tell me ur opinion

Regards
Heiko
 
Daniel Prinsloo - www.CherryFive.com
01-25-2005
OK,
let's try the following. We are going to add the ICMP permit command to
the PIX to allow you to ping the outside interface, as this is denied by
default. The command is - "icmp permit any any outside". icmp permit
any any outside is used during the testing/debugging phase of your
configuration process. Make sure that you change it to not respond
to ping requests after you complete testing. It is a security risk to
leave it accepting and responding to ICMP packets.
Please let me know the response.
Regards,
Daniel
www.CherryFive.com

After the icmp permit command has been configured, you can ping the
outside interface on your Cisco PIX Firewall and ping from hosts on
each firewall interface.

Heiko Moßmann wrote:
> Thx Daniel for the reply.
> We already fixed the subnetting mistake yesterday, as we mentioned.
> Actually there is no router in our test environment, so it's only the
> firewall u see on the picture and the company connect router on the
> right border. Additionally a test client connected to the PIX, now with
> the IP 10.2.0.8, is in the same subnet (255.255.255.240) as the inbound
> interface (10.2.0.2) on that firewall. The gateway of the client is
> 10.2.0.2.
>
> Sorry, it was my mistake because our picture was not up to date.
>
> Here is a new one:
>
> http://www.badbox.de/heiko.gif
>
> That's our actual setup of the test environment. Although we fixed
> the wrong client IP address, I can't ping the outbound interface of
> the PIX starting at our test client. It still works to ping the router
> interface from the outbound interface of the PIX, as well as to ping the
> inbound interface of the PIX starting at the test client.
> Something still seems not to work in the internal routing of the
> PIX :/
>
> Or is it possible that u can't directly connect a client to the PIX and
> start a ping to the router? Perhaps it is necessary to have that
> static route on the router u talked about? ... I can't check that at
> the moment because the router isn't configured yet. Another idea is that
> I can't set the inbound interface of the PIX as the standard gateway and I
> need to set the router we will later add to the environment (u see it
> on the first picture I posted) as the standard gateway.
>
> Plz tell me ur opinion
>
> Regards
> Heiko


 
Daniel Prinsloo - www.CherryFive.com
01-26-2005
Heiko,
good morning. Sorry to use the Google interface, but I am at a customer
and am not able to send mail out.
It is good that the access-list solved your ICMP problem. To now get
other protocols to work you need to add them to your access-list, as an
access-list has a deny statement at the end which is not shown in the
config. So, if you want something to work with an access-list you must
specify it in your access-list, such as "access-list acl_out permit tcp
any any" or similar. This is not the best solution but will get you
going if you are stuck.
If you want, you can e-mail me a telephone number directly and I will
help you get it going.
Regards,
Daniel
www.CherryFive.com
Daniel Prinsloo - www.CherryFive.com wrote:
> OK,
> let's try the following. We are going to add the ICMP permit command to
> the PIX to allow you to ping the outside interface, as this is denied by
> default. The command is - "icmp permit any any outside". icmp permit
> any any outside is used during the testing/debugging phase of your
> configuration process. Make sure that you change it to not respond
> to ping requests after you complete testing. It is a security risk to
> leave it accepting and responding to ICMP packets.
> Please let me know the response.
> Regards,
> Daniel
> www.CherryFive.com
>
> After the icmp permit command has been configured, you can ping the
> outside interface on your Cisco PIX Firewall and ping from hosts on
> each firewall interface.
>
> Heiko Moßmann wrote:
> > Thx Daniel for the reply.
> > We already fixed the subnetting mistake yesterday, as we mentioned.
> > Actually there is no router in our test environment, so it's only the
> > firewall u see on the picture and the company connect router on the
> > right border. Additionally a test client connected to the PIX, now with
> > the IP 10.2.0.8, is in the same subnet (255.255.255.240) as the inbound
> > interface (10.2.0.2) on that firewall. The gateway of the client is
> > 10.2.0.2.
> >
> > Sorry, it was my mistake because our picture was not up to date.
> >
> > Here is a new one:
> >
> > http://www.badbox.de/heiko.gif
> >
> > That's our actual setup of the test environment. Although we fixed
> > the wrong client IP address, I can't ping the outbound interface of
> > the PIX starting at our test client. It still works to ping the router
> > interface from the outbound interface of the PIX, as well as to ping the
> > inbound interface of the PIX starting at the test client.
> > Something still seems not to work in the internal routing of the
> > PIX :/
> >
> > Or is it possible that u can't directly connect a client to the PIX and
> > start a ping to the router? Perhaps it is necessary to have that
> > static route on the router u talked about? ... I can't check that at
> > the moment because the router isn't configured yet. Another idea is that
> > I can't set the inbound interface of the PIX as the standard gateway and I
> > need to set the router we will later add to the environment (u see it
> > on the first picture I posted) as the standard gateway.
> >
> > Plz tell me ur opinion
> >
> > Regards
> > Heiko
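
The two pieces of advice in this thread (the "icmp permit any any outside" debugging rule in Daniel's first reply, and the access-list whose deny statement "is not shown in the config" in his second) can both be checked mechanically before a test firewall goes live. The Python below is an added example, not code from the thread or from Cisco: it parses a small subset of PIX-style configuration lines, evaluates an access-list the way Daniel describes it (first matching entry wins, unwritten deny at the end), and flags the two settings he says should not outlive the testing phase. The two configuration excerpts are constructed for the illustration; 10.2.0.8 is the test client from the thread, while the 198.51.100.7 source address, the acl_out name and the port-80 rule are made up.

```python
"""Audit the PIX debugging settings discussed in this thread (added example,
not from the thread or from Cisco). Handles this subset of PIX 6.x-style lines:
  icmp permit|deny <addr-spec> [icmp-type] <ifname>
  access-list <name> permit|deny <proto> <src-spec> <dst-spec> [eq <port>]
  access-group <name> in interface <ifname>
where <addr-spec> is 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]     # from "eq <port>"; None matches every port

@dataclass
class IcmpRule:
    action: str
    src: ipaddress.IPv4Network
    icmp_type: Optional[str]    # None means every ICMP type
    ifname: str

def _addr_spec(tokens, i):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # dotted-mask form, e.g. "10.2.0.0 255.255.255.240"
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_pix_config(text):
    """Return {'icmp': [IcmpRule], 'acls': {name: [Ace]}, 'groups': {ifname: acl}}."""
    cfg = {"icmp": [], "acls": {}, "groups": {}}
    for line in text.splitlines():
        t = line.split()
        if not t or t[0].startswith("!"):
            continue                                   # blank line or comment
        if t[0] == "icmp" and t[1] in ("permit", "deny"):
            src, i = _addr_spec(t, 2)
            ifname = t[-1]
            icmp_type = t[i] if i < len(t) - 1 else None
            if icmp_type == "any":                     # "icmp permit any any outside"
                icmp_type = None
            cfg["icmp"].append(IcmpRule(t[1], src, icmp_type, ifname))
        elif t[0] == "access-list" and t[2] in ("permit", "deny"):
            name, action, proto = t[1], t[2], t[3]
            src, i = _addr_spec(t, 4)
            dst, i = _addr_spec(t, i)
            port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            cfg["acls"].setdefault(name, []).append(Ace(action, proto, src, dst, port))
        elif t[0] == "access-group" and len(t) >= 5:
            cfg["groups"][t[4]] = t[1]                 # interface -> access-list name
    return cfg

def acl_permits(aces, proto, src_ip, dst_ip, dst_port=None):
    """First matching entry decides; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action == "permit"
    return False  # the deny statement at the end that the config never shows

def audit(cfg):
    """Flag settings the thread calls acceptable for debugging but not for production."""
    findings = []
    for r in cfg["icmp"]:
        if r.action == "permit" and r.ifname == "outside" and r.src == ANY and r.icmp_type is None:
            findings.append("icmp permit any any outside: answers every ICMP type on the "
                            "outside interface; remove once testing is done")
    for name, aces in cfg["acls"].items():
        for a in aces:
            if a.action == "permit" and a.src == ANY and a.dst == ANY and a.dst_port is None:
                findings.append(f"access-list {name} permit {a.proto} any any: over-broad; "
                                "list only the hosts and ports that are needed")
    for ifname, name in cfg["groups"].items():
        if name not in cfg["acls"]:
            findings.append(f"access-group on {ifname} references missing access-list {name}")
    return findings

# Constructed debugging-phase excerpt, following the thread's advice literally.
DEBUG_CONFIG = """\
icmp permit any any outside
access-list acl_out permit tcp any any
access-group acl_out in interface outside
"""

# Constructed tightened excerpt: stop answering pings on the outside interface and
# permit one service to one host (10.2.0.8 is the thread's test client; the port is made up).
TIGHT_CONFIG = """\
icmp deny any outside
access-list acl_out permit tcp any host 10.2.0.8 eq 80
access-group acl_out in interface outside
"""

if __name__ == "__main__":
    for label, text in (("debug", DEBUG_CONFIG), ("tight", TIGHT_CONFIG)):
        cfg = parse_pix_config(text)
        acl = cfg["acls"]["acl_out"]
        print(label, "tcp/22 from 198.51.100.7 ->", acl_permits(acl, "tcp", "198.51.100.7", "10.2.0.8", 22))
        print(label, "findings:", audit(cfg) or "none")
```

Running it shows the point of the two posts side by side: the debugging excerpt lets any TCP flow through and produces two findings, while the tightened excerpt lets only port 80 to 10.2.0.8 through, drops everything else on the implicit deny, and produces none.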


 