Velocity Reviews - Computer Hardware Reviews

PIX dropping traffic

snizfast@gmail.com
07-15-2005
I am setting up a pair of PIX 506e with a DMZ between them. I am
having a problem getting traffic from my DMZ into the LAN. For testing
I have put a test ACL in to permit anything, but it's still giving me
issues. The outside PIX is doing the NAT/PAT and this one is doing the
SNAT. When I do show access-list I can see the hits incrementing on
the test ACL, but I still can not get a response from my pings. Does
this ring a bell with anyone? Here is the config from the inside
PIX.

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname inside
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list test permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside DMZ.110 255.255.255.240
ip address inside LAN.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) LAN_IP.2 DMZ_IP.100 netmask 255.255.255.255 0 0
static (inside,outside) LAN_IP.4 DMZ_IP.101 netmask 255.255.255.255 0 0
static (inside,outside) LAN_IP.209 DMZ_IP.102 netmask 255.255.255.255 0 0
static (inside,outside) LAN_IP.247 DMZ_IP.103 netmask 255.255.255.255 0 0
static (inside,outside) LAN_IP.248 DMZ_IP.104 netmask 255.255.255.255 0 0
static (inside,outside) LAN_IP.10 DMZ_IP.106 netmask 255.255.255.255 0 0
access-group test in interface outside
route outside 0.0.0.0 0.0.0.0 DMZ_IP.97 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
ntp server 209.198.87.41 source outside
floodguard enable
console timeout 10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
banner motd This is a private system...begone!

Walter Roberson
07-15-2005
In article <(E-Mail Removed) .com>,
<(E-Mail Removed)> wrote:
:I am setting up a pair of PIX 506e with a DMZ between them.

That isn't a standard phrasing; when I first read your posting I
thought you meant VPN between them. DMZ would normally refer to
additional (3rd and onward) interfaces.


: I am
:having a problem getting traffic from my DMZ into the LAN. For testing
:I have put an test ACL to permit anything but its still giving me
:issues. The outside PIX is doing the NAT/PAT and this one is doing the
:SNAT. When I do show access-list I can see the hits incrementing on
:the test ACL but I still can not get a response from my pings.

:access-list test permit ip any any

:ip address outside DMZ.110 255.255.255.240
:ip address inside LAN.5 255.255.255.0

:static (inside,outside) LAN_IP.2 DMZ_IP.100 netmask 255.255.255.255 0 0

static (inside,outside) DMZ_IP.100 LAN_IP.2 netmask 255.255.255.255 0 0


When you construct a 'static' statement, you list two interfaces
and then two IPs. The IP that you list first is for the
*second* interface, and the IP that you list second is for the *first*
interface. [No, I don't know why they chose that order...]
--
"Who Leads?" / "The men who must... driven men, compelled men."
"Freak men."
"You're all freaks, sir. But you always have been freaks.
Life is a freak. That's its hope and glory." -- Alfred Bester, TSMD
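A check for the argument order Walter describes, as an added example that is not part of the original thread: a small Python linter that reads the `ip address` lines to learn each interface's connected subnet, then flags any `static` whose two addresses sit on the wrong sides and prints the corrected statement. The embedded sample config is constructed for the example (192.0.2.96/28 stands in for the DMZ side, 10.1.1.0/24 for the LAN; the thread's own config uses placeholders) and contains only the lines the checker needs. It assumes, as in this thread, that mapped addresses are drawn from the mapped interface's connected subnet; a static that maps a separately routed block would be reported as off-subnet rather than as swapped.

```python
"""Lint Cisco PIX 6.x 'static' lines for swapped address arguments.

PIX syntax:   static (real_ifc,mapped_ifc) mapped_ip real_ip netmask <mask> ...
The first address belongs to the SECOND interface (the mapped/global side) and
the second address to the FIRST interface (the real/local side).  A static with
the two addresses swapped is accepted by the PIX and the interface ACL still
counts hits, but no translation ever matches the inbound packet, so it is
dropped, which is the symptom described in the thread.
"""
import ipaddress
import re

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)(.*)$")

# Constructed sample config for this example (not the thread's real addresses):
# 192.0.2.96/28 plays the DMZ between the two PIXes, 10.1.1.0/24 the LAN.
# The first static has its addresses in the wrong order, the second is correct.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.110 255.255.255.240
ip address inside 10.1.1.5 255.255.255.0
global (outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.1.1.2 192.0.2.100 netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.101 10.1.1.4 netmask 255.255.255.255 0 0
access-list test permit ip any any
access-group test in interface outside
"""


def parse_interfaces(config):
    """Map interface name -> connected subnet, from 'ip address <ifc> <ip> <mask>' lines."""
    nets = {}
    for line in config.splitlines():
        m = IP_ADDR_RE.match(line.strip())
        if m:
            ifc, ip, mask = m.groups()
            nets[ifc] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return nets


def lint_statics(config):
    """Return one (line, status, suggestion) tuple per 'static' line.

    status: 'ok'                 both addresses on the expected sides
            'swapped'            both on the wrong sides; suggestion is the fixed line
            'off-subnet'         an address on neither expected subnet
            'unknown-interface'  static names an interface with no 'ip address'
            'unparsed'           address is a name (PIX 'names') rather than an IP
    """
    nets = parse_interfaces(config)
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if not m:
            continue
        real_ifc, mapped_ifc, first, second, rest = m.groups()
        if real_ifc not in nets or mapped_ifc not in nets:
            findings.append((line, "unknown-interface", None))
            continue
        try:
            first_ip, second_ip = ipaddress.ip_address(first), ipaddress.ip_address(second)
        except ValueError:
            findings.append((line, "unparsed", None))
            continue
        if first_ip in nets[mapped_ifc] and second_ip in nets[real_ifc]:
            findings.append((line, "ok", line))
        elif first_ip in nets[real_ifc] and second_ip in nets[mapped_ifc]:
            # Same interfaces and modifiers, addresses put back in PIX order.
            fixed = f"static ({real_ifc},{mapped_ifc}) {second} {first}{rest}"
            findings.append((line, "swapped", fixed))
        else:
            findings.append((line, "off-subnet", None))
    return findings


if __name__ == "__main__":
    for line, status, suggestion in lint_statics(SAMPLE_CONFIG):
        print(f"{status:10} {line}")
        if status == "swapped":
            print(f"{'fix:':>10} {suggestion}")
```

Run against a real PIX config the statics are checked in place; the mistake in the thread shows up as one `swapped` line per static, each with the corrected statement beside it.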
snizfast@gmail.com
07-15-2005
Thanks for your reply, and that was it. I was also unable to ping
anything on my LAN, but I added a static map for all of those addresses,
which took care of that.
