Cisco PIX 501, Configuration problems in DMZ

Discussion in 'Cisco' started by Heiko Mo?mann, Jan 25, 2005.

  1. Thanks Daniel for the reply.
    We already fixed the subnetting mistake yesterday, as we mentioned.
    Actually there is no router in our test environment, so it is only the
    firewall you see on the picture and the company connect router on the
    right border. Additionally, a test client connected to the PIX, now with
    the IP 10.2.0.8, is in the same subnet (255.255.255.240) as the inbound
    interface (10.2.0.2) on that firewall. The gateway of the client is
    10.2.0.2.

    Sorry, it was my mistake because our picture was not up to date.

    Here is a new one:

    http://www.badbox.de/heiko.gif

    That is our actual setup of the test environment. Even though we fixed
    the wrong client IP address, I can't ping the outbound interface of
    the PIX starting at our test client. It still works to ping the router
    interface from the outbound interface of the PIX, as well as to ping the
    inbound interface of the PIX starting at the test client.
    Something still seems not to work in the internal routing of the
    PIX :/

    Or is it possible that you can't directly connect a client to the PIX and
    start a ping to the router? Perhaps it is necessary to have that
    static route on the router you talked about? ... I can't check that at
    the moment because the router isn't configured yet. Another idea is that
    I can't set the inbound interface of the PIX as the default gateway and I
    need to set the router we will later add to the environment (you see it
    on the first picture I posted) as the default gateway.

    Please tell me your opinion.

    Regards
    Heiko
    Heiko Mo?mann, Jan 25, 2005
    #1

  2. OK,
    let's try the following. We are going to add the ICMP permit command to
    the PIX to allow you to ping the outside interface, as this is denied by
    default. The command is "icmp permit any any outside". "icmp permit
    any any outside" is used during the testing/debugging phase of your
    configuration process. Make sure that you change it to not respond
    to ping requests after you complete testing. It is a security risk to
    leave it accepting and responding to ICMP packets.
    Please let me know the response.
    Regards,
    Daniel
    www.CherryFive.com

    After the icmp permit command has been configured, you can ping the
    outside interface on your Cisco PIX Firewall and ping from hosts on
    each firewall interface.

    Daniel Prinsloo - www.CherryFive.com, Jan 25, 2005
    #2
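    The two phases Daniel describes, written out as an added example in PIX
    6.x syntax (this is not configuration from the thread or from CherryFive;
    interface names inside/outside are assumed, the client address 10.2.0.8/28
    is taken from Heiko's post). The first part is the loose lab setting, the
    second is what to replace it with once the ping tests are done. Note that
    the icmp command only governs ICMP that terminates on the firewall's own
    interfaces; traffic passing through the PIX is controlled by access-lists.

```cisco
! --- Lab / troubleshooting phase -------------------------------------
! Answer any ICMP that terminates on the outside interface. Source is
! deliberately unrestricted ("any") so that the far side can be tested.
icmp permit any outside

! Watch each echo / echo-reply pair while testing, then switch it off.
debug icmp trace
no debug icmp trace

! --- Hardened replacement after testing ------------------------------
! Drop the permit-all, then allow on the outside interface only the ICMP
! the firewall itself needs to receive (replies to its own pings and
! path/unreachable signalling), and deny everything else that terminates
! there. The icmp list is evaluated top-down, first match wins.
no icmp permit any outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any outside

! Inside: keep the lab client's ping to the inside interface working,
! but only for that host (10.2.0.8 is the client from the thread).
icmp permit host 10.2.0.8 echo inside
icmp permit any echo-reply inside
icmp deny any inside

! Confirm the resulting interface ICMP policy and save it.
show icmp
write memory
```

    One caveat worth checking before spending more time on this symptom:
    Cisco documents that the PIX does not answer ICMP sent to one of its
    interfaces from a host that sits behind a different interface (the
    "far" interface cannot be pinged). A ping from 10.2.0.8 to the outside
    interface address is therefore not a useful through-the-firewall test;
    pinging the router beyond the PIX is.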
  4. Heiko,
    good morning. Sorry to use the Google interface, but I am at a customer
    and am not able to send mail out.
    It is good that the access-list solved your ICMP problem. To now get
    other protocols to work you need to add them to your access-list, as an
    access-list has a deny statement at the end which is not shown in the
    config. So, if you want something to work with an access-list you must
    specify it in your access-list, such as "access-list acl_out permit tcp
    any any" or similar. This is not the best solution but will get you
    going if you are stuck.
    If you want, you can e-mail me directly a telephone number and I will
    help you get it going.
    Regards,
    Daniel
    www.CherryFive.com
    Daniel Prinsloo - www.CherryFive.com, Jan 26, 2005
    #4
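    The access-list point above, as an added example (not from the thread,
    not CherryFive's configuration): the "permit tcp any any" line Daniel
    calls a stopgap, followed by the tightened list a practitioner would
    actually leave in place. PIX 6.x syntax; the names acl_out and acl_in,
    the interface names and the web port are assumptions, 10.2.0.8 is the
    lab client from the thread. Every access-list ends with an implicit deny,
    so anything that is not explicitly permitted is dropped, and once an
    access-group is bound to an interface that implicit deny replaces the
    default higher-to-lower-security permit on that interface.

```cisco
! --- Stopgap from the thread ------------------------------------------
! Applied inbound on outside this admits any TCP from the Internet into
! the lab; fine for an isolated test, not for anything reachable.
access-list acl_out permit tcp any any
access-group acl_out in interface outside

! --- Tightened version -------------------------------------------------
! Clear the old list, then permit only what the lab needs to see arriving
! on outside: the ICMP replies to pings launched from inside. Everything
! else hits the implicit deny at the end of the list.
no access-list acl_out
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any unreachable
access-list acl_out permit icmp any any time-exceeded
access-group acl_out in interface outside

! Inside: binding a list here removes the default "permit everything
! outbound", so state exactly what the client may originate.
access-list acl_in permit icmp host 10.2.0.8 any echo
access-list acl_in permit tcp host 10.2.0.8 any eq 80
access-group acl_in in interface inside

! Hit counters per entry show which line a packet matched (or that it
! matched nothing and was dropped by the implicit deny).
show access-list
write memory
```

    Two checks that go with this: `show access-list` hit counts tell you
    whether a failing connection is even reaching the list, and a PIX 6.x
    box still forwards nothing without a translation entry (nat/global, a
    static, or `nat (inside) 0 access-list ...` for no-NAT), so an
    access-list that looks right but never shows hits usually points at
    the translation, not the list.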