Going from higher security level interface to lower security interface - HELP!!!

Discussion in 'Cisco' started by AM, Dec 22, 2004.

  1. AM

    AM Guest

    What do I have to do to accomplish this?

    I have 5 interfaces:
    inside 100
    DMZ_I 20
    DMZ_E 10
    Tunn_ 5
    outside 0

    Host A behind DMZ_I must establish a connection to host B behind DMZ_E.
    A must present itself with its own IP address.
    Which command does this?

    I know it is quite a stupid question, but I'm trying to do this via the PIX web interface and I cannot accomplish this result.

    Thank you for your support,


    Alex.
    AM, Dec 22, 2004
    #1

  2. AM

    AM Guest

    Re: Going from higher security level interface to lower security interface - HELP!!! -

    AM wrote:

    > What do I have to do to accomplish this?
    >
    > I have 5 interfaces:
    > inside 100
    > DMZ_I 20
    > DMZ_E 10
    > Tunn_ 5
    > outside 0
    >
    > Host A behind DMZ_I must establish a connection to host B behind DMZ_E.
    > A must present itself with its own IP address.
    > Which command does this?
    >
    > I know it is quite a stupid question, but I'm trying to do this via the PIX web
    > interface and I cannot accomplish this result.
    >
    > Thank you for your support,
    >
    >
    > Alex.


    Another thing that could help me troubleshoot the problem above is this.
    I looked at the syslog messages of the PIX.
    They tell me which access list dropped the packets. Is there a way to know which rule performed the drop?

    For example, does the following message

    Dec 22 09:22:13 --firewall--.--mycompany--.com %PIX-4-106023: Deny icmp src DMZ_I:192.168.28.1 dst DMZ_E:10.132.0.16 (type 8, code 0) by access-group "DMZ_I_access_in"

    have a particular meaning? Or does it simply tell me the packet was dropped by that access list?

    Thank you
    Alex.
    AM, Dec 22, 2004
    #2

  3. In article <KSayd.37753$>, AM <> wrote:
    :What do I have to do to accomplish this?

    :I have 5 interfaces:
    :inside 100
    :DMZ_I 20
    :DMZ_E 10
    :Tunn_ 5
    :outside 0

    :Host A behind DMZ_I must establish a connection to host B behind DMZ_E.
    :A must present itself with its own IP address.
    :Which command does this?

    Forgive me, but I'm tired of answering pretty much the same question
    every few days, so I'll just point you to an extensive answer I
    wrote up a few days ago:

    http://groups.google.ca/groups?selm=cpt9d2$5bm$
    --
    Are we *there* yet??
    Walter Roberson, Dec 22, 2004
    #3
  4. Re: Going from higher security level interface to lower security interface - HELP!!! -

    In article <XYayd.34177$>, AM <> wrote:

    :Another thing that could help me troubleshoot the problem above is this.
    :I looked at the syslog messages of the PIX.
    :They tell me which access list dropped the packets. Is there a way to know which rule performed the drop?

    Not directly. If, though, you show access-list DMZ_I_access_in
    then you will see 'hit' counts at the end of each line. Those counts
    are incremented each time there is a match.


    :For example, does the following message

    :Dec 22 09:22:13 --firewall--.--mycompany--.com %PIX-4-106023: Deny icmp src DMZ_I:192.168.28.1 dst DMZ_E:10.132.0.16 (type 8, code 0) by access-group "DMZ_I_access_in"

    :have a particular meaning? Or does it simply tell me the packet was dropped by that access list?

    It tells you that an ICMP Echo (aka ping) packet was not
    permitted to go from interface DMZ_I, IP address 192.168.28.1,
    to interface DMZ_E, IP address 10.132.0.16, and that the denial
    was due to some rule in DMZ_I_access_in.

    It also implicitly tells you that 192.168.28.1 *would* be able to go to
    10.132.0.16 if it were allowed to by the ACL. You know that because
    if the PIX did not know how to get packets from 192.168.28.1
    to 10.132.0.16 then the PIX would have instead generated a message
    about "No translation group". Translations are checked before ACLs.

    It does not, though, tell you what IP address that 192.168.28.1
    would be presented as to 10.132.0.16. For that, you need
    to turn your logging level up to at least 6, and see the
    PIX-6-305011 message. I do not recall at the moment, though,
    whether 305011 is generated before ACLs are checked.
    --
    Come to think of it, there are already a million monkeys on a million
    typewriters, and Usenet is NOTHING like Shakespeare. -- Blair Houghton.
    Walter Roberson, Dec 22, 2004
    #4
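Walter's two points above, that a 106023 message names only the access-group and not the entry, and that a "No translation group" message means the packet was dropped before any ACL was consulted, can be worked mechanically against the logs and the `show access-list` hit counts. The script below is an added example written for this page; it is not code from the thread or from Cisco. It parses 106023 and 305005 messages, parses `show access-list` output, and returns the first access-list entry that matches each denied flow, which under top-down evaluation is the entry whose hitcnt moved. Only the first syslog line is Alex's; the other log lines, the ACL and the exact field layouts are constructed, with the message formats assumed from PIX 6.x documentation, and the ACE parser handles only the keyword forms used here (any / host A / A MASK, optional `eq <port>`), not object-groups, port ranges or the 305011 xlate messages Walter mentions.

```python
"""Correlate %PIX-4-106023 ACL denies with `show access-list` hit counts.

Added example, not code from the thread or from Cisco. The first SYSLOG line
is the one posted in the thread (hostname placeholders kept); every other log
line and the whole SHOW_ACL text are CONSTRUCTED, with layouts assumed from
PIX 6.x documentation. The PIX prints well-known ports by name (https), hence
the small, partial PORT_NAMES table.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SYSLOG = """\
Dec 22 09:22:13 --firewall--.--mycompany--.com %PIX-4-106023: Deny icmp src DMZ_I:192.168.28.1 dst DMZ_E:10.132.0.16 (type 8, code 0) by access-group "DMZ_I_access_in"
Dec 22 09:22:20 --firewall--.--mycompany--.com %PIX-4-106023: Deny tcp src DMZ_I:192.168.28.1/40512 dst DMZ_E:10.132.0.16/22 by access-group "DMZ_I_access_in"
Dec 22 09:22:25 --firewall--.--mycompany--.com %PIX-3-305005: No translation group found for tcp src DMZ_I:192.168.28.77/1025 dst Tunn_:172.16.9.4/22
"""

SHOW_ACL = """\
access-list DMZ_I_access_in; 3 elements
access-list DMZ_I_access_in line 1 permit tcp 192.168.28.0 255.255.255.0 host 10.132.0.16 eq https (hitcnt=42)
access-list DMZ_I_access_in line 2 deny icmp any any (hitcnt=7)
access-list DMZ_I_access_in line 3 deny ip any any (hitcnt=1)
"""

PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "domain": 53}  # partial, for the sample

DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<sif>[^:\s]+):(?P<sip>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dif>[^:\s]+):(?P<dip>[\d.]+)(?:/(?P<dport>\d+))?'
    r'(?: \(type (?P<itype>\d+), code (?P<icode>\d+)\))? '
    r'by access-group "(?P<acl>[^"]+)"')
NOXLATE_RE = re.compile(
    r'%PIX-3-305005: No translation group found for (?P<proto>\w+) '
    r'src (?P<sif>[^:\s]+):(?P<sip>[\d.]+)')
ACE_RE = re.compile(
    r'^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<rest>.+?) \(hitcnt=(?P<hits>\d+)\)', re.M)

@dataclass
class Deny:
    proto: str; src_if: str; src: str; dst_if: str; dst: str
    dport: Optional[int]; acl: str

@dataclass
class Ace:
    acl: str; line: int; action: str; proto: str
    src: ipaddress.IPv4Network; dst: ipaddress.IPv4Network; dport: Optional[int]; hitcnt: int

def parse_denies(text: str) -> List[Deny]:
    """Extract the flow and the ACL name from every 106023 message (ports absent for ICMP)."""
    return [Deny(m["proto"], m["sif"], m["sip"], m["dif"], m["dip"],
                 int(m["dport"]) if m["dport"] else None, m["acl"])
            for m in DENY_RE.finditer(text)]

def no_translation_flows(text: str) -> List[Tuple[str, str, str]]:
    """305005 flows never reached an ACL: translation is checked before ACLs."""
    return [(m["proto"], m["sif"], m["sip"]) for m in NOXLATE_RE.finditer(text)]

def _take_addr(toks: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address spec ('any' | 'host A' | 'A MASK'); return (network, rest)."""
    if toks[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.IPv4Network(toks[1] + "/32"), toks[2:]
    return ipaddress.IPv4Network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]

def _take_port(toks: List[str]) -> Tuple[Optional[int], List[str]]:
    """Consume an optional 'eq <port|name>'; return (port, rest)."""
    if toks[:1] == ["eq"]:
        return (PORT_NAMES[toks[1]] if toks[1] in PORT_NAMES else int(toks[1])), toks[2:]
    return None, toks

def parse_show_access_list(text: str) -> List[Ace]:
    """Turn `show access-list` lines into Ace records, keeping the hitcnt."""
    aces = []
    for m in ACE_RE.finditer(text):
        toks = m["rest"].split()
        action, proto, toks = toks[0], toks[1], toks[2:]
        src, toks = _take_addr(toks)
        _, toks = _take_port(toks)          # source port, not needed for matching here
        dst, toks = _take_addr(toks)
        dport, _ = _take_port(toks)
        aces.append(Ace(m["acl"], int(m["line"]), action, proto, src, dst, dport, int(m["hits"])))
    return aces

def responsible_ace(aces: List[Ace], d: Deny) -> Optional[Ace]:
    """First matching entry wins (top-down evaluation); None means the implicit deny."""
    for ace in sorted(aces, key=lambda a: a.line):
        if (ace.acl == d.acl and ace.proto in ("ip", d.proto)
                and ipaddress.IPv4Address(d.src) in ace.src
                and ipaddress.IPv4Address(d.dst) in ace.dst
                and (ace.dport is None or ace.dport == d.dport)):
            return ace
    return None

if __name__ == "__main__":
    acl = parse_show_access_list(SHOW_ACL)
    for d in parse_denies(SYSLOG):
        hit = responsible_ace(acl, d)
        print(d.proto, f"{d.src_if}:{d.src} -> {d.dst_if}:{d.dst}", "denied by", d.acl,
              f"line {hit.line} (hitcnt={hit.hitcnt})" if hit else "implicit deny")
    for proto, sif, sip in no_translation_flows(SYSLOG):
        print(proto, f"{sif}:{sip}", "no xlate; ACL never consulted")
```

Run it twice with a `show access-list` capture taken before and after the denied traffic and the entry returned by `responsible_ace` is the one whose hitcnt should have incremented; if none is returned, the drop came from the implicit deny at the end of the ACL, which has no hitcnt line to compare against.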
  5. AM

    AM Guest

    Re: Going from higher security level interface to lower security interface - HELP!!! -

    Walter Roberson wrote:

    > In article <KSayd.37753$>, AM <> wrote:
    > :What do I have to do to accomplish this?


    [CUT]

    >
    > Forgive me, but I'm tired of answering pretty much the same question
    > every few days, so I'll just point you to an extensive answer I
    > wrote up a few days ago:
    >
    > http://groups.google.ca/groups?selm=cpt9d2$5bm$

    I thank you publicly for your patience and support

    Alex.
    AM, Dec 28, 2004
    #5
