PIX dropping traffic

Discussion in 'Cisco' started by snizfast@gmail.com, Jul 15, 2005.

  1. Guest

    I am setting up a pair of PIX 506e with a DMZ between them. I am
    having a problem getting traffic from my DMZ into the LAN. For testing
    I have put a test ACL to permit anything but it's still giving me
    issues. The outside PIX is doing the NAT/PAT and this one is doing the
    SNAT. When I do show access-list I can see the hits incrementing on
    the test ACL but I still cannot get a response from my pings. Does
    this ring a bell with anyone? Here are the configs from the inside
    PIX.

    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname inside
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list test permit ip any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside DMZ.110 255.255.255.240
    ip address inside LAN.5 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) LAN_IP.2 DMZ_IP.100 netmask 255.255.255.255 0 0
    static (inside,outside) LAN_IP.4 DMZ_IP.101 netmask 255.255.255.255 0 0
    static (inside,outside) LAN_IP.209 DMZ_IP.102 netmask 255.255.255.255 0 0
    static (inside,outside) LAN_IP.247 DMZ_IP.103 netmask 255.255.255.255 0 0
    static (inside,outside) LAN_IP.248 DMZ_IP.104 netmask 255.255.255.255 0 0
    static (inside,outside) LAN_IP.10 DMZ_IP.106 netmask 255.255.255.255 0 0
    access-group test in interface outside
    route outside 0.0.0.0 0.0.0.0 DMZ_IP.97 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa-server partnerauth protocol radius
    aaa-server partnerauth max-failed-attempts 3
    aaa-server partnerauth deadtime 10
    ntp server 209.198.87.41 source outside
    floodguard enable
    console timeout 10
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    banner motd This is a private system...begone!
     
    , Jul 15, 2005
    #1

  2. In article <>,
    <> wrote:
    :I am setting up a pair of PIX 506e with a DMZ between them.

    That isn't a standard phrasing; when I first read your posting I
    thought you meant VPN between them. DMZ would normally refer to
    additional (3rd and onward) interfaces.


    : I am
    :having a problem getting traffic from my DMZ into the LAN. For testing
    :I have put a test ACL to permit anything but it's still giving me
    :issues. The outside PIX is doing the NAT/PAT and this one is doing the
    :SNAT. When I do show access-list I can see the hits incrementing on
    :the test ACL but I still cannot get a response from my pings.

    :access-list test permit ip any any

    :ip address outside DMZ.110 255.255.255.240
    :ip address inside LAN.5 255.255.255.0

    :static (inside,outside) LAN_IP.2 DMZ_IP.100 netmask 255.255.255.255 0 0

    static (inside,outside) DMZ_IP.100 LAN_IP.2 netmask 255.255.255.255 0 0


    When you construct a 'static' statement, you have two interfaces
    listed, and then two IPs. The IP that you list first is for the
    *second* interface, and the IP that you list second is for the *first*
    interface. [No, I don't know why they choose that order...]
    --
    "Who Leads?" / "The men who must... driven men, compelled men."
    "Freak men."
    "You're all freaks, sir. But you always have been freaks.
    Life is a freak. That's its hope and glory." -- Alfred Bester, TSMD
     
    Walter Roberson, Jul 15, 2005
    #2
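The operand order Walter describes is easy to get backwards and the PIX will accept the reversed line without complaint. The following checker is an added example written for this thread, not code from either poster or from Cisco. It parses the `ip address` and `static` lines of a PIX 6.x config and, using the rule above (in `static (real_ifc,mapped_ifc) mapped_ip real_ip`, the first address belongs to the second interface), reports a static as `reversed` when each address sits on the *other* interface's subnet and as `suspect` when an address is on neither. The test is a heuristic: a static can legitimately map an address that is not on the interface subnet if routing is arranged for it, so treat `suspect` as a warning. The sample config is constructed with RFC 5737 and RFC 1918 addresses and mirrors the poster's layout, not their real addresses.

```python
"""Heuristic lint for PIX 6.x 'static' NAT lines (added example, not thread code).

Rule checked (per the reply above):
    static (real_ifc,mapped_ifc) mapped_ip real_ip netmask ...
mapped_ip should live on mapped_ifc's subnet, real_ip on real_ifc's subnet.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# 'ip address <nameif> <ip> <mask>'
_IPADDR = re.compile(r"^ip address\s+(\S+)\s+(\S+)\s+(\S+)$")
# 'static (<real_ifc>,<mapped_ifc>) <mapped_ip> <real_ip> [netmask <mask>] ...'
_STATIC = re.compile(
    r"^static\s+\((\S+),(\S+)\)\s+(\S+)\s+(\S+)(?:\s+netmask\s+(\S+))?"
)

# Constructed sample config: same shape as the original post, fake addresses.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.110 255.255.255.240
ip address inside 10.1.1.5 255.255.255.0
static (inside,outside) 10.1.1.2 192.0.2.100 netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.101 10.1.1.4 netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.102 172.16.9.1 netmask 255.255.255.255 0 0
"""


def parse_interfaces(config: str) -> Dict[str, ipaddress.IPv4Network]:
    """Map each nameif label (inside, outside, ...) to its connected subnet."""
    subnets: Dict[str, ipaddress.IPv4Network] = {}
    for line in config.splitlines():
        m = _IPADDR.match(line.strip())
        if m:
            name, ip, mask = m.groups()
            subnets[name] = ipaddress.IPv4Interface(f"{ip}/{mask}").network
    return subnets


def check_statics(config: str) -> List[Tuple[str, str]]:
    """Return (static_line, verdict) for each static line.

    verdict: 'ok'       both addresses on their expected interface subnets
             'reversed' each address is on the *other* interface's subnet
             'suspect'  an address is on neither, or an interface is unknown
    """
    subnets = parse_interfaces(config)
    results: List[Tuple[str, str]] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = _STATIC.match(line)
        if not m:
            continue
        real_ifc, mapped_ifc, mapped_ip, real_ip, _mask = m.groups()
        if real_ifc not in subnets or mapped_ifc not in subnets:
            results.append((line, "suspect"))
            continue
        mapped_net, real_net = subnets[mapped_ifc], subnets[real_ifc]
        mapped_addr = ipaddress.IPv4Address(mapped_ip)
        real_addr = ipaddress.IPv4Address(real_ip)
        if mapped_addr in mapped_net and real_addr in real_net:
            verdict = "ok"
        elif mapped_addr in real_net and real_addr in mapped_net:
            verdict = "reversed"
        else:
            verdict = "suspect"
        results.append((line, verdict))
    return results


def swap_static(line: str) -> str:
    """Rewrite a reversed static by exchanging its two addresses in place."""
    s = line.strip()
    m = _STATIC.match(s)
    if not m:
        raise ValueError(f"not a static line: {line!r}")
    (a0, a1), (b0, b1) = m.span(3), m.span(4)
    return s[:a0] + m.group(4) + s[a1:b0] + m.group(3) + s[b1:]


if __name__ == "__main__":
    for static_line, verdict in check_statics(SAMPLE_CONFIG):
        print(f"{verdict:8s} {static_line}")
        if verdict == "reversed":
            print(f"   fix: {swap_static(static_line)}")
```

Run it against a saved `show run` and look at every line that is not `ok`; the `reversed` lines are the ones that would have produced the original poster's symptom (ACL hit counters climbing while no translation ever matches).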

  3. Guest

    Thanks for your reply and that was it. I was also unable to ping
    anything on my LAN but I added a static map for all of those addresses
    which took care of that.
     
    , Jul 15, 2005
    #3
