Cannot ping server in DMZ from inside

Discussion in 'Cisco' started by Ivana, Apr 12, 2005.

  1. Ivana

    Ivana Guest

    I have a PIX 515E, 6.3(4), with three interfaces: dmz, inside and outside.

    I cannot ping the server in the dmz from inside, but I can do www, for example. I
    cannot find the cause of this problem; I would appreciate it if anyone can
    help me.

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security4
    ---
    access-list inside_access_in permit tcp any host 173.17.2.2 eq www
    access-list inside_access_in permit icmp host 10.10.10.10 host 173.17.2.2
    access-list dmz_access_in permit icmp host 173.17.2.2 host 10.10.10.10
    access-list nonatdmz permit ip any 173.17.2.0 255.255.255.0
    access-list nonatoutside permit ip 173.17.2.0 255.255.255.0 any
    ---
    ip address outside 192.168.0.1 255.255.255.0
    ip address inside 10.10.10.4 255.255.0.0
    ip address dmz 173.17.2.1 255.255.255.0
    ---
    global (outside) 1 192.168.0.100
    global (outside) 2 192.168.1.100
    nat (inside) 0 access-list nonatdmz
    nat (dmz) 0 access-list nonatoutside
    nat (inside) 2 10.10.10.10 255.255.255.255 0 0
    ---
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    access-group dmz_access_in in interface dmz

    What am I missing?

    Thanks in advance,
    Ivana
     
    Ivana, Apr 12, 2005
    #1

  2. Ivana

    Brian Guest

    Try adding the following lines:
    static (inside,dmz) 10.10.10.10 10.10.10.10 netmask 255.255.255.255 0 0
    static (dmz,inside) 173.17.2.2 173.17.2.2 netmask 255.255.255.255 0 0

    Obviously, if you want other devices to be able to communicate across
    these security contexts, you will need to make these lines a bit less
    restrictive.
     
    Brian, Apr 12, 2005
    #2

  3. Ivana

    Ivana Guest

    Not helping. I tried adding a line for ping from the outside interface to the dmz and
    it works. Only ping from inside to dmz does not work, but the logic of the
    configuration is the same. I don't understand; could it be a bug in
    the software?
     
    Ivana, Apr 13, 2005
    #3
  5. Ivana

    AM Guest

    Hi Ivana,

    Avoid top quoting if possible.
    Anyway, can you access the syslog messages? What do they tell you when you try to ping the server?

    Alex.
     
    AM, Apr 13, 2005
    #5