can't ping from DMZ to Inside

[wisper]

I can't ping from my DMZ to my Inside Computers. I can ping my DMZ computers from the inside though. Here is a copy of my config. Someone please help.

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password WIWDR7hWs0b/LYxW encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol domain 53
names
access-list dmz permit ip any any
pager lines 24
pager lines 24
logging on
logging host inside 10.1.0.7
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside ccc.ccc.ccc.2 255.255.255.0
ip address inside bbb.bbb.bbb.1 255.255.255.0
ip address dmz aaa.aaa.aaa.17 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 ccc.ccc.ccc.12-ccc.ccc.ccc.254
global (dmz) 1 aaa.aaa.aaa.17-aaa.aaa.aaa.30 netmask 255.255.255.240

nat (inside) 1 bbb.bbb.bbb.0 255.255.255.0 0 0
nat (dmz) 1 aaa.aaa.aaa.0 255.255.255.0 0 0

static (dmz,outside) ccc.ccc.ccc.11 bbb.bbb.bbb.20 netmask 255.255.255.255 0 0

static (dmz,outside) ccc.ccc.ccc.5 bbb.bbb.bbb.19 netmask 255.255.255.255 0 0

static (inside,outside) ccc.ccc.ccc.3 bbb.bbb.bbb.3 netmask 255.255.255.255 0 0

static (inside,dmz) bbb.bbb.bbb.0 bbb.bbb.bbb.0 netmask 255.255.255.255 0 0

access-group dmz in interface dmz
access-group dmz in interface outside
conduit permit tcp host ccc.ccc.ccc.5 eq smtp any
route outside 0.0.0.0 0.0.0.0 ccc.ccc.ccc.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
crypto map mymap 30 ipsec-isakmp
telnet timeout 5
ssh timeout 5
terminal width 80

Thanks Chris

 

[yizhar]

HI.

It is good and by design that the DMZ servers cannot ping the internal hosts.
It is the same idea that prevents outside hosts from pinging protected hosts in DMZ or inside.

> access-list dmz permit ip any any
> access-group dmz in interface dmz
> access-group dmz in interface outside
This is just for the test, right?

> static (inside,dmz) bbb.bbb.bbb.0 bbb.bbb.bbb.0 netmask 255.255.255.255
If you want this to work, you'll need to use a subnet mask of 255.255.255.0 .
Another way is to use "nat (inside) 0 access-list ...",
but the best way is not to allow DMZ hosts to access the internal network, or at least minimize that access using only static for internal servers that you need access to (from dmz to inside), and only open the ports that you realy need (like SQL).

Remember the basic idea of DMZ which means that hosts in DMZ cannot initiate connection to the internal network.
I know that it is not always that way, but people sometimes tend to forget the purpose of these additional interfaces.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar