
Connectivity problem w. DMZ interface

Status
Not open for further replies.

psavin (Technical User, US)
Dec 6, 2005
I'm setting up my first DMZ on my PIX 515E, and I can't seem to get the IP routing working. The DMZ interface IP address is x.39.9.129 255.255.255.128, and I'm not using NAT on any of the interfaces (static translations of all routable IPs).

When I try to ping any of the other interfaces from the DMZ interface I get no reply. I can connect a computer directly to the DMZ interface with a crossover cable and ping it, but obviously still can't get to any other interfaces. I guess I have a missing route causing the trouble, but can't seem to figure it out! Here are the relevant (I think) configs:

cygnus(config)# sh ip
System IP Addresses:
ip address outside 192.64.1.122 255.255.255.0
ip address inside 134.39.9.2 255.255.255.0
ip address dmz 168.156.9.129 255.255.255.128

cygnus(config)# sh route
outside 0.0.0.0 0.0.0.0 x.x.1.121 1 OTHER static
inside x.39.9.0 255.255.255.0 x.39.9.2 1 CONNECT static
dmz x.156.9.128 255.255.255.128 x.156.9.129 1 CONNECT static
outside x.64.1.0 255.255.255.0 x.64.1.122 1 CONNECT static

cygnus(config)# sh static
static (inside,outside) x.39.9.0 x.39.9.0 netmask 255.255.255.0 0 0 norandomseq
static (dmz,outside) x.156.9.128 x.156.9.128 netmask 255.255.255.128 0 0

What am I missing? Thanks!
 
Probably an access list problem. Check what access groups are in use with 'show access-group'. You may need to apply the specific access lists these groups call upon to get ICMP to flow properly through the interfaces required.

If you're not sure, paste a copy of your PIX config on here, specifically the bits that show the access groups and access lists.
 
Thanks for the reply. The only acl that applies to the DMZ is the one I put in for ping testing (and of course the implicit allow any outbound traffic):

access-list ping_acl permit icmp any any
access-group ping_acl in interface dmz

I did some more fiddling and realized that I can access hosts on the inside interface from the computer connected to the DMZ interface. But I can't get to the internet, there seems to be no route through the outside interface?

I have tons of acls bound to the outside interface for access to various hosts on the inside, but none that would apply to x.156.9.128/26 (the DMZ), and none that explicitly deny any traffic anywhere.
 
Your routing on the outside seems to be in place as you have a route (outside 0.0.0.0 0.0.0.0 x.x.1.121 1 OTHER static) that points to presumably your router on x.x.1.121.

With the ACL you've defined for the DMZ and the implicit allow any rule for inside hosts, I'd expect that DMZ and inside hosts should be able to ping one another.

If you want either DMZ or inside hosts to ping outside/internet hosts, you'll need to ensure there is an entry in the access list on the outside that permits icmp any any eq echo reply

This allows ping replies back in through the PIX that were generated from the DMZ or inside interfaces.
 
That's what I would have thought, except that it's not working. I cannot ping any of the interfaces from the DMZ, nor can I ping the DMZ interface.

Could it be a configuration problem with the router at x.x.1.121 (which I don't have direct access to)? Maybe it won't route x.156.9.128/26?

Is there anything else I should be looking for?
 
You can only ping a PIX interface on the side you're pinging from, i.e. if you're on the inside you can ping the inside interface but you can't ping the other interfaces. A better test is to ping devices (assuming the access list permits it) attached to the PIX.

It could be an issue with the router attached to the outside interface as you say. It will definitely need a route for your DMZ range for devices on that network to be accessible.
 
I believe you have to NAT those dmz addresses to themselves on the outside interface to get them through the firewall. At least, I have to on ours.
 
I have a nat (dmz) 0 0 0 statement. Is this what you mean?
 
No, I have always had to add the following for the 1 to 1 relationship, in addition to the nat (dmz) 0 0 0 statement.

static (dmz,outside) x.y.z.w x.y.z.w netmask 255.255.255.255 0 0

I noticed you were using a different netmask in your static NAT.

Also, can you connect with something other than ping? I have a terrible time with ping.
 
I think your second static nat statement is not required? It appears to do the same 1 to 1 translation that the "nat (dmz) 0 0 0" statement does, but just on the single host (because of the 255.255.255.255 netmask).

Using the 0.0.0.0 0.0.0.0 IP and netmask with the nat statement just tells the pix to do a 1 to 1 translation on all addresses, you shouldn't have to get more specific than that.

In any case, I did figure out the problem - it was actually working fine, but I had failed to open up ACLs to my DNS server on the inside, so couldn't do any lookups to access outside hosts. Still can't ping anything, but after opening up DNS to the inside interface I can get to the outside world. :)
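A small config checker, added here as an example and not taken from the thread, that runs the three checks the replies converge on over a PIX-style config fragment: an identity static for the DMZ block, an echo-reply permit on the outside ACL, and (the actual fix) a DNS permit on the ACL bound to the dmz interface. The config text, the interface names and the resolver address 198.51.100.10 are constructed, not the poster's.

```python
import ipaddress
import re
# Constructed PIX-style fragment shaped like the thread's config (documentation
# addresses, not the poster's); the dmz ACL permits ICMP only, as in the thread.
SAMPLE_CONFIG = """
nat (dmz) 0 0 0
static (inside,outside) 198.51.100.0 198.51.100.0 netmask 255.255.255.0 0 0
static (dmz,outside) 203.0.113.128 203.0.113.128 netmask 255.255.255.128 0 0
access-list ping_acl permit icmp any any
access-list outside_acl permit icmp any any echo-reply
access-group ping_acl in interface dmz
access-group outside_acl in interface outside
"""
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")

def parse(config):
    """Collect static translations, ACL entries by name, and ACL-to-interface bindings."""
    statics, acls, groups = [], {}, {}
    for line in config.splitlines():
        if m := STATIC_RE.match(line.strip()):
            statics.append(m.groups())
        elif m := ACL_RE.match(line.strip()):
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
        elif m := GROUP_RE.match(line.strip()):
            groups[m.group(2)] = m.group(1)
    return statics, acls, groups

def bound_permits(acls, groups, iface, proto, needle):
    """True/False per the ACL bound to iface; None when no ACL is applied there."""
    if iface not in groups:
        return None
    return any(action == "permit" and p == proto and needle in rest
               for action, p, rest in acls.get(groups[iface], []))

def audit_dmz(config, dmz_net, dns_server):
    statics, acls, groups = parse(config)
    net = ipaddress.ip_network(dmz_net)
    # 1. DMZ block translated to itself towards outside (the thread's identity static).
    identity = any(src == "dmz" and dst == "outside" and real == mapped and
                   net.subnet_of(ipaddress.ip_network(f"{real}/{mask}", strict=False))
                   for src, dst, real, mapped, mask in statics)
    # 2. Echo replies allowed back in on the outside ACL, as advised in the thread.
    echo = bound_permits(acls, groups, "outside", "icmp", "echo-reply")
    # 3. An ACL bound on dmz ends the implicit outbound permit, so DNS must be listed.
    dns = bound_permits(acls, groups, "dmz", "udp", f"host {dns_server} eq domain")
    return {"identity_static": identity, "outside_echo_reply": bool(echo),
            "dmz_dns": True if dns is None else dns}
```

Running audit_dmz on SAMPLE_CONFIG reports the DMZ static and echo-reply permit as present but dmz_dns as False, which is the state the thread ended up diagnosing.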
 
psavin,
Great! Glad you got it solved.
I just know what works on my box.
 