DMZ Issue: Pings from internal network, nothing from external.

[jcanuk]

Hopefully someone can help with this issue.. It has been nagging on me a while now.

Network setup is
10.2.2.0/24 (DMZ)
Internal |
10.1.1.0/24 ----------PIX------Internet

I am trying to set up a simple static translation from 10.2.2.2 to an external address, 1.2.3.99

Here are the essential parts of my config file on 6.2(2)

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

# Access list statements are for a site to site vpn and client vpn as well..
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.7.0 255.255.255.0
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.3.1.0 255.255.255.0
access-list nonat permit ip host 1.2.3.98 10.3.1.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.3.1.0 255.255.255.0
access-list vpn_in permit ip 10.1.0.0 255.255.0.0 10.3.1.0 255.255.255.0
access-list outside_cryptomap_dyn_25 permit ip any 10.3.1.0 255.255.255.0

pager lines 24

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
ip address outside 1.2.3.98 255.255.255.240
ip address inside 10.1.1.10 255.255.255.0
ip address dmz 10.2.2.1 255.255.255.0
arp timeout 14400

global (outside) 1 interface
global (dmz) 1 10.2.2.30-10.2.2.254 netmask 255.255.255.0

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 10.2.2.0 255.255.255.0 0 0

static (dmz,outside) 1.2.3.99 10.2.2.2 netmask 255.255.255.255 0 0

conduit permit icmp host 1.2.3.99 any
conduit permit tcp host 1.2.3.99 eq

http://www any

-------------

Tests I have performed, and results.

Ping of 10.2.2.2 from internal (10.1.1.0/24) host = successful
ping of 1.2.3.99 from internet = failed

debug packet dmz shows that the translation is being properly performed, as I get packets showing up at the dmz interface destined for 10.2.2.2 from the internet host... problem is I never receive packets from the 10.2.2.2 host returning to sender...

I have cleared the arp tables... etc... not really sure at this point any help is appreciated

 

[bwilliam13]

Couple problems with your config.

1. You're using access lists and conduits in the same config. Big no-no. Not saying it shouldn't work, but there's also no reason why it should. You're just lucky I guess.

2. You have to explicitly enable ICMP on every interface in question. In other words, you not only need to allow ICMP on your public IP address, but you also need to allow ICMP access on the internal or DMZ IP address it is being translated to.

Specifically:

conduit permit icmp host 10.2.2.2 any

By default, all services are disabled. You have to explicity enable them on every applicable interface.

 

[jcanuk]

Thanks Bwilliam,

Actually I am insane, it turned out to be a problem on the TCP/IP stack of the novell server that was out there... replaced it with a Wxp box for testing and everything worked perfectly.

Thanks for the advice.