Static Map from DMZ don't work

[netchaser]

Hi,

I am having problem Static Mapping from my DMZ to another network. It seems to work from DMZ to the Inside. Here's my code...

Problem : trying to map 10.4.10.1 (10.4.10.x network) from DMZ (192.168.9.x network) via static map with no NAT

------------Interface level--------
nameif ethernet2 other security10
nameif ethernet3 dmz security5
----------------------------------

------------IP-----------------
ip address other 10.4.10.3 255.255.255.0
ip address dmz 192.168.9.1 255.255.255.0
-------------------------------------------

------------Route----------------
route other 10.0.0.0 255.0.0.0 10.4.10.1 1
------------------------------------

------------Access List ------------
access-list 188 permit icmp any any
access-list 200 permit icmp any any

------------Bound to----------------
access-group 200 in interface other
access-group 188 in interface dmz
------------------------------------

------------Static Map--------------
static (other,dmz) 10.4.10.1 10.4.10.1 netmask 255.255.255.255 0 0
-------------------------------------

 

[kmills]

netchaser,

In your Static Map statement, you have mapped 10.4.10.1 to itself.

Try mapping
static (other,dmz) 10.4.10.1 192.168.9.1 netmask 255.255.255.255 0 0

kmills

 

[netchaser]

Hey kmills,

if I map 10.4.10.1 to itself it should be accessible from the 192.168.9.x network.

But anyways, I've tried mapping it to 192.168.9.1 as well but it's still no go...

Thanks!

 

[kmills]

So, you want your users on the inside to type in 10.4.10.1 which will take them to 192.168.9.1?

 

[netchaser]

Actually, I want the users in teh 192.168.9.x to access a box in the 10.4.10.x.

192.168.9.x is NOT the inside network. It's the DMZ.

10.4.10.x is NOT the inside or outside. It's another interface on the Pix.

Security levels are
192.168.9.x is 5
10.4.10.x is 10

So bascially I want to static map from 192.168.9.x to 10.4.10.x but it doesn't work. I can static map successfully from 192.168.9.x to my inside network with no problem.

Thanks,

 

[Supergrrover]

Post your whole config (minus passwords and mask the middle 2 octets of public IPs.)


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[netchaser]

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 other security10
nameif ethernet3 dmz security5
access-list 80 permit ip 192.168.128.0 255.255.255.0 192.168.128.0 255.255.255.0
access-list 108 permit icmp any any
access-list 200 permit icmp any any
access-list 188 permit icmp any any
access-list 188 permit tcp any any
access-list 188 permit udp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu other 1500
mtu dmz 1500
ip address outside x.x.x.x 255.255.255.0
ip address inside 192.168.128.1 255.255.255.0
ip address other 10.4.10.3 255.255.255.0
ip address dmz 192.168.9.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (other) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,dmz) 192.168.128.5 192.168.128.5 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.128.7 192.168.128.7 netmask 255.255.255.255 0 0
static (other,dmz) 10.4.9.1 10.4.9.1 netmask 255.255.255.255 0 0 (THIS DOESN'T WORK, dunno why)

access-group 108 in interface outside
access-group 200 in interface other
access-group 188 in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route other 10.0.0.0 255.0.0.0 10.4.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

----The rest are just VPN info----------

Thanks,

 

[Supergrrover]

You are only allowing ICMP into the "other" interface. Is that just what you are testing or are you using actual traffic?

This line also might be interfering
route other 10.0.0.0 255.0.0.0 10.4.10.1 1


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[netchaser]

Yes, just for test "pinging" for the icmp.

The strange thing is, 10.4.10.1 is physcially connected to the 10.4.10.3 interface.

Thanks,

 

[Supergrrover]

What kind of cable, cross-over or straight through?


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[netchaser]

just via net cable (not serial).

I can go from the Inside interface Via NAT but I can't really get to it from the DMZ via static Map

 

[netchaser]

I have taken out the

route other 10.0.0.0 255.0.0.0 10.4.10.1 1

but still no go.

Kind of a strange problem.

 

[liumen]

you can change "static (other,dmz) 10.4.9.1 10.4.9.1 netmask 255.255.255.255 0 0 " to "static (dmz,other) 10.4.9.1 10.4.9.1 netmask 255.255.255.255 0 0

 

[netchaser]

Hello Liumen,

I think the static map statement goes by the syntax...

Static ( Real Interface, Mapped Interface ) Mapped_IP Real_IP Real_IP_Netmask Max_connection Connection_limt

so if I want to go from DMZ to Other it will be

static (other, dmz) 10.4.10.1 10.4.10.1 netmask 255.255.255.255 0 0

Thanks,