
traffic not passing between DMZ interfaces


brea

IS-IT--Management
Nov 15, 2002
86
US
I'm having a problem getting syslog traffic to pass between two DMZ interfaces on a PIX. Here are the details.

DMZ1
security 6
inbound ACL (traffic1) applied
Nat (global) 1 interface applied
nat (dmz1) 1 10.10.10.1 255.255.255.0 0 200 applied

DMZ2
security 8
inbound ACL (traffic2) applied
nat (dmz2) 1 10.10.20.1 255.255.255.0 0 200 applied

Host 1 - syslog collector (accepts all syslog messages)
IP - 10.10.20.24

Host 2 - router -
IP - 10.10.10.25
configured to send syslog to 10.10.20.24

traffic 1 acl (as logs are created the hit count on this ACL goes up)
access-list traffic1 permit udp host 10.10.10.25 host 10.10.20.24 eq 541

I never see the traffic on the syslog collector. When I run a packet debug I can see the traffic enter dmz1 but never leave on dmz2.

- routing is not the problem as it is all connected routes.
 
First, make sure your ACL doesn't really say "eq 541".

Second, the hosts on DMZ1 can't see hosts on DMZ2 without nat. Try adding "static (DMZ2,DMZ1) 10.10.20.24 10.10.20.24 netmask 255.255.255.255"

 
541 was a typo on my part and I am working on trying to get the static to work.

It seems like it's not.
 
That doesn't work.
 
Try "show xlate" and see what's given for 10.10.20.24. Try to establish a connection, like telnet, from 10.10.20.24 to 10.10.10.25 and see a) if you can and b) what show xlate looks like.

You could also permit icmp from the router to the syslog host and run "debug icmp packet" (something like that; check the syntax for debug). Then ping from the router to the syslogger and watch the debug. Sometimes that gives hints.

If the NAT is set up and the ACL permits traffic, it certainly should work.
 
Here's the actual config I have in place.

nameif ethernet2 dmz1 security6
nameif ethernet3 dmz2 security8
global (dmz1) 1 interface
nat (dmz1) 1 192.168.161.0 255.255.255.0 0 200
nat (dmz2) 1 192.168.162.0 255.255.255.0 0 200
static (dmz2,dmz1) 192.168.162.24 192.168.162.24 netmask 255.255.255.255 0 0
access-group dmz1_acl in interface dmz1
access-group dmz1_acl in interface dmz2
access-list dmz1_acl permit udp host 192.168.161.25 host 192.168.162.24 eq syslog
access-list dmz1_acl permit udp host 192.168.161.26 host 192.168.162.24 eq syslog
access-list dmz1_acl permit udp host 192.168.161.27 host 192.168.162.24 eq syslog

 
Once I set up a nat 0 command with an access-list to ignore the traffic on the source DMZ, it worked fine with the command you mentioned.
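Why the static on its own did not help, and why the nat 0 exemption finished the job, can be modelled in a few lines. The following is an added example written for this page, not code from the thread or from Cisco: a simplified Python model of the checks a PIX 6.x runs on a flow from a lower- to a higher-security interface (inbound ACL on the ingress interface, a static making the higher-security destination visible, and a translation for the source under nat-control). The config strings are constructed from the lines posted above, trimmed to one syslog source; the ACL name nonat, and the reading that the posted nat (dmz1) 1 with no matching global (dmz2) 1 fails with "no translation group found" until nat 0 exempts the flow, are the editor's assumptions about PIX 6.x behaviour, not something the thread states.

```python
import ipaddress

# Added example, not from the thread or Cisco: a simplified model of how PIX 6.x
# decides whether a flow from a lower- to a higher-security interface passes.
# Assumed semantics (nat-control era): the ingress interface's inbound ACL must
# permit the flow; the higher-security destination needs a static visible on the
# ingress interface; a source matched by "nat (ifc) N" needs "global (egress) N"
# unless a "nat (ifc) 0 access-list" entry exempts it.
PORT_NAMES = {"syslog": 514}   # only the names the sample config uses


def _addr(t, i):
    """Parse an ACL address spec at t[i] ('host X', 'any', or 'NET MASK')."""
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


class Pix:
    def __init__(self, config):
        self.security = {}    # interface -> security level
        self.nats = []        # (interface, id, network) for nat id != 0
        self.nat0 = {}        # interface -> exemption ACL name
        self.globals = set()  # (interface, id)
        self.statics = []     # (real_if, mapped_if, real_network)
        self.acls = {}        # name -> [(src_net, dst_net, port or None)]
        self.bound = {}       # interface -> inbound ACL name
        for line in config.splitlines():
            if line.strip():
                self._parse(line.split())

    def _parse(self, t):
        if t[0] == "nameif":
            self.security[t[2]] = int(t[3].replace("security", ""))
        elif t[0] == "global":
            self.globals.add((t[1].strip("()"), int(t[2])))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            self.nat0[t[1].strip("()")] = t[4]
        elif t[0] == "nat":
            net = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
            self.nats.append((t[1].strip("()"), int(t[2]), net))
        elif t[0] == "static":   # static (real_if,mapped_if) mapped_ip real_ip netmask MASK
            real_if, mapped_if = t[1].strip("()").split(",")
            real = ipaddress.ip_network(f"{t[3]}/{t[5]}", strict=False)
            self.statics.append((real_if, mapped_if, real))
        elif t[0] == "access-group":
            self.bound[t[4]] = t[1]
        elif t[0] == "access-list" and t[2] == "permit":
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            port = None
            if i < len(t) and t[i] == "eq":
                port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            self.acls.setdefault(t[1], []).append((src, dst, port))

    def _permits(self, acl, src, dst, port):
        return any(src in s and dst in d and p in (None, port)
                   for s, d, p in self.acls.get(acl, []))

    def evaluate(self, src_if, src_ip, dst_if, dst_ip, port):
        """Return (allowed, reason) for one flow through the box."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        acl = self.bound.get(src_if)
        if acl is None or not self._permits(acl, src, dst, port):
            return False, f"inbound ACL on {src_if} does not permit the flow"
        if self.security[dst_if] > self.security[src_if] and not any(
                r == dst_if and m == src_if and dst in net
                for r, m, net in self.statics):
            return False, f"no static ({dst_if},{src_if}) for {dst}"
        exempt = src_if in self.nat0 and self._permits(self.nat0[src_if], src, dst, None)
        ids = [n for ifc, n, net in self.nats if ifc == src_if and src in net]
        if ids and not exempt and not any((dst_if, n) in self.globals for n in ids):
            return False, f"no translation group found for {src} from {src_if} to {dst_if}"
        return True, "permitted"


# Constructed from the config posted in the thread, minus the static line.
POSTED = """
nameif ethernet2 dmz1 security6
nameif ethernet3 dmz2 security8
global (dmz1) 1 interface
nat (dmz1) 1 192.168.161.0 255.255.255.0 0 200
nat (dmz2) 1 192.168.162.0 255.255.255.0 0 200
access-group dmz1_acl in interface dmz1
access-list dmz1_acl permit udp host 192.168.161.25 host 192.168.162.24 eq syslog
"""
STATIC = "static (dmz2,dmz1) 192.168.162.24 192.168.162.24 netmask 255.255.255.255 0 0"
# The nat 0 exemption the thread ends with; the ACL name "nonat" is assumed.
NAT0 = """
access-list nonat permit ip 192.168.161.0 255.255.255.0 host 192.168.162.24
nat (dmz1) 0 access-list nonat
"""
SYSLOG_FLOW = ("dmz1", "192.168.161.25", "dmz2", "192.168.162.24", 514)


def check(config):
    """Evaluate the router-to-collector syslog flow against a config."""
    return Pix(config).evaluate(*SYSLOG_FLOW)


if __name__ == "__main__":
    for label, cfg in [("posted", POSTED), ("typo eq 541", POSTED.replace("eq syslog", "eq 541")),
                       ("with static", POSTED + STATIC), ("static + nat 0", POSTED + STATIC + NAT0)]:
        print(f"{label:16} {check(cfg)}")
```

Run as a script it prints one verdict per configuration: the posted config stops at the missing static, the "eq 541" typo stops at the ACL, the static alone stops at the source translation (nat (dmz1) 1 has no global on dmz2), and static plus nat 0 is permitted. The model only covers what this thread exercises; it has no notion of established connections, xlate timeouts, or the default permit from higher to lower security.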
 