Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Why I have to ping from inside to outside first ?

Status
Not open for further replies.
Adr3nalin

Adr3nalin

MIS
Joined
Aug 4, 2002
Messages
57
Location
NZ
Why I have to ping from inside server to the dmz first before the dmz server could ping to the inside server ?

i need to do it for every servers reside in inside.

but from the pix console, i could ping to the inside everytime the PIX is initialize
i have this problem everytime i reboot the PIX.
thanks for your help.
 
Sort by date Sort by votes
What's happening is the arp broadcast is not getting to the inside network. If you ping from the inside out (to DMZ), the PIX can put the MAC address to IP mapping in it's arp table. The PIX is then passing the ping. When you reboot, the arp table gets cleared, and you have to start over.

But you asked, "Why?". I'd have to see your config to comment more, and right now I'm not in my lab where I could confirm my ideas...perhaps Yizhar???

-gbiello
 
Upvote 0 Downvote
Thanks for your answer,

quite interesting thinking,
why pix do not store the server's MAC in its ARP table,
when the inside server responds the ping from the pix console ?

if i have to ping all inside servers, to dmz to make it works. beside there are some virtual ip address, frm SQL
right now i have the internal virtual ip address from SQL Cluster, and i don't know how to make this virtual device could ping to the PIX box... :p quite complicate, isn't it ?

i use nat 0 and access list, to make the inside ip address accessible from dmz, the access-list is allow all icmp type from dmz to inside.


please find the following config:
...

mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside pix1out-ext 255.255.255.0
ip address inside pix1ins-int 255.255.255.0
ip address dmz pix1dmz-int 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 share-dmz 255.255.255.0 0 0
nat (inside) 0 inside1-net 255.255.255.0 0 0
nat (inside) 0 inside2-net 255.255.255.0 0 0

access-group acl-out in interface outside
access-group acl-dmz in interface dmz

route outside 0.0.0.0 0.0.0.0 dtfirewall-ext 1
route inside 10.0.0.0 255.255.255.0 dtatm-int 1
route inside share-dmz 255.255.255.0 172.24.220.126 1
route inside inside2-net 255.255.255.0 dtatm-int 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
1K
Sameer258
Sameer258
Miluis
  • Locked
  • Question Question
How necessary is an antivirus?
Replies
3
Views
597
Rick998
Rick998
Sparrow4
  • Locked
  • Question Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
1K
Johnkite
Johnkite
Tommy_T
  • Locked
  • Question Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
973
nnaarrnn
nnaarrnn
XLNTech1
  • Locked
  • Question Question
iptables port forwarding
Replies
0
Views
844
XLNTech1
XLNTech1

Part and Inventory Search

Sponsor

Back
Top