Well, I will take it that you didn't include the "ip address x.x.x.x 
x.x.x.x" commands for convenience.

I was looking for the NAT commands.  They look okay.  I can't identify one 
problem with this although I have to admit that last year I had the same 
problem. 
Your global perimeter and nat perimeter ip ranges are a bit strange.  Why 
do you give one a range yet the other no range and they might possibly 
overlap? 
Try eliminating the Conduit commands.  I assume that you are in a testing 
phase and are pinging from 192.168.11.x to  66.x.x.x.  Again, this 
shouldn't affect anything because you are able to browse and therefore you 
should be able to access the DMZ just the same way as the outside 
interface.

You don't have anything here to permit traffic originating from the DMZ 
to access your Internal LAN. 

Keep on going, I got to go to Starbucks for a while.

Theo






"Guruprasad Sanjeevi" 
10/15/2002 02:34 PM

 
        To:     "'Theodore Stout'" 
        cc:     
        Subject:        RE: With PIX unable to reach DMZ from LAN [7:55608]


Hi Theo, and all,
I am giving the configuration.
 
global (outside) 1 66.x.x.x - 66.x.x.x netmask 255.255.255.224
global (perimeter) 1 192.168.23.10-192.168.23.20
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
nat (perimeter) 1 192.168.23.0 255.255.255.0 0 0
static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
static (inside, perimeter) 192.168.23.0 192.168.11.0 netmask 255.255.255.0 0 0
If I am not wrong, this command enables the communication between 
LAN and DMZ, but here it fails?
conduit permit tcp host 66.x.x.x eq x any
conduit permit icmp host 192.168.11.x any
conduit permit tcp host 66.x.x.x eq x any
conduit permit tcp host 66.x.x.x eq sqlnet any
route outside 0.0.0.0 0.0.0.0 66.x.x.x 1
I
 
What is that companion command? Please help.
 
 
Regards
Guruprasad
 
-----Original Message-----
From: Theodore Stout [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, October 15, 2002 10:21 AM
To: Guruprasad Sanjeevi
Subject: Re: With PIX unable to reach DMZ from LAN [7:55608]
 
You will need to explicitly grant permission for the DMZ to communicate 
to the Internal since lower security interfaces are automatically blocked 
from higher ones.
 
Can you access from the Outside?  Try it and see.
Can you print out the config without the real IPs?  You need to have a 
companion command to the Static command and I would like to see if you 
have it.
 
Cheers,
 
Theo

"Guruprasad Sanjeevi" 
Sent by: [EMAIL PROTECTED]
10/15/2002 03:29 AM GMT
Please respond to "Guruprasad Sanjeevi"

To: [EMAIL PROTECTED]
cc: 
bcc: 
Subject: With PIX unable to reach DMZ from LAN [7:55608]

Hi group,

I am trying to configure PIX. It has 3 Ethernet interfaces and three
networks are used.

LAN (inside): 192.168.11.0
DMZ (perimeter): 192.168.23.0
Outside: 66.x.x.x

Problem: users from Inside and Perimeter network are able to browse, but
the inside and Perimeter network cannot talk to each other. I have given
the static command like this

Static(inside, perimeter) 192.168.23.0 192.168.11.0 0 0

What other command is required on the PIX to enable communication from
INSIDE network to DMZ(perimeter) and vice-versa.

Please help....

Thanks
Guruprasad
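
The point raised in the thread, that a static only creates the translation and traffic from a lower-security interface still needs an explicit permit, shown as an added PIX 6.x configuration sketch (not from any poster in this thread). Assumptions: inside has a higher security level than perimeter, the host addresses 192.168.23.5 and 192.168.11.10 and the ACL name acl_perimeter are constructed, and lines beginning with `!` are annotations, not commands to type.

```text
! Translation: present the inside network on the perimeter with its own
! addresses (identity static), so DMZ hosts address inside hosts directly.
static (inside,perimeter) 192.168.11.0 192.168.11.0 netmask 255.255.255.0 0 0

! Permit: one DMZ host to one inside host on one service only.
access-list acl_perimeter permit tcp host 192.168.23.5 host 192.168.11.10 eq sqlnet

! Block every other DMZ-to-inside flow explicitly.
access-list acl_perimeter deny ip 192.168.23.0 255.255.255.0 192.168.11.0 255.255.255.0

! Keep DMZ-to-outside traffic (browsing) working: once an ACL is bound to
! the interface, anything not permitted in it is dropped by the implicit deny.
access-list acl_perimeter permit ip 192.168.23.0 255.255.255.0 any

! Bind the ACL to traffic entering the perimeter interface.
access-group acl_perimeter in interface perimeter
```

PIX access-lists take subnet masks, not IOS-style wildcard masks, and entry order matters because the first match wins.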
