Okay guys, I am really hoping I am just forgetting something really basic, but this is killing me.
I have a PIX 515 behind a 7206 that is at our IDC in Dallas.
Behind my internet PIX, off the inside interface, is another PIX. The two are VPN'd. There is no issue with this part of the config; I just mention it so you will know where my sec100 (inside) interface is pointed.
Hanging off the dmz(50) interface of the outside PIX is a switch and a pair of servers.
(80, 443, ICMP permitted from DMZ out)
Their IPs are 10.30.11.2 and 10.30.11.3.
Their gateway is the DMZ interface, .1 in this /24.
These 10-net addresses are statically translated to public IPs on the outside.
There is no problem with connectivity in to the web services on these servers.
Now, I have added another DMZ called "Carroll" to this PIX. It is a sec25 interface and has an IP of 10.30.250.1/30.
There is a 1701 attached to this via Ethernet, and it has an IP of 10.30.250.2/30.
Here is where my issue lies. I have 2 WAN sites that I can reach from this P2P circuit. I can reach a remote 10.10.10.1 site and I can reach a remote 10.20.60.1 site. Those sites can also reach this 1701.
From the console on the 1701 I can reach the servers on the DMZ(50).
The servers on the DMZ(50) cannot ping out to the 1701.
Doing a debug of ICMP trace shows my pings from the remote 10.x.x.x sites hitting the Carroll interface but not making it back out to the remote site. I have route maps on the 2nd hop out allowing only 10.10.10.x and 10.10.11.x traffic into the 1701 as a next hop. The 1701's DGW is the remote serial link; it has statics in place to route anything destined for 10.30.11.x into the PIX.
Any ideas?
Could the PIX be trying to translate the reply packets back to 10.10.11.x since there is a static in place?
When I do a debug packet Carrol dst 10.30.11.2 I get:
10.10.11.x===>10.30.11.2===>"my public ip trans."
-----------------------config info------
sh ip
ip address outside x.x.x.x x.x.x.x
ip address inside 10.30.70.1 255.255.255.0
ip address dmz 10.30.11.1 255.255.255.0
ip address alteon 10.30.200.1 255.255.255.0
ip address intf4 127.0.0.1 255.255.255.255
ip address Carrollton 10.30.250.1 255.255.255.252
sh route
outside 0.0.0.0 0.0.0.0 x.x.x.x
Carrol 10.10.11.0 255.255.255.0 10.30.250.1
dmz 10.30.11.0 255.255.255.0 10.30.11.1
inside 10.30.50.0 255.255.255.0 10.30.70.2
inside 10.30.60.0 255.255.255.0 10.30.70.2
inside 10.30.70.0 255.255.255.0 10.30.70.1
alteon 10.30.200.0 255.255.255.0 10.30.200.1
Carrol 10.30.250.0 255.255.255.252 10.30.250.1
sh static
static (inside,outside) x.x.x.x 10.30.50.2
static (dmz,outside) x.x.x.x 10.30.11.3
static (alteon,outside) x.x.x.x 10.30.200.2
static (inside,alteon) 10.30.50.0 10.30.50.0
static (inside,alteon) 10.30.60.0 10.30.60.0
static (dmz,Carrollton) 10.30.11.0 10.30.11.0
static (dmz,outside) x.x.x.x 10.30.11.2
Any help is appreciated.
RJ45100BT
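As an added example (not from the original post), here is a small Python route-table checker transcribed from the sh ip / sh route output above: it does a longest-prefix-match lookup to show which interface the PIX would pick for a given destination, such as the reply path from the DMZ servers back to the remote 10.x sites, and flags any route to a non-connected network whose next hop is one of the PIX's own interface addresses, since a next hop is normally a neighbouring router on that subnet. It assumes the PIX chooses the most specific matching route, that Carrol and Carrollton name the same interface, and it leaves the masked x.x.x.x outside entries as unknown.

```python
import ipaddress

# Interface addresses as shown by "sh ip" in the post (outside is masked there).
INTERFACES = {
    "inside": "10.30.70.1",
    "dmz": "10.30.11.1",
    "alteon": "10.30.200.1",
    "Carrollton": "10.30.250.1",
}

# Routes as shown by "sh route": (interface, network, mask, next hop).
# The default route's next hop is "x.x.x.x" in the post, so it is unknown here.
ROUTES = [
    ("outside", "0.0.0.0", "0.0.0.0", None),
    ("Carrol", "10.10.11.0", "255.255.255.0", "10.30.250.1"),
    ("dmz", "10.30.11.0", "255.255.255.0", "10.30.11.1"),
    ("inside", "10.30.50.0", "255.255.255.0", "10.30.70.2"),
    ("inside", "10.30.60.0", "255.255.255.0", "10.30.70.2"),
    ("inside", "10.30.70.0", "255.255.255.0", "10.30.70.1"),
    ("alteon", "10.30.200.0", "255.255.255.0", "10.30.200.1"),
    ("Carrol", "10.30.250.0", "255.255.255.252", "10.30.250.1"),
]

def lookup(dst):
    """Return (interface, prefix, next_hop) of the most specific matching route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for iface, net, mask, nh in ROUTES:
        prefix = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if addr in prefix and (best is None or prefix.prefixlen > best[1].prefixlen):
            best = (iface, prefix, nh)
    return best

def suspicious_next_hops():
    """Routes to non-connected networks whose next hop is the PIX's own address."""
    own = set(INTERFACES.values())
    hits = []
    for iface, net, mask, nh in ROUTES:
        prefix = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        connected = any(ipaddress.ip_address(a) in prefix for a in own)
        if nh in own and not connected:
            hits.append((iface, str(prefix), nh))
    return hits

if __name__ == "__main__":
    # Destinations taken from the post: a 10.10.11.x host, the two remote sites, a DMZ server.
    for dst in ("10.10.11.5", "10.10.10.1", "10.20.60.1", "10.30.11.2"):
        iface, prefix, nh = lookup(dst)
        print(f"{dst:12} -> {iface} via {prefix}, next hop {nh}")
    print("routes with the PIX's own address as next hop:", suspicious_next_hops())
```

Destinations that match only the default route leave via outside, where the static translations for the DMZ servers apply; that is the check worth running before looking at NAT.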