Communication between 2 DMZ hosts on PIX 515E

I am trying to telnet into a router which resides on my DMZ network from a host that resides on a remote DMZ network. The subnet of the DMZ is 192.168.191.0/24; the IP of the router I'm trying to telnet into is 192.168.191.3. The host I am connecting from is 172.16.3.22, which is connecting via a firewall (the firewall is allowing all IP traffic) plugged into the DMZ at 192.168.191.2. I can ping 192.168.191.3 from 172.16.3.22; however, when I try to initiate a telnet session I get rejected. There are no ACLs on the router which are blocking telnet. Is there something I need to do to allow these 2 DMZ hosts to communicate? I believe the PIX doesn't allow interfaces with the same security level to communicate; is there a way around this?
cruzer8504 Asked:
hawgpig Commented:
cruzer,
You say you can ping but you can't connect... this is a good sign that there is an issue with the server or computer you are trying to telnet to...

Use a syslog server to find your problem.
Here is a down and dirty setup...
These links might help.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/syslog/pixemint.htm

This is freeware syslog server software... It is the second link down (3dv2r10.exe) at the first link:
http://www.ncat.co.uk/Download/
http://www.kiwisyslog.com

Syslog Error messages.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemsgs.htm


Here is the setup in a nutshell:
Install the syslog server software on an internal host.
Type the following at the console:
logging host inside 192.168.1.5   (the internal static IP address where you installed the syslog server software)
logging trap 7
logging on
write mem

Make sure you do a
no logging on   (turns off logging)
after testing,
or do a
logging trap warnings   (lowers the logging level to 4)
or
logging trap notifications   (lowers the logging level to 5)
OR
turn off logging all together:
no logging on
Don't forget a
write mem

When you get the syslog, look for a "build up" connection that is coming from your computer on the outside... then watch for the teardown that is associated with the connection number.

At the end of the teardown line there will be something that says RESET-I, Reset-O, SYN TIMEOUT, etc....
Let me know what you find...
Good luck

lrmoore Commented:
Let me see if I get this right:

<Outside
PIX Fw -- >DMZ<-->Router (192.168.191.3)
<Inside       \
                  Firewall (192.168.191.2)
                        \
                      host (172.16.3.22)

Close?
cruzer8504 (Author) Commented:
Yes, that is correct
hawgpig Commented:
If you don't see any "build ups", look for a DENY on the address that you are coming from...
Good Luck...
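The log review hawgpig describes in the two replies above (pair each "Built" with its "Teardown" by connection number and read the reason at the end, and otherwise look for a "Deny" from your source address) as an added example; this is not code from the thread. It runs over constructed PIX 6.x-style syslog lines (message text approximated from the 302013/302014/106023 formats, addresses taken from the question) and returns the outcome per connection.

```python
import re

# Constructed sample syslog lines in the style of PIX 6.x messages 302013 (Built),
# 302014 (Teardown) and 106023 (Deny). Addresses are the ones from the question.
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 1042 for dmz:172.16.3.22/3301 (172.16.3.22/3301) to dmz:192.168.191.3/23 (192.168.191.3/23)
%PIX-6-302014: Teardown TCP connection 1042 for dmz:172.16.3.22/3301 to dmz:192.168.191.3/23 duration 0:00:30 bytes 0 SYN Timeout
%PIX-6-302013: Built outbound TCP connection 1043 for dmz:172.16.3.22/3302 (172.16.3.22/3302) to dmz:192.168.191.3/23 (192.168.191.3/23)
%PIX-6-302014: Teardown TCP connection 1043 for dmz:172.16.3.22/3302 to dmz:192.168.191.3/23 duration 0:00:00 bytes 0 TCP Reset-I
%PIX-4-106023: Deny tcp src dmz:172.16.3.22/3303 dst dmz:192.168.191.3/23 by access-group "dmz_in"
"""

BUILT = re.compile(r"Built \w+ TCP connection (\d+) for (\S+) .*? to (\S+)")
TEARDOWN = re.compile(r"Teardown TCP connection (\d+) for (\S+) to (\S+) duration (\S+) bytes (\d+)\s*(.*)$")
DENY = re.compile(r"Deny (\w+) src (\S+) dst (\S+)")


def _host(endpoint):
    """'dmz:172.16.3.22/3301' -> '172.16.3.22' (exact match, no substring false positives)."""
    return endpoint.split(":")[-1].split("/")[0]


def analyze(log_text, src_ip, dst_ip):
    """Correlate Built/Teardown lines by connection id for flows src_ip -> dst_ip.

    Returns {"connections": {conn_id: {"src", "dst", "reason", "bytes"}}, "denied": [(src, dst), ...]}.
    A Built with no matching Teardown keeps reason "open".
    """
    conns, denied = {}, []
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            cid, src, dst = m.groups()
            if _host(src) == src_ip and _host(dst) == dst_ip:
                conns[cid] = {"src": src, "dst": dst, "reason": "open", "bytes": 0}
            continue
        m = TEARDOWN.search(line)
        if m and m.group(1) in conns:  # only teardowns for connections we are tracking
            conns[m.group(1)]["reason"] = m.group(6).strip() or "normal close"
            conns[m.group(1)]["bytes"] = int(m.group(5))
            continue
        m = DENY.search(line)
        if m and _host(m.group(2)) == src_ip and _host(m.group(3)) == dst_ip:
            denied.append((m.group(2), m.group(3)))
    return {"connections": conns, "denied": denied}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, "172.16.3.22", "192.168.191.3")
    for cid, info in result["connections"].items():
        print(f"conn {cid}: {info['src']} -> {info['dst']} ended with '{info['reason']}' ({info['bytes']} bytes)")
    for src, dst in result["denied"]:
        print(f"denied: {src} -> {dst}")
```

A "SYN Timeout" with 0 bytes means the far end never answered the handshake, while a "Reset-I" means it answered with a RST, which points back at the target host (or something between it and the PIX) rather than at the PIX rule set.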
lrmoore Commented:
Are you still working on this? Do you need more information?