Solved

Communication between 2 DMZ hosts on PIX 515E

Posted on 2004-04-05
7
413 Views
Last Modified: 2010-04-08
I am trying to telnet into a router which resides on my DMZ network from a host that resides on a remote DMZ network. The subnet of the DMZ is 192.168.191.0/24; the IP of the router I'm trying to telnet into is 192.168.191.3. The host I am connecting from is 172.16.3.22, which is connecting via a firewall (the firewall is allowing all IP traffic) plugged into the DMZ at 192.168.191.2. I can ping 192.168.191.3 from 172.16.3.22; however, when I try to initiate a telnet session I get rejected. There are no ACLs on the router which are blocking telnet. Is there something I need to do to allow these 2 DMZ hosts to communicate? I believe the PIX doesn't allow interfaces with the same security level to communicate; is there a way around this?
0
Question by:cruzer8504
7 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 10759459
Let me see if I get this right:

<Outside
PIX Fw -- >DMZ<-->Router (192.168.191.3)
<Inside       \
                  Firewall (192.168.191.2)
                        \
                      host (172.16.3.22)

Close?
0
 

Author Comment

by:cruzer8504
ID: 10759655
Yes, that is correct
0
 
LVL 4

Accepted Solution

by:
hawgpig earned 75 total points
ID: 10761938
cruzer,
You say you can ping but you can't connect... this is a good sign that there is an issue with the server or computer you are trying to telnet to.

use a syslog server to find your problem
Here is a down and dirty setup...
These links might help.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/syslog/pixemint.htm

This is a freeware syslog server software....It is the second link down (3dv2r10.exe) at the first link;
http://www.ncat.co.uk/Download/
http://www.kiwisyslog.com

Syslog Error messages.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemsgs.htm


Here is the setup in a nutshell:
Install the syslog server software on an internal host.
Type the following at the console
logging host inside 192.168.1.5 <(internal static IP address where you installed the Syslog server software)
logging trap 7
logging on
write mem

Make sure you do a
no logging on (turns off logging)
after testing
or do a
logging trap warnings (lowers the logging level to 4)
or
logging trap notifications (lowers the logging level to 5)
OR
Turn off logging altogether
no logging on
Don't forget a
write mem

When you get the syslog look for a "build up" connection that is coming from your computer on the outside...then watch for the teardown that is associated with the connection number.

At the end of the teardown line there will be something that says RESET-I, Reset-O, SYN TIMEOUT, etc....
let me know what you find...
good luck

0
 
LVL 4

Expert Comment

by:hawgpig
ID: 10761948
if you don't see any "build ups" look for a DENY on the address that you are coming from...
Good Luck...
0
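To act on hawgpig's two pointers above (match the build-up to its teardown and read the reason, or else look for a DENY), here is an added example that is not part of the original thread: it scans PIX syslog text for the build-up/teardown pair of one client-to-server connection by connection number, reports the teardown reason, and counts deny messages for the same pair. The sample log lines are constructed for this example and follow the shape of the PIX 302013 (built), 302014 (teardown) and 106023 (deny) messages; the connection numbers, source ports and access-group name are made up.

```python
import re

# Constructed sample syslog lines (not from the thread), shaped like the PIX
# 302013 (built), 302014 (teardown) and 106023 (deny) messages.
SAMPLE_LOG = """\
%PIX-6-302013: Built inbound TCP connection 4711 for dmz:172.16.3.22/1045 (172.16.3.22/1045) to dmz:192.168.191.3/23 (192.168.191.3/23)
%PIX-6-302014: Teardown TCP connection 4711 for dmz:172.16.3.22/1045 to dmz:192.168.191.3/23 duration 0:00:00 bytes 0 TCP Reset-I
%PIX-6-302013: Built inbound TCP connection 4712 for dmz:172.16.3.22/1046 (172.16.3.22/1046) to dmz:192.168.191.3/23 (192.168.191.3/23)
%PIX-6-302014: Teardown TCP connection 4712 for dmz:172.16.3.22/1046 to dmz:192.168.191.3/23 duration 0:00:30 bytes 0 SYN Timeout
%PIX-4-106023: Deny tcp src dmz:172.16.3.22/1047 dst dmz:192.168.191.3/23 by access-group "dmz_in"
"""

BUILT_RE = re.compile(r"Built (?:inbound|outbound) TCP connection (\d+) for "
                      r"\w+:([\d.]+)/(\d+) \S+ to \w+:([\d.]+)/(\d+)")
TEARDOWN_RE = re.compile(r"Teardown TCP connection (\d+) for .*? duration \S+ "
                         r"bytes \d+\s*(.*)")
DENY_RE = re.compile(r"Deny tcp src \w+:([\d.]+)/(\d+) dst \w+:([\d.]+)/(\d+)")

def _is_pair(a, ap, b, bp, client_ip, server_ip, server_port):
    # The PIX lists the lower-security side first, so accept either order.
    return ((a == client_ip and b == server_ip and int(bp) == server_port) or
            (b == client_ip and a == server_ip and int(ap) == server_port))

def analyse(log_text, client_ip, server_ip, server_port=23):
    """Match build-up lines for client->server:port with their teardown by
    connection number; return teardown reasons, unmatched builds, deny count."""
    open_conns = set()  # connection numbers built but not yet torn down
    teardowns = []      # (connection number, reason text from the teardown)
    denies = 0
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            if _is_pair(*m.groups()[1:], client_ip, server_ip, server_port):
                open_conns.add(m.group(1))
            continue
        m = TEARDOWN_RE.search(line)
        if m and m.group(1) in open_conns:
            open_conns.discard(m.group(1))
            teardowns.append((m.group(1), m.group(2).strip() or "no reason given"))
            continue
        m = DENY_RE.search(line)
        if m and (m.group(1), m.group(3), int(m.group(4))) == (client_ip, server_ip, server_port):
            denies += 1  # the PIX itself refused the attempt (access-list hit)
    return {"teardowns": teardowns, "unmatched": sorted(open_conns),
            "denies": denies}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG, "172.16.3.22", "192.168.191.3"))
```

A teardown with a reset or SYN Timeout reason means the PIX built the connection and the far end did not complete it, pointing at the router as hawgpig says; a non-zero deny count means the PIX blocked the attempt itself.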
 
LVL 79

Expert Comment

by:lrmoore
ID: 10807743
Are you still working on this? Do you need more information?
0
