Communication between 2 DMZ hosts on PIX 515E

Posted on 2004-04-05
Last Modified: 2010-04-08
I am trying to telnet into a router which resides on my DMZ network from a host that resides on a remote DMZ network. The subnet of the DMZ is 192.168.191.0/24; the IP of the router I'm trying to telnet into is 192.168.191.3. The host I am connecting from is 172.16.3.22, which is connecting via a firewall (the firewall is allowing all IP traffic) plugged into the DMZ at 192.168.191.2. I can ping 192.168.191.3 from 172.16.3.22; however, when I try to initiate a telnet session I get rejected. There are no ACLs on the router which are blocking telnet. Is there something I need to do to allow these 2 DMZ hosts to communicate? I believe PIX doesn't allow interfaces with the same security level to communicate; is there a way around this?
Question by:cruzer8504
5 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 10759459
Let me see if I get this right:

<Outside
PIX Fw -- >DMZ<-->Router (192.168.191.3)
<Inside       \
                  Firewall (192.168.191.2)
                        \
                      host (172.16.3.22)

Close?

Author Comment

by:cruzer8504
ID: 10759655
Yes, that is correct
LVL 4

Accepted Solution

by: hawgpig (earned 300 total points)
ID: 10761938
cruzer,
You say you can ping but you can't connect.... This is a good sign that there is an issue with the server or computer you are trying to telnet to....

Use a syslog server to find your problem.
Here is a down and dirty set-up...
These links might help.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/syslog/pixemint.htm

This is freeware syslog server software.... It is the second link down (3dv2r10.exe) at the first link:
http://www.ncat.co.uk/Download/
http://www.kiwisyslog.com

Syslog error messages:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemsgs.htm

Here is the setup in a nutshell.
Install the syslog server software on an internal host.
Type the following at the console:
logging host inside 192.168.1.5    (192.168.1.5 is the internal static IP address where you installed the syslog server software)
logging trap 7
logging on
write mem

Make sure you do a
no logging on    (turns off logging)
after testing, or do a
logging trap warnings    (lowers the logging level to 4)
or
logging trap notifications    (lowers the logging level to 5)
OR turn off logging altogether:
no logging on
Don't forget a
write mem

When you get the syslog, look for a "build up" connection that is coming from your computer on the outside... then watch for the teardown that is associated with the connection number.

At the end of the teardown line there will be something that says RESET-I, Reset-O, SYN TIMEOUT, etc....
Let me know what you find...
Good luck
LVL 4

Expert Comment

by:hawgpig
ID: 10761948
If you don't see any "build ups", look for a DENY on the address that you are coming from...
Good Luck...
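The procedure in the accepted solution (find the "build up" from your host, match the teardown by connection number, read the reason at the end of the teardown line) and the follow-up's "look for a DENY" are implemented below as an added example; this is not code from the original thread or from Cisco. It parses constructed PIX 6.x-style syslog lines: message numbers 302013, 302014 and 106023 are real PIX message IDs, but the sample lines, interface names, ports, connection numbers and the access-group name are made up, and the exact wording differs between PIX versions. It assumes that in Built/Teardown messages the "for" endpoint sits on the lower-security interface and the "to" endpoint on the higher-security one, and it goes slightly beyond the thread by also reporting the case where no message at all matches the client/server pair.

```python
import re

# Constructed sample syslog lines in the PIX 6.x message style (assumption: exact wording
# varies by software version). They are not taken from the original thread.
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 1401 for dmz:192.168.191.3/23 (192.168.191.3/23) to inside:172.16.3.22/3045 (172.16.3.22/3045)
%PIX-6-302014: Teardown TCP connection 1401 for dmz:192.168.191.3/23 to inside:172.16.3.22/3045 duration 0:00:00 bytes 0 TCP Reset-O
%PIX-6-302013: Built outbound TCP connection 1402 for dmz:192.168.191.3/23 (192.168.191.3/23) to inside:172.16.3.22/3046 (172.16.3.22/3046)
%PIX-6-302014: Teardown TCP connection 1402 for dmz:192.168.191.3/23 to inside:172.16.3.22/3046 duration 0:00:30 bytes 0 SYN Timeout
%PIX-4-106023: Deny tcp src inside:172.16.3.22/3047 dst dmz:192.168.191.3/23 by access-group "inside_in"
%PIX-6-302013: Built outbound TCP connection 1403 for dmz:192.168.191.3/80 (192.168.191.3/80) to inside:172.16.3.22/3048 (172.16.3.22/3048)
%PIX-6-302014: Teardown TCP connection 1403 for dmz:192.168.191.3/80 to inside:172.16.3.22/3048 duration 0:02:10 bytes 812 TCP FINs
"""

# Assumption drawn from the message format: in 302013/302014 the "for" endpoint is on the
# lower-security interface and the "to" endpoint on the higher-security interface.
BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) TCP connection (?P<id>\d+) "
    r"for \w+:(?P<low_ip>[\d.]+)/(?P<low_port>\d+) \S+ "
    r"to \w+:(?P<high_ip>[\d.]+)/(?P<high_port>\d+)")
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for \w+:(?P<low_ip>[\d.]+)/(?P<low_port>\d+) "
    r"to \w+:(?P<high_ip>[\d.]+)/(?P<high_port>\d+) duration \S+ "
    r"bytes (?P<bytes>\d+)\s*(?P<reason>.*?)\s*$")
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src \w+:(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst \w+:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)(?P<rest>.*)$")


def parse_pix_log(text):
    """Group Built/Teardown lines by connection number; collect Deny lines separately."""
    conns, denies = {}, []
    for line in text.splitlines():
        m = BUILT_RE.search(line) or TEARDOWN_RE.search(line)
        if m:
            c = conns.setdefault(m["id"], {"reason": None, "bytes": None})
            c["low"] = (m["low_ip"], int(m["low_port"]))     # lower-security side
            c["high"] = (m["high_ip"], int(m["high_port"]))  # higher-security side
            if "reason" in m.groupdict():                     # only the teardown line has it
                c["reason"], c["bytes"] = m["reason"], int(m["bytes"])
            continue
        m = DENY_RE.search(line)
        if m:
            denies.append({"proto": m["proto"].lower(),
                           "src": (m["src_ip"], int(m["src_port"])),
                           "dst": (m["dst_ip"], int(m["dst_port"])),
                           "detail": m["rest"].strip()})
    return conns, denies


def classify(conn):
    """Turn the teardown reason into a (code, detail) pair, the way the thread reads it."""
    if conn["reason"] is None:
        return "still_open", "built but no teardown logged yet"
    reason = conn["reason"].lower()
    if "reset-i" in reason:
        return "rst_from", conn["high"][0]   # higher-security side sent the RST
    if "reset-o" in reason:
        return "rst_from", conn["low"][0]    # lower-security side sent the RST
    if "syn timeout" in reason:
        return "syn_timeout", "no SYN/ACK ever came back"
    if "fins" in reason:
        return "normal_close", "%d bytes exchanged" % conn["bytes"]
    return "other", conn["reason"]


def diagnose(text, client_ip, server_ip, server_port=23):
    """Findings for one client -> server:port pair, as (conn_id, code, detail) tuples."""
    conns, denies = parse_pix_log(text)
    findings = []
    for cid in sorted(conns, key=int):
        c = conns[cid]
        ends = {c["low"], c["high"]}
        if {c["low"][0], c["high"][0]} != {client_ip, server_ip} or (server_ip, server_port) not in ends:
            continue
        code, detail = classify(c)
        findings.append((cid, code, detail))
    for d in denies:
        if d["src"][0] == client_ip and d["dst"] == (server_ip, server_port):
            findings.append((None, "deny", d["detail"]))
    if not findings:
        findings.append((None, "none",
                         "no build-up, teardown or deny for this pair: the flow never "
                         "traversed the PIX, or 'logging trap' is set below 6"))
    return findings


if __name__ == "__main__":
    for cid, code, detail in diagnose(SAMPLE_LOG, "172.16.3.22", "192.168.191.3"):
        print(cid or "-", code, detail)
```

Run as a script it prints one finding per matching connection. Read against the thread's scenario: a Reset-I or Reset-O finding names the host that sent the TCP reset (the telnet target refusing the port, for instance), SYN Timeout means the target never answered the SYN, a deny means a PIX access list dropped the packet, and the "none" case means the flow never crossed the PIX at all, which is worth checking before blaming the PIX, since a firewall only logs what it forwards. The Built/Teardown messages are informational (level 6), so they only appear if the trap level is 6 or 7, as in the accepted solution's "logging trap 7".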
LVL 79

Expert Comment

by:lrmoore
ID: 10807743
Are you still working on this? Do you need more information?