Screen OS

Hi,

I can ping the DMZ interface from outside but i cannot ping the server connected to dmz..please see the config attached.

Thanks

Labhesh

Attachment(s)

cfg.txt   6 KB 1 version

can anybody help me with this issue pleasE??

Your untrust zone interface and your DMZ interface are using IP addresses in the same subnet -- that's not going to work.

You also have a Trust->Untrust policy that is a "permit all" at the top (id 1) and is going to shadow all your other 4 Trust->Untrust policies.  That doesn't have anything to do with the problem you're asking about -- but it will be a problem for you later if you expect the policy logging on those other policies to work.

I have assigned 192.168.3.1/24 to eth 0/1 interface and did a mip to 75.99.134.74 which is eth 0/0

i am attaching you the new config....

what is the ideal solution ....to put my webserver in dmz ......??

please help

thanks for replying

Attachment(s)

cfg (1).txt   6 KB 1 version

It's hard to say what the ideal solution would be for you without knowing more about your environment and what you're needs and goals are.

The MIP is a good starting point, but I would use one of the other IPs in the 75.99.134.72/29 (.72 - .79) address space that you apparently have allocated for your MIP instead of the firewall's interface IP.

i did assign different external interface to map it to my webserver 

but my server still cannot access the internet..i am attching the config file again

Attachment(s)

cfg (2).txt   6 KB 1 version

Take the SRC-NAT off of your DMZ->Untrust policy (policy id 7).

Using a MIP, the firewall will handle NAT in both directions.

i took it off.....

also my webser connected to DMZ has ip address 192.168.3.2 with gateway 192.168.3.1 .. is that correct...

i still cannot access the internet

Attachment(s)

cfg (3).txt   6 KB 1 version

I also see two default routes:

set route 0.0.0.0/0 interface ethernet0/0 gateway 75.99.134.73
set route 0.0.0.0/0 interface tunnel.1

Take out the second one...  your route-based VPN route needs to be something [much] more specific than a default 0.0.0.0/0 route.

i removed the second default route but still no luck....

my eth0/1 is set to interface mode route 

and eth0/0 is set to NAT

is that corrrect..

from my webserver i cannot ping anything ( not 75.99.134.76 nor 75.99.134.73) but i can ping 75.99.134.76 from the internet

please help

thanks for your reply

Labs

Attachment(s)

cfg (4).txt   6 KB 1 version

Try putting your eth0/0 interface in Route mode.

I feel like now might be a good time to ask if you've read through the ScreenOS documentation?  Much of this is covered with explanations and examples in the documentation.

yes!! i did the read the documentation. 

i added policy from dmz to untrust to any any any and tht did the trick..

some reason policy MIP to any pplicy wasnt allowing the traffic. for dmz to untrust

It works now...

Thanks for your reply

LAbs

i cannot ping from dmz to trust now...

any idea?

Did you add a policy from DMZ -> Trust?

yes i did!!

its any any any ..just for testing purposes...then i will lock it down...still with any any any ....i can ping 1.24 network from dmz

thanks

i m attching the config

Attachment(s)

cfg (6).txt   6 KB 1 version

Try checking the policy logs.  You have every policy configured with logging, so the logs should show you if traffic is flowing.

You can also start using debugs to trace packets and see if they're being forwarded or dropped.

Here is a KB Article that should get you started.

If you need further assistance, please provide a network diagram that includes the appropriate networks, endpoints, etc., and also provide some log and/or debug flow output in addition to your current configs.

I got everything working. Thanks for all your help.

Regards,

Labhesh