proxy squid in a DMZ



Not applicable


I put a squid proxy in the DMZ zone with address
it is connected to the PAN -
and a trust zone to the untrust LAN and another to the internet
and I cannot ping the proxy from the LAN

Interface PAN to LAN:

My IP address:

I don't know the route that I would need to make.


L4 Transporter


Please correct me if I am drawing the wrong topology

Proxy ( PAN ( -------LAN-------( Client

I am expecting there is no nat configured in between and the Client has a Gateway as i.e. PAN's trust interface

You need to check the following:

1) There should be a security policy allowing the connection to go through from LAN to DMZ

2) Check if you can ping the gateway (i.e. LAN interface) from the client

3) Check if you can ping the proxy server from the PAN, use the following command on CLI:

PAN> ping source host

4) If you are not getting any response, you should check the gateway or route on the proxy server; you can also try to ping from the proxy server

5) Check the ARP entries on both interfaces

PAN> show arp ethernet1/x

Let us know the results.



Some additional comments on previous points:

1) As a test (if possible) you could setup a security rule that acts just on src/dstzone such as:

srczone: LAN
dstzone: DMZ
appid: any
serviceport: any
user: any
action: allow

and then (when you identified what was incorrect and fixed it) limit it down to correct appid/serviceport.

2) If the LAN interface is on the PAN you need to set up a management profile as well that will allow the LAN interface to be pinged.

3) I think the following will work better 😉

ping source host

4) In my experience this is quite common (given the symptoms presented).

Verify that the client has the LAN interface of the PAN as defgw ( and also that the proxy has the DMZ interface of the PAN as defgw ( Also verify again that you have correct IP addresses AND netmasks on both proxy and client (so it doesn't say instead of or such).

Easiest is to just run "netstat -rn" to see current routing table.

Since both proxy and client are "directly attached" you won't need additional routing rules in the PAN box. However, if you have linknets then you would need to add additional routes in the "virtual router" in the PAN.

5) Also check the ARP entries on the proxy and client itself, with "arp -a" or "arp -an".
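The addressing checks from points 4 and 5 above (gateway on-link and equal to the PAN interface, matching netmasks, static route only needed for a linknet), as an added example that is not part of this thread; the host and interface addresses are constructed RFC 5737 documentation addresses, and the function names are my own.

```python
import ipaddress


def check_host(name, host_cidr, host_gateway, pan_iface_cidr):
    """Compare one host's addressing with the PAN interface facing its segment.

    host_cidr / pan_iface_cidr carry the netmask ("192.0.2.20/24").
    Returns a dict with:
      directly_attached - host subnet equals the PAN interface subnet
      pan_route_needed  - host sits behind a linknet, so the PAN virtual
                          router needs a static route to reach it
      issues            - human-readable findings (empty when all is well)
    """
    host = ipaddress.ip_interface(host_cidr)
    pan = ipaddress.ip_interface(pan_iface_cidr)
    gw = ipaddress.ip_address(host_gateway)
    issues = []

    directly_attached = host.network == pan.network
    # Subnets that differ but still overlap point to a wrong netmask on one
    # side; subnets that do not overlap at all are a separate linknet.
    overlap = pan.ip in host.network or host.ip in pan.network
    pan_route_needed = not directly_attached and not overlap
    if not directly_attached and overlap:
        issues.append(f"{name}: netmask mismatch, host {host} vs PAN interface {pan}")
    elif pan_route_needed:
        issues.append(f"{name}: {host.network} is not directly attached to {pan}; "
                      "add a static route in the PAN virtual router")

    if gw not in host.network:
        issues.append(f"{name}: default gateway {gw} is not on-link for {host.network}")
    elif directly_attached and gw != pan.ip:
        issues.append(f"{name}: default gateway should be the PAN interface {pan.ip}, not {gw}")

    return {"directly_attached": directly_attached,
            "pan_route_needed": pan_route_needed, "issues": issues}


if __name__ == "__main__":
    # Constructed topology: client on the LAN side, proxy on the DMZ side.
    PAN_LAN, PAN_DMZ = "192.0.2.1/24", "198.51.100.1/24"
    for result in (check_host("client", "192.0.2.20/24", "192.0.2.1", PAN_LAN),
                   check_host("proxy", "198.51.100.10/16", "198.51.100.1", PAN_DMZ)):
        print(result["issues"] or "ok")
```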
