I can't ping my DMZ zone from the local inside PC
Edit: My answer below may be useful to someone running a version of the ASA or PIX operating system prior to 7.0, but probably isn't useful to the poster.
In versions 7.0 and up the nat-control functionality I'm describing below is disabled (see http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml).
You don't have a nat (dmz) ... for the DMZ network. By default an ASA won't pass traffic between networks if it doesn't cross a nat (even if it's a nat (interface) 0 to prevent NAT from occurring).
Add some commands (assuming that you want outbound traffic from the DMZ to the Internet to be NAT'd and that you want traffic from the inside to the DMZ not to be NAT'd):
access-list inside_nat0_outbound extended permit ip 10.1.4.0 255.255.252.0 172.16.16.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (dmz) 1 0.0.0.0 0.0.0.0
That causes outbound traffic from the DMZ to be NAT'd, and bypasses NAT for traffic from the LAN subnet to the DMZ subnet.
Big Denzel
Updated on September 18, 2022
Comments
Big Denzel over 1 year
Hi everybody.
Can anyone please help me with the following issue. I have a Cisco ASA 5520 configured on my network.
I can't ping my DMZ interface from a local inside network PC. The only way to ping the DMZ is right from the Cisco ASA firewall itself; from there I can ping all 3 interfaces, Inside, Outside and DMZ.
But no PC from the Inside network can access the DMZ.
Can anyone please help?
I thank you all in advance.
Below is my Cisco ASA 5520 firewall show run:
ASA-FW# sh run
: Saved
:
ASA Version 7.0(8)
!
hostname ASA-FW
enable password encrypted
passwd encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description "Link-To-GW-Router"
 nameif outside
 security-level 0
 ip address 41.223.156.109 255.255.255.248
!
interface GigabitEthernet0/1
 description "Link-To-Local-LAN"
 nameif inside
 security-level 100
 ip address 10.1.4.1 255.255.252.0
!
interface GigabitEthernet0/2
 description "Link-To-DMZ"
 nameif dmz
 security-level 50
 ip address 172.16.16.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description "Local-Management-Interface"
 no nameif
 no security-level
 ip address 192.168.192.1 255.255.255.0
!
ftp mode passive
access-list OUT-TO-DMZ extended permit tcp any host 41.223.156.107 eq smtp
access-list OUT-TO-DMZ extended permit tcp any host 41.223.156.106 eq www
access-list OUT-TO-DMZ extended permit icmp any any log
access-list OUT-TO-DMZ extended deny ip any any
access-list inside extended permit tcp any any eq pop3
access-list inside extended permit tcp any any eq smtp
access-list inside extended permit tcp any any eq ssh
access-list inside extended permit tcp any any eq telnet
access-list inside extended permit tcp any any eq https
access-list inside extended permit udp any any eq domain
access-list inside extended permit tcp any any eq domain
access-list inside extended permit tcp any any eq www
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list dmz extended permit ip any any
access-list dmz extended permit icmp any any
access-list cap extended permit ip 10.1.4.0 255.255.252.0 172.16.16.0 255.255.255.0
access-list cap extended permit ip 172.16.16.0 255.255.255.0 10.1.4.0 255.255.252.0
no pager
logging enable
logging buffer-size 5000
logging monitor warnings
logging trap warnings
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp 41.223.156.106 www 172.16.16.80 www netmask 255.255.255.255
static (dmz,outside) tcp 41.223.156.107 smtp 172.16.16.25 smtp netmask 255.255.255.255
static (inside,dmz) 10.1.0.0 10.1.16.0 netmask 255.255.252.0
access-group OUT-TO-DMZ in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 41.223.156.108 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.1.4.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
!
!
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:
: end
ASA-FW#
Please Help.
Big Denzel
ravi yarlagadda about 13 years: Which address are the PCs hitting? The public address (say, are they browsing to it using the DNS name?), or the 172.16.16.25 address?
Big Denzel about 13 years: Well, even by DNS the inside PCs can't reach the DMZ, only from the inside network. So from the inside network I can't ping 172.16.16.1, which is the DMZ interface, and not even 172.16.16.25, which is the mail server on the DMZ. So far 172.16.16.25 is the only PC on the DMZ. Hope I was clear enough to you. Big Denzel
ravi yarlagadda about 13 years: That behavior is when the nat-control command is enabled; it is off by default (and exemption is assumed when no rule matches).
Spence about 13 years: @Shane Madden: Quite right. cisco.com/en/US/products/ps6120/…