I can't ping my DMZ zone from the local inside PC


Edit: My answer below may be useful to someone running a version of the ASA or PIX operating system prior to 7.0, but probably isn't useful to the poster.

In versions 7.0 and up the nat-control functionality I'm describing below is disabled (see http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml).


You don't have a nat (dmz) ... for the DMZ network. By default an ASA won't pass traffic between networks if it doesn't cross a nat (even if it's a nat (interface) 0 to prevent NAT from occurring).

Add some commands (assuming that you want outbound traffic from the DMZ to the Internet to be NAT'd and that you want traffic from the inside to the DMZ not to be NAT'd):

access-list inside_nat0_outbound extended permit ip 10.1.4.0 255.255.252.0 172.16.16.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (dmz) 1 0.0.0.0 0.0.0.0

That causes outbound traffic from the DMZ to be NAT'd, and bypasses NAT for traffic from the LAN subnet to the DMZ subnet.
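To make the nat-control rule concrete, here is an added checker (not part of the answer above) that models the pre-7.0 xlate lookup over a constructed excerpt of the poster's config: nat 0 exemption ACL first, then static, then dynamic nat with a matching global on the destination interface. It assumes the simplified rule forms shown on this page only; the sample addresses and the 7.0+ default of nat-control being off are taken from the page.

```python
import ipaddress
import re
# Constructed excerpt of the poster's 7.0(8) config, not the full show run.
ORIGINAL = """
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,dmz) 10.1.0.0 10.1.16.0 netmask 255.255.252.0
"""
# The answer's additions, with the ACL written out in full (extended permit ip).
FIXED = ORIGINAL + """
access-list inside_nat0_outbound extended permit ip 10.1.4.0 255.255.252.0 172.16.16.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (dmz) 1 0.0.0.0 0.0.0.0
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def translation_for(config, src_ifc, dst_ifc, src_ip, dst_ip):
    """Return the rule a flow would be translated by, or None if no xlate can be built."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    globals_, acls, exempt, dynamic, statics = set(), {}, [], [], []
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := re.match(r"global \((\S+)\) (\d+)", line):
            globals_.add((m[1], m[2]))
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            exempt.append((m[1], m[2]))
        elif m := re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line):
            dynamic.append((m[1], m[2], net(m[3], m[4])))
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)", line):
            statics.append((m[1], m[2], m[3], net(m[4], m[5])))
    # ASA precedence: nat 0 ACL (identity, matches both ends), then static, then dynamic nat+global.
    for ifc, name in exempt:
        if ifc == src_ifc and any(src in s and dst in d for s, d in acls.get(name, [])):
            return f"nat 0 exemption via {name}"
    for real_ifc, mapped_ifc, mapped, real in statics:
        if (real_ifc, mapped_ifc) == (src_ifc, dst_ifc) and src in real:
            return f"static {real} -> {mapped} on {mapped_ifc}"
    for ifc, nat_id, pool in dynamic:
        if ifc == src_ifc and src in pool and (dst_ifc, nat_id) in globals_:
            return f"nat id {nat_id} -> global ({dst_ifc})"
    return None

def flow_allowed(config, src_ifc, dst_ifc, src_ip, dst_ip):
    """With nat-control a flow needs an xlate; without it (7.0+ default) the ASA forwards untranslated."""
    strict = any(l.strip() == "nat-control" for l in config.splitlines())
    return (not strict) or translation_for(config, src_ifc, dst_ifc, src_ip, dst_ip) is not None
```

Run against ORIGINAL, the inside-to-DMZ flow finds no xlate (the static covers 10.1.16.0/22, not the 10.1.4.0/22 LAN, and nat id 1 has no global on dmz), which is exactly the failure the answer describes when nat-control is on.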

Author: Big Denzel

Updated on September 18, 2022

Comments

  • Big Denzel over 1 year

    Hi everybody.

    Can anyone please help me with the following issue? I have a Cisco ASA 5520 configured on my network.

    I can't ping my DMZ interface from a local inside network PC. The only way I can ping the DMZ is from the Cisco ASA firewall itself; from there I can ping all 3 interfaces: Inside, Outside and DMZ.

    But no PC from the Inside Network can access the DMZ.

    Can anyone please help?

    I thank you all in advance.

    Below is my Cisco ASA 5520 firewall show run:

    ASA-FW# sh run
    : Saved
    :
    ASA Version 7.0(8)
    !
    hostname ASA-FW
    enable password      encrypted
    passwd                encrypted
    names
    dns-guard
    !
    interface GigabitEthernet0/0
     description "Link-To-GW-Router"
     nameif outside
     security-level 0
     ip address 41.223.156.109 255.255.255.248
    !
    interface GigabitEthernet0/1
     description "Link-To-Local-LAN"
     nameif inside
     security-level 100
     ip address 10.1.4.1 255.255.252.0
    !
    interface GigabitEthernet0/2
     description "Link-To-DMZ"
     nameif dmz
     security-level 50
     ip address 172.16.16.1 255.255.255.0
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     description "Local-Management-Interface"
     no nameif
     no security-level
     ip address 192.168.192.1 255.255.255.0
    !
    ftp mode passive
    access-list OUT-TO-DMZ extended permit tcp any host 41.223.156.107 eq smtp
    access-list OUT-TO-DMZ extended permit tcp any host 41.223.156.106 eq www
    access-list OUT-TO-DMZ extended permit icmp any any log
    access-list OUT-TO-DMZ extended deny ip any any
    access-list inside extended permit tcp any any eq pop3
    access-list inside extended permit tcp any any eq smtp
    access-list inside extended permit tcp any any eq ssh
    access-list inside extended permit tcp any any eq telnet
    access-list inside extended permit tcp any any eq https
    access-list inside extended permit udp any any eq domain
    access-list inside extended permit tcp any any eq domain
    access-list inside extended permit tcp any any eq www
    access-list inside extended permit ip any any
    access-list inside extended permit icmp any any
    access-list dmz extended permit ip any any
    access-list dmz extended permit icmp any any
    access-list cap extended permit ip 10.1.4.0 255.255.252.0 172.16.16.0 255.255.255.0
    access-list cap extended permit ip 172.16.16.0 255.255.255.0 10.1.4.0 255.255.252.0
    no pager
    logging enable
    logging buffer-size 5000
    logging monitor warnings
    logging trap warnings
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    no failover
    asdm image disk0:/asdm-508.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (dmz,outside) tcp 41.223.156.106 www 172.16.16.80 www netmask 255.255.255.255
    static (dmz,outside) tcp 41.223.156.107 smtp 172.16.16.25 smtp netmask 255.255.255.255
    static (inside,dmz) 10.1.0.0 10.1.16.0 netmask 255.255.252.0
    access-group OUT-TO-DMZ in interface outside
    access-group inside in interface inside
    access-group dmz in interface dmz
    route outside 0.0.0.0 0.0.0.0 41.223.156.108 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http 10.1.4.0 255.255.252.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    !
    !
     match default-inspection-traffic
    !
    !
    policy-map global_policy
     class inspection_default
      inspect dns maximum-length 512
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    Cryptochecksum:
    : end
    ASA-FW#

    Please Help.

    Big Denzel

    • ravi yarlagadda about 13 years
      Which address are the PCs hitting? The public address (say, are they browsing to it using the DNS name?), or the 172.16.16.25 address?
    • Big Denzel about 13 years
      Well, even by DNS the inside PCs can't reach the DMZ, only from the inside network. So from the inside network I can't ping 172.16.16.1, which is the DMZ interface, nor 172.16.16.25, which is the mail server on the DMZ; so far 172.16.16.25 is the only PC on the DMZ. Hope I was clear enough. Big Denzel
  • ravi yarlagadda about 13 years
    That behavior is when the nat-control command is enabled; it is off by default (and exemption is assumed when no rule matches).
  • Spence about 13 years
    @Shane Madden: Quite right. cisco.com/en/US/products/ps6120/…