Communication between two DMZ segments

Unanswered Question
Sep 7th, 2007

Hi friends,

I have a firewall with inside, outside + 2 DMZ's.

I am able to talk to the DMZs from the inside and outside interfaces, but inter-DMZ communication (communication between the two DMZs) is not working.

I have all the static translations and routing in place but still it doesn't work.

I have also enabled same-security-traffic permit inter-interface and intra-interface. Is there any inherent limitation in the ASA 5540 for this?

Thanks a lot

Gautam

gautamzone Fri, 09/07/2007 - 14:21

Just wanted to add that syslog reports the following message for communication between the two DMZs:

%ASA-6-110001: No route to 10.0.3.10 from 10.1.20.2

Thanks a lot

gautamzone Fri, 09/07/2007 - 15:21

Sure, the configs are as follows:

no nat-control

interface GigabitEthernet1/0
 nameif SA
 security-level 30
 ip address 10.0.3.1 255.255.255.0

interface GigabitEthernet1/2
 nameif WAN
 security-level 100
 ip address 10.0.4.1 255.255.255.0

static (WAN,SA) 10.1.20.0 10.1.20.0 netmask 255.255.255.0

access-list SA extended permit ip any any
access-list WAN extended permit ip any any
access-list WAN extended permit icmp any any

access-group SA in interface SA
access-group WAN in interface WAN

Output of show route WAN on ASA
--------------------------------
O IA 10.1.20.0 255.255.255.0 [110/11123] via 10.0.4.3, 0:47:31, WAN

Output of show route SA on ASA
-------------------------------
C 10.0.3.0 255.255.255.0 is directly connected, SA

Output of show run router
-------------------------
router ospf 100
 network 10.0.3.0 255.255.255.0 area 20
 network 10.0.4.0 255.255.255.0 area 20
 network 10.0.5.0 255.255.255.0 area 20

The routers 10.0.4.3 and 10.1.20.1 have OSPF advertised routes for 10.0.3.0.

Note: An interesting thing is that when I turn on a capture for packets from 10.1.20.2 towards 10.0.3.10, I see echo requests being sent through but no echo replies from 10.0.3.10! Also, if I ping the other way (10.0.3.10 --> 10.1.20.2), I see echo requests being sent and echo replies being received too, but the firewall seems to drop them!

a.alekseev Sun, 09/09/2007 - 04:29

So you needn't have the static.

But another static entry in your config can break communication between two interfaces with the same security level.
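As an added illustration (not code from the thread or from Cisco), a small Python model of the behaviour behind the %ASA-6-110001 message above and the warning in this reply: on ASA code with the pre-8.3 NAT syntax, a static that matches the destination decides the egress interface before the routing table is consulted, so a route must exist on the interface the static picked. The model, the hypothetical third interface "DMZ2" and the extra static are constructed assumptions; only the routes and the static (WAN,SA) line are taken from the posted config.

```python
import ipaddress
from dataclasses import dataclass
N = ipaddress.ip_network

# Constructed, simplified model of egress selection on an ASA with pre-8.3
# NAT syntax: a static whose MAPPED network contains the destination and whose
# mapped interface is the ingress interface overrides the routing table, and a
# route for the destination must then exist on the interface the static chose.

@dataclass
class Static:            # static (real_if,mapped_if) mapped_net real_net
    real_if: str
    mapped_if: str
    mapped_net: ipaddress.IPv4Network
    real_net: ipaddress.IPv4Network

@dataclass
class Route:             # one line of "show route <iface>"
    iface: str
    net: ipaddress.IPv4Network

def select_egress(ingress, src, dst, statics, routes):
    """Return (egress, how) or raise LookupError with a 110001-style message."""
    dst_ip = ipaddress.ip_address(dst)
    egress, how = None, None
    for s in statics:    # 1. static on the ingress side that matches the destination
        if s.mapped_if == ingress and dst_ip in s.mapped_net:
            egress, how = s.real_if, "static"
            break
    if egress is None:   # 2. otherwise longest-prefix match over all routes
        cands = [r for r in routes if dst_ip in r.net]
        if cands:
            egress, how = max(cands, key=lambda r: r.net.prefixlen).iface, "route"
    # 3. the chosen interface must actually carry a route for the destination
    if egress is None or not any(r.iface == egress and dst_ip in r.net for r in routes):
        raise LookupError(f"%ASA-6-110001: No route to {dst} from {src}")
    return egress, how

# Routes and the one static taken from the posted config.
ROUTES = [Route("SA", N("10.0.3.0/24")), Route("WAN", N("10.1.20.0/24"))]
POSTED = [Static("WAN", "SA", N("10.1.20.0/24"), N("10.1.20.0/24"))]
# Constructed: a second identity static for 10.0.3.0/24 behind a hypothetical
# third interface "DMZ2", the kind of extra static entry the reply warns about.
EXTRA = POSTED + [Static("DMZ2", "WAN", N("10.0.3.0/24"), N("10.0.3.0/24"))]

def diagnose(statics, ingress="WAN", src="10.1.20.2", dst="10.0.3.10"):
    try:
        return select_egress(ingress, src, dst, statics, ROUTES)
    except LookupError as e:
        return None, str(e)
```

With only the posted static, the WAN-to-SA flow is routed out SA; with the constructed extra static the same flow is steered to DMZ2, where no route exists, and the model yields the exact syslog line seen in the thread.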
