Communication between two DMZ segments

Unanswered Question
Sep 7th, 2007

Hi friends,

I have a firewall with inside, outside + 2 DMZs.

I am able to talk to the DMZs from inside and outside interfaces, but inter-DMZ communication, i.e. communication between the two DMZs, is not working.

I have all the static translations and routing in place but still it doesn't work.

I have also enabled same-security-traffic permit inter-interface and intra-interface. Is there any inherent limitation in the ASA 5540 for this?

Thanks a lot


gautamzone Fri, 09/07/2007 - 14:21

Just wanted to add that syslog reports the following message for communication between the two DMZs:

%ASA-6-110001: No route to from

Thanks a lot

gautamzone Fri, 09/07/2007 - 15:21

Sure, the configs are as follows:

no nat-control

interface GigabitEthernet1/0
 nameif SA
 security-level 30
 ip address

interface GigabitEthernet1/2
 nameif WAN
 security-level 100
 ip address

static (WAN,SA) netmask

access-list SA extended permit ip any any
access-list WAN extended permit ip any any
access-list WAN extended permit icmp any any

access-group SA in interface SA
access-group WAN in interface WAN

Output of show route WAN on ASA:

O IA [110/11123] via, 0:47:31, WAN

Output of show route SA on ASA:

C is directly connected, SA

Output of show run router:

router ospf 100
 network area 20
 network area 20
 network area 20

The routers and have OSPF advertised routes for

Note: An interesting thing is that when I turn on capture for packets from towards, I am seeing echo requests being sent through but no echo replies from! Also, if I ping the other way (>, I am seeing echo requests being sent and echo replies being received too, but the firewall seems to drop them!

a.alekseev Sun, 09/09/2007 - 04:29

So you needn't have the static.

But another static entry in your config can break communication between two interfaces with the same security level.
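As an added example (not code from this thread), a small Python check that reads an ASA-style config, maps each nameif to its security level, and flags any static that joins two interfaces at the same level, the case a.alekseev's reply says can break same-security traffic; it also reports whether nat-control is off, in which case the static is not needed at all. The sample config is constructed for the example, since the poster's addresses are elided.

```python
import re

# Constructed sample ASA config (not the poster's, whose addresses are elided):
# two DMZ interfaces share security level 50 and a static joins them.
SAMPLE_CONFIG = """\
no nat-control
same-security-traffic permit inter-interface
interface GigabitEthernet1/0
 nameif DMZ1
 security-level 50
interface GigabitEthernet1/1
 nameif DMZ2
 security-level 50
interface GigabitEthernet1/2
 nameif WAN
 security-level 100
static (DMZ1,DMZ2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (WAN,DMZ1) 10.3.3.0 10.3.3.0 netmask 255.255.255.0
"""

def parse_security_levels(config):
    """Map each nameif to its security-level, read from interface blocks."""
    levels, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            current = None          # new block; wait for its nameif
        elif line.startswith("nameif "):
            current = line.split(None, 1)[1]
        elif line.startswith("security-level ") and current:
            levels[current] = int(line.split()[1])
    return levels

STATIC_RE = re.compile(r"^static \((?P<real>[^,]+),(?P<mapped>[^)]+)\)")

def find_same_level_statics(config):
    """Return (real_if, mapped_if, level) for each static whose two
    interfaces share a security level, the case a.alekseev warns about."""
    levels = parse_security_levels(config)
    hits = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m and m["real"] in levels and levels[m["real"]] == levels.get(m["mapped"]):
            hits.append((m["real"], m["mapped"], levels[m["real"]]))
    return hits

def nat_control_enabled(config):
    """False when 'no nat-control' is set: statics are then optional."""
    return "no nat-control" not in [l.strip() for l in config.splitlines()]
```

Run `find_same_level_statics(SAMPLE_CONFIG)` to list the offending statics; on the sample it reports the DMZ1/DMZ2 entry and leaves the WAN/DMZ1 one alone.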
