Communication between two DMZ segments

Unanswered Question
Sep 7th, 2007

Hi friends,


I have a firewall with inside, outside + 2 DMZ's.


I am able to talk to the DMZs from the inside and outside interfaces, but inter-DMZ communication (communication between the two DMZs) is not working.


I have all the static translations and routing in place but still it doesn't work.


I have also enabled "same-security-traffic permit inter-interface" and "same-security-traffic permit intra-interface". Is there any inherent limitation in the ASA 5540 for this?


Thanks a lot

Gautam



gautamzone Fri, 09/07/2007 - 14:21

Just wanted to add that syslog reports the following message for communication between the two DMZs:


%ASA-6-110001: No route to 10.0.3.10 from 10.1.20.2


Thanks a lot


acomiskey Fri, 09/07/2007 - 14:38

Could you please post the relevant parts of the config?

gautamzone Fri, 09/07/2007 - 15:21

Sure, the configs are as follows:


no nat-control

interface GigabitEthernet1/0
 nameif SA
 security-level 30
 ip address 10.0.3.1 255.255.255.0

interface GigabitEthernet1/2
 nameif WAN
 security-level 100
 ip address 10.0.4.1 255.255.255.0

static (WAN,SA) 10.1.20.0 10.1.20.0 netmask 255.255.255.0

access-list SA extended permit ip any any
access-list WAN extended permit ip any any
access-list WAN extended permit icmp any any

access-group SA in interface SA
access-group WAN in interface WAN

Output of show route WAN on ASA
--------------------------------
O IA 10.1.20.0 255.255.255.0 [110/11123] via 10.0.4.3, 0:47:31, WAN

Output of show route SA on ASA
-------------------------------
C 10.0.3.0 255.255.255.0 is directly connected, SA

Output of show run router
-------------------------
router ospf 100
 network 10.0.3.0 255.255.255.0 area 20
 network 10.0.4.0 255.255.255.0 area 20
 network 10.0.5.0 255.255.255.0 area 20

The routers 10.0.4.3 and 10.1.20.1 have OSPF advertised routes for 10.0.3.0.


Note: An interesting thing is that when I turn on a capture for packets from 10.1.20.2 towards 10.0.3.10, I see echo requests being sent through but no echo replies from 10.0.3.10. Also, if I ping the other way (10.0.3.10 --> 10.1.20.2), I see echo requests being sent and echo replies being received too, but the firewall seems to drop them.



a.alekseev Sat, 09/08/2007 - 00:18

Do you use "nat-control" or "no nat-control"?

a.alekseev Sun, 09/09/2007 - 04:29

So you don't need the static.

But another static entry in your config can break communication between two interfaces with the same security level.
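For reference, the following is a minimal configuration of the kind the reply above points at: two DMZ interfaces at the same security level, inter-interface traffic permitted, nat-control off, and no static identity translations between the two DMZs, followed by the commands used to confirm the path. This is an added illustration and was not posted by anyone in this thread; the interface names (dmz1, dmz2), addresses, security level and ACL names are assumed, and the verification commands assume ASA software 7.2 or later, where packet-tracer is available.

```cisco
! Two DMZ segments at the same security level (names and addresses assumed)
interface GigabitEthernet0/2
 nameif dmz1
 security-level 50
 ip address 10.0.3.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif dmz2
 security-level 50
 ip address 10.0.5.1 255.255.255.0
!
! Required for traffic between interfaces that share a security level
same-security-traffic permit inter-interface
!
! With nat-control off, dmz1<->dmz2 traffic needs no translation, so no
! static (dmz1,dmz2) or static (dmz2,dmz1) identity entries are configured.
! A static whose translated range covers the other DMZ's subnet ties that
! traffic to the interface named in the static, which is the kind of
! conflict that produces "%ASA-6-110001: No route to ..." in the syslog.
no nat-control
!
! Explicit ACLs rather than "permit ip any any" (assumed example policy)
access-list dmz1_in extended permit ip 10.0.3.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list dmz2_in extended permit ip 10.0.5.0 255.255.255.0 10.0.3.0 255.255.255.0
access-group dmz1_in in interface dmz1
access-group dmz2_in in interface dmz2
!
! Verification (run from enable mode):
!  show running-config static   - list every static; remove any that overlaps the peer DMZ subnet
!  show route dmz2              - confirm 10.0.5.0/24 is reachable via dmz2, not via another interface
!  packet-tracer input dmz1 icmp 10.0.3.10 8 0 10.0.5.10 detailed
!                               - shows the egress interface, NAT and ACL phases, and the drop reason if any
```

The packet-tracer output is the quickest check: the NAT and route phases report which interface the ASA chose for the destination, and when a leftover static and the routing table disagree, the trace shows that disagreement directly instead of leaving only the 110001 message to go on.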
