Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
531
Views
0
Helpful
6
Replies

Communication between two DMZ segments

gautamzone
Level 1
Level 1

‎09-07-2007 02:15 PM - edited ‎03-11-2019 04:08 AM

Hi friends,

I have a firewall with inside, outside + 2 DMZ's.

I am able to talk to the DMZ's from inside and outside interfaces but inter-MZ communication or communication between two DMZ's is not working.

I have all the static translations and routing in place but still it doesn't work.

I have also enabled same security traffic permit inter-interface and intra-interface. Is there any inherent limitation in ASA 5540 for this?

Thanks a lot

Gautam

Labels:
0 Helpful
6 Replies 6

gautamzone
Level 1
Level 1

‎09-07-2007 02:21 PM

Just wanted to add that Syslog reports the following message for communication between two DMZ's:

%ASA-6-110001: No route to 10.0.3.10 from 10.1.20.2

Thanks a lot

0 Helpful

acomiskey
Level 10
Level 10
In response to gautamzone

‎09-07-2007 02:38 PM

Could you please post the relevant parts of the config?

0 Helpful

gautamzone
Level 1
Level 1
In response to acomiskey

‎09-07-2007 03:21 PM

Sure, the configs are as follows:

no nat-control

interface GigabitEthernet1/0

nameif SA

security-level 30

ip address 10.0.3.1 255.255.255.0

interface GigabitEthernet1/2

nameif WAN

security-level 100

ip address 10.0.4.1 255.255.255.0

static (WAN,SA) 10.1.20.0 10.1.20.0 netmask 255.255.255.0

access-list SA extended permit ip any any

access-list WAN extended permit ip any any

access-list WAN extended permit icmp any any

access-group SA in interface SA

access-group WAN in interface WAN

Output of show route WAN on ASA

--------------------------------

O IA 10.1.20.0 255.255.255.0 [110/11123] via 10.0.4.3, 0:47:31, WAN

Output of show route SA on ASA

-------------------------------

C 10.0.3.0 255.255.255.0 is directly connected, SA

Output of show run router

-------------------------

router ospf 100

network 10.0.3.0 255.255.255.0 area 20

network 10.0.4.0 255.255.255.0 area 20

network 10.0.5.0 255.255.255.0 area 20

The routers 10.0.4.3 and 10.1.20.1 have OSPF advertised routes for 10.0.3.0.

Note: An interesting thing is that when i turn on capture for packets from 10.1.20.2 towards 10.0.3.10, i am seeing echo requests being sent thru but no echo replies from 10.0.3.10!!!. Also, if i ping the other way (10.0.3.10-->10.1.20.2), i am seeing echo requests being sent and echo replies being received too but firewall seems to drop them!!!

0 Helpful

a.alekseev
Level 7
Level 7

‎09-08-2007 12:18 AM

Do you use "nat-control" or "no nat-control"?

0 Helpful

gautamzone
Level 1
Level 1
In response to a.alekseev

‎09-08-2007 11:34 AM

Hi,

I use no nat-control now.

Thanks

0 Helpful

a.alekseev
Level 7
Level 7
In response to gautamzone

‎09-09-2007 04:29 AM

So you needn't have static.

But another static entry in you config can break communication between two interfaces with the same security level.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card