Routing issue from DMZ to internal network

Unanswered Question
Jan 23rd, 2009

This is a bit complicated so let me layout my setup first. I have a 5510 ASA for my firewall. On it I have the following interfaces configured:

Outside - x.x.x.x

Inside -

DMZ1 -

This is a list of my routes:

Gateway of last resort is x.x.x.x to network

S [1/0] via, Inside

C x.x.x.x y.y.y.y is directly connected, Outside

C is directly connected, cplane

S [1/0] via, Inside

S [1/0] via, Inside

C is directly connected, DMZ1

S [1/0] via, Inside

S [1/0] via, Inside

S* [1/0] via, Outside

C is directly connected, Inside

S [1/0] via, Inside is my LAN gateway router (Cisco 2811) and these are its directly connected networks:

C is directly connected, Loopback0

C is directly connected, FastEthernet0/1

C is directly connected, FastEthernet0/0

I'm trying to get traffic to pass from my DMZ (specifically to which is a directly connected network on my GW router. Access-lists are correct and increment on the expected lines when I try to pass traffic. What I believe is happening is that when tries to ping the ASA is passing the traffic out the Outside interface into the world instead of routing it through to my GW router as defined in the ASA static routes.

I don't have a problem with accessing any of the resources that reside in other networks that are defined by the static routes. During one test I did get the following alert from my Cisco MARS device that provided some insight to the fact that the ASA is routing the traffic out the default route instead of the static route.

"No ARP for host. Routing failed to locate next hop for icmp from NP Identity Ifc: to DMZ1:"

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
qbakies11 Fri, 01/23/2009 - 14:21

Yes, I pass a ton of traffic from all my internal networks to the DMZ. This new network ( is the only one I'm having an issue with. I can ping from the CLI of the ASA itself so I know the traffic can route there successfully.

Jon Marshall Fri, 01/23/2009 - 14:31


You need to confirm that traffic is going where you think it is going ie. to the outside interface instead of the inside.

access-list to_inside permit ip

access-list to_inside permit ip any any

access-list to_inside out interface inside

Apply this outbound on the inside interface. Then when you ping from the DMZ if the ASA is routing correctly you will see a hitcnt on the first line in the above acl if the ASA is sending it via the inside interface.


qbakies11 Mon, 01/26/2009 - 08:24

Thanks for all the help on this but I figured out my problem. I didn't add a static NAT for access to the DMZ from the network. This statement fixed my problem:

static (Inside,DMZ1) netmask


This Discussion