ASA: can't ping from inside to outside

Unanswered Question
Jun 16th, 2010

Hi,

My problem is that I can't ping from the inside to zones with a lower security level, such as the DMZ and outside.

From what I know, it should do that without an access-list (same thing with the DMZ).

I can ping from outside to the DMZ and inside (I can't ping the real addresses, just the NATed ones).

I also want to know how to test whether the outside can get to DNS and SMTP, but I don't know how

(I don't know much about protocols).

My scheme is like this:

                         outside 212.217.1.0/24
                              |
                              | .1
inside ______________.1_ ASA _.1______________ dmz
192.168.1.0/24                          10.10.10.10/24

My config is like this:

hostname ciscoasa
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address 212.217.1.1 255.255.255.0
!
access-list INBOUND extended permit tcp any host 10.10.10.20 eq domain
access-list INBOUND extended permit tcp any host 10.10.10.30 eq smtp
access-list INBOUND extended permit icmp any any echo
access-list INBOUND extended permit icmp any any echo-reply
access-list INBOUND extended permit icmp any any time-exceeded
access-list INBOUND extended deny ip any any
access-list DMZ extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ extended permit ip 10.10.10.0 255.255.255.0 212.217.1.0 255.255.255.0
access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 212.217.1.0 255.255.255.0
access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-group INSIDE in interface inside
access-group DMZ in interface dmz
access-group INBOUND in interface outside
global (dmz) 1 10.10.10.40-10.10.10.60 netmask 255.255.255.0
global (outside) 1 212.217.1.40-212.217.1.60 netmask 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 10.10.10.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 212.217.1.1 1

andrew.prince@m... Wed, 06/16/2010 - 07:13

You need an ACL on the outside to allow the return ICMP to enter the outside interface towards the inside interface.

Something like:

access-list acl-outside-in extended permit icmp any any echo-reply

access-list acl-outside-in extended permit icmp any any time-exceeded

HTH>

salwayasalam Wed, 06/16/2010 - 07:34

Hi Andrew Prince,

Thanks for responding. I've already configured an ACL like that and applied it to the outside:

access-list INBOUND extended permit icmp any any echo-reply

access-list INBOUND extended permit icmp any any time-exceeded

But as far as I know, the inside should be able to ping without a problem, whereas the areas with a lower security level (DMZ at 50 and outside at 0) can't, so I have to use an access-list to allow them to do that.

andrew.prince@m... Wed, 06/16/2010 - 07:40

The security-level rules are:

1) A higher security interface CAN communicate without an ACL with a lower security interface

2) A lower security interface CANNOT communicate with a higher security interface WITHOUT an ACL.

So

Inside - 100

DMZ - 50

Outside - 0

The inside will be able to communicate with the DMZ and Outside with "Stateful" traffic.

If traffic ORIGINATED from the outside or DMZ tries to communicate with the inside, it will fail unless there is an ACL to allow it.

ICMP is NOT stateful.

HTH>
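An added example, not from Andrew's reply and not part of the poster's config, to show the one qualification a practitioner would put on "ICMP is NOT stateful": the ASA tracks ICMP statefully only when inspect icmp is enabled in the service policy. Without it, Andrew's point stands and the echo-reply must be permitted by the access-group on the outside interface. The block enables the inspection and then uses packet-tracer to walk a request and its reply through the box. The host addresses 192.168.1.10 (inside) and 212.217.1.254 (outside) are assumptions. One caveat visible in the posted config: once an access-group is applied to the inside interface, the higher-to-lower default no longer decides what leaves that interface; the INSIDE list does, and it permits only destinations in 212.217.1.0/24 and 10.10.10.0/24, so a ping from the inside to any other outside address is dropped by the implicit deny at the end of that list.

```cisco
! Added example, not from the thread. Assumed addresses: 192.168.1.10 is an inside host,
! 212.217.1.254 is a host on the outside subnet. Syntax matches the posted 8.2-style config.

! 1. Make ICMP stateful. With inspect icmp in the global policy the ASA opens a
!    connection for each echo request and lets only the matching echo-reply back in,
!    so the outside access-group no longer needs "permit icmp any any echo-reply".
!    inspect icmp error additionally lets ICMP errors (time-exceeded, unreachable)
!    that refer to an existing connection come back.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global

! 2. Walk an inside-to-outside echo request (type 8, code 0) through the box. The
!    output lists each phase (route lookup, access-list, NAT, inspection) and ends
!    with "Action: allow" or "Action: drop" plus a Drop-reason.
packet-tracer input inside icmp 192.168.1.10 8 0 212.217.1.254 detailed

! 3. After a real ping from 192.168.1.10, look up the dynamic translation it created
!    (an address from the 212.217.1.40-60 pool) and walk the echo-reply (type 0)
!    back in against that mapped address. Replace 212.217.1.40 with the mapped
!    address shown by show xlate.
show xlate
packet-tracer input outside icmp 212.217.1.254 0 0 212.217.1.40

! 4. The connection table and the buffered log show what happened to the real packets.
show conn
logging enable
logging buffered informational
show logging | include 192.168.1.10
```

The default route in the posted config also deserves a look before blaming the ACLs: its next hop, 212.217.1.1, is the ASA's own outside interface address. The next hop has to be the upstream router's address on 212.217.1.0/24; with the route as posted, nothing beyond that directly connected subnet is reachable from any interface.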

salwayasalam Wed, 06/16/2010 - 08:17
Andrew Prince

The inside will be able to communicate with the DMZ and Outside with "Stateful" traffic.

But mine cannot communicate with either of them, and I don't know why.

andrew.prince@m... Wed, 06/16/2010 - 08:38

From a host on the inside network - are you trying to actually ping the outside interface IP address or a device on the outside? Same question for the DMZ interface?

salwayasalam Wed, 06/16/2010 - 08:45

I am trying to ping both, but nothing. I've tried to ping both interfaces of the ASA (DMZ, outside) but got no response, so I thought maybe they're not allowed to do that, so I tried to ping a device on the outside.

(same for the DMZ)

andrew.prince@m... Wed, 06/16/2010 - 08:51

You will not be able to ping the Outside interface IP from a host on the inside or DMZ

You will not be able to ping the DMZ interface IP from a host on the inside or outside

You will not be able to ping the Inside interface IP from a host on the Outside or DMZ

Interfaces will not respond to ICMP from hosts connected to, or routed via, other interfaces.

Hope this clears things up; there is nothing wrong with your config.

HTH>
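An added example, not part of Andrew's reply, for the to-the-box side of the question: ICMP addressed to the ASA's own interface addresses is governed by the icmp command, not by the access-groups (which only apply to traffic going through the box), and the ASA's own ping command, with the egress interface named, is the way to test a device behind another interface from the firewall itself. As Andrew states, these rules only matter for the interface a host is directly behind; a far-side interface address is not answered regardless of what is configured here. The outside host 212.217.1.254 is an assumption; 10.10.10.20 is the DNS host from the posted config.

```cisco
! Added example, not from the thread. The icmp command controls ICMP that terminates on
! the ASA's own interface addresses. Once any icmp rule exists for an interface, anything
! not explicitly permitted on that interface is denied (implicit deny at the end), so no
! explicit deny lines are needed. Cisco recommends always permitting type 3 (unreachable)
! so that path MTU discovery keeps working.

! Inside hosts may ping the inside interface address; nothing else may.
icmp permit 192.168.1.0 255.255.255.0 echo inside
icmp permit any unreachable inside

! DMZ hosts may ping the DMZ interface address; nothing else may.
icmp permit 10.10.10.0 255.255.255.0 echo dmz
icmp permit any unreachable dmz

! No echo is permitted on the outside, so Internet hosts cannot ping the public address.
! echo-reply is permitted so that answers to pings sourced from the ASA itself are not
! caught by the implicit deny on this interface.
icmp permit any echo-reply outside
icmp permit any unreachable outside

! To test a device behind another interface, ping from the ASA and name the egress
! interface. This traffic is sourced by the ASA: it is not NATed and is not filtered by
! the access-groups, so it separates routing and host reachability from ACL problems.
! 212.217.1.254 is an assumed outside host; 10.10.10.20 is the DNS host in the posted config.
ping outside 212.217.1.254
ping dmz 10.10.10.20

! Review the to-the-box ICMP rules in force.
show running-config icmp
```

If ping from the ASA to a far-side device works but ping from a host behind the ASA does not, the problem is in the through-the-box path (access-group, NAT or inspection) rather than in routing, which narrows the search considerably.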

salwayasalam Thu, 06/17/2010 - 01:13

Hi Andrew Prince,

Thanks for the information, it was very helpful. I'll find the problem, and when I solve it I'll tell you what it was.

Thanks a 10000.

Have a nice day.

salwayasalam Wed, 06/23/2010 - 01:51

Hi again,

I was trying to test my ACL, especially the one allowing web to the outside zone

(access-list INBOUND extended permit tcp any host 10.10.10.40 eq 80)

So I installed the Apache server on my computer; I can access it from this computer but not from the others on the local network, and thus not from the outside either.

And I didn't know what to do; I even tried to add an ACL allowing web to the local computers, but no use.

PS: I tried it with another router (not an ASA) and it works locally, so I think I don't have to reconfigure httpd.
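An added example for the two testing questions in this thread (reaching DNS and SMTP from the outside in the original post, and the web ACL in the post above); it is not the poster's config and not from any reply. Two things in the posted config matter here. It uses the pre-8.3 nat/global syntax, and on that syntax an ACL applied to the outside interface is matched against the mapped (public) address, not the real DMZ address the posted INBOUND entries name. It also has no static translation for 10.10.10.20 or 10.10.10.30, so an outside host has no address at which to reach them: the dynamic global pools only serve connections started from the inside or DMZ. The mapped addresses 212.217.1.20, 212.217.1.30 and 212.217.1.25, a web server assumed at 10.10.10.25 (outside the 10.10.10.40-60 dynamic pool that the posted rule's 10.10.10.40 falls into) and the client address 203.0.113.9 are all assumptions.

```cisco
! Added example, not from the thread. Mapped addresses 212.217.1.20, 212.217.1.30 and
! 212.217.1.25, the web server's real address 10.10.10.25 and the client 203.0.113.9 are
! assumptions; 10.10.10.20 (DNS) and 10.10.10.30 (SMTP) are from the posted config.
! Pre-8.3 nat/global syntax as in the posted config, so the outside ACL names the
! mapped address, not the real one.

! One-to-one translations: without these an outside host has no address at which to
! reach the DMZ servers (the dynamic global pools only serve connections started inside).
static (dmz,outside) 212.217.1.20 10.10.10.20 netmask 255.255.255.255
static (dmz,outside) 212.217.1.30 10.10.10.30 netmask 255.255.255.255
static (dmz,outside) 212.217.1.25 10.10.10.25 netmask 255.255.255.255

! Inbound rules against the mapped addresses. The posted INBOUND list ends with
! "deny ip any any", so new entries are inserted with "line N" to land above that
! deny; a plain append would place them after it, where they can never match.
! DNS needs UDP/53 as well as TCP/53 (the posted rule allows TCP only).
access-list INBOUND line 1 extended permit udp any host 212.217.1.20 eq domain
access-list INBOUND line 2 extended permit tcp any host 212.217.1.20 eq domain
access-list INBOUND line 3 extended permit tcp any host 212.217.1.30 eq smtp
access-list INBOUND line 4 extended permit tcp any host 212.217.1.25 eq www
access-group INBOUND in interface outside

! Simulate one connection per service from an outside client. Each trace ends with
! "Action: allow" or "Action: drop" and names the phase (ACCESS-LIST, NAT, ROUTE-LOOKUP)
! that decided, which answers the question without needing an external test host.
packet-tracer input outside udp 203.0.113.9 40000 212.217.1.20 53
packet-tracer input outside tcp 203.0.113.9 40000 212.217.1.30 25
packet-tracer input outside tcp 203.0.113.9 40000 212.217.1.25 80 detailed

! After real test traffic: hit counts per ACL entry, the static translations, and the
! connections currently open through the box.
show access-list INBOUND
show xlate
show conn
```

From a real host on the outside the same checks are a dig query against 212.217.1.20, a telnet to port 25 of 212.217.1.30 (the SMTP banner should appear) and a browser request to 212.217.1.25; the hit counters in show access-list INBOUND then confirm which entry each connection matched. Testing the web server from another machine on the same inside LAN, as the post above describes, never touches the ASA at all, so a failure there is on the host, the proxy or the switch, not in the firewall rules.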

John Blakley Wed, 06/23/2010 - 07:18

Like Andrew said, you can't ping a far-side interface on an ASA. It will fail every time (inside->dmz, inside->outside). We're talking about the actual interface on the ASA, not what's on the other side. If your config is working, you WILL be able to ping from the inside to a host IN the DMZ, but not the DMZ interface itself.

John

salwayasalam Fri, 06/25/2010 - 00:41
I didn't talk about pinging any interface.
I was asking about Apache, a web server, to test my config (ACL). I couldn't get to it locally (I could only from my own computer), so I found out that it was the proxy that was holding me up.
Have a nice day.
