DMZ cannot ping to inside and Inside cannot ping to DMZ?

Jun 27th, 2010

Dear All,

Please help me solve a problem: I have an ASA 5510 and a Cisco 3560 switch.

On the ASA 5510, interface e0/0 is outside, e0/1 inside, e0/2 VPN and e0/3 DMZ.

My problem is that the DMZ cannot access inside and inside cannot access the DMZ.

Let me show the commands that I used last time:


ASA:

interface Ethernet0/3
nameif DMZ
security-level 60
ip address 10.3.3.1 255.255.255.0

nat (DMZ) 1 0.0.0.0 0.0.0.0

access-list Inside_Outside extended permit icmp any any

access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any

access-group Inside_Outside in interface inside
access-group DMZ_access_in in interface DMZ

route inside 10.2.2.0 255.255.255.0 192.168.1.2 1

Core switch 3560:

ip route 10.3.3.0 255.255.255.0 192.168.1.1



Note: the DMZ PC can access the internet but it cannot access inside!!!


Best regards,

Rechard

Jennifer Halim (Cisco Employee) Mon, 06/28/2010 - 00:05

Assuming that your inside network is 10.2.2.0/24 and 192.168.1.0/24, you would need to configure the following for inside to access DMZ and vice versa:


static (inside,DMZ) 10.2.2.0 10.2.2.0 netmask 255.255.255.0
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0


If you are testing by ping, please also make sure that you have "inspect icmp" configured on the global_policy policy map.


Hope that helps.

rechard_hk Mon, 06/28/2010 - 00:16

Dear halijenn,

Thanks for your help!!!

static (inside,DMZ) 10.2.2.0 10.2.2.0 netmask 255.255.255.0
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

On the commands you gave me, does that mean we allow all ports from DMZ to inside, right?

So next time, when I want to specify a port, I will change this configuration, right?

Could you let me know why you use the static command that way?

Some configurations I saw look like this:

static (inside,DMZ) 10.3.3.0 10.2.2.0 netmask 255.255.255.0

Note: 10.3.3.0 is the server DMZ
      10.2.2.0 is the server inside.


Best regards,
Rechard

Jennifer Halim (Cisco Employee) Mon, 06/28/2010 - 00:28

No, the configuration will not be changed, as that is just the NAT (translation) portion of the configuration.

If you would like to restrict traffic from DMZ towards inside, you would create an ACL to either permit or deny the traffic on specific ports, and apply it to the DMZ interface with the access-group command.

If you would like to restrict traffic from inside towards DMZ, then you would add an ACL to either permit or deny traffic and apply it to the inside interface.

This configuration line is incorrect:

static (inside,DMZ) 10.3.3.0 10.2.2.0 netmask 255.255.255.0

--> That basically means translating the 10.2.2.0/24 subnet to the 10.3.3.0/24 subnet, which is not what you are trying to achieve. You cannot translate a real IP address to another real IP address. Since both 10.3.3.0/24 and 10.2.2.0/24 are real IP subnets applied to the hosts on DMZ and inside respectively, the command is incorrect.

You can translate the inside subnet to a spare unique subnet if you like, and also translate the DMZ subnet to a spare unique subnet; however, you can't translate the inside subnet to the DMZ subnet and vice versa.

Hope that answers your question.
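The three mistakes discussed in this thread (a static that translates one real subnet into another real subnet, an access-group that is misspelled or binds an ACL that does not exist, and a missing "inspect icmp" in global_policy) are all things a config review can catch before the change is pushed. The script below is an added example written for this page; it is not the thread's configuration and not a Cisco tool. It assumes the ASA 8.2-style syntax used in the thread, where a static line reads static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask, and it runs against a constructed sample config that folds the thread's defects in on purpose:

```python
import ipaddress
import re
from typing import List, Tuple

Net = ipaddress.IPv4Network

# Constructed sample (not the thread's config verbatim) in the ASA 8.2 syntax
# used in the thread, with four defects folded in on purpose: a real-to-real
# static, a misspelled access-group, an access-group for an undefined ACL, and
# no "inspect icmp" under global_policy.
SAMPLE_CONFIG = """
interface Ethernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/3
 nameif DMZ
 ip address 10.3.3.1 255.255.255.0
route inside 10.2.2.0 255.255.255.0 192.168.1.2 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
static (inside,DMZ) 10.2.2.0 10.2.2.0 netmask 255.255.255.0
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,DMZ) 10.3.3.0 10.2.2.0 netmask 255.255.255.0
access-list DMZtoinside extended permit tcp host 10.3.3.10 host 10.2.2.10 eq 1443
access-grops DMZtoinside in interface DMZ
access-group insidetoDMZ in interface inside
policy-map global_policy
 class inspection_default
  inspect dns
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask   (ASA 8.2 form)
STATIC_RE = re.compile(r"^static\s*\([^)]*\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")


def real_subnets(config: str) -> List[Tuple[str, Net]]:
    """Subnets the ASA treats as real: connected interface subnets plus static routes."""
    found, nameif = [], None
    for parts in (line.split() for line in config.splitlines()):
        if not parts:
            continue
        if parts[0] == "interface":
            nameif = None
        elif parts[0] == "nameif":
            nameif = parts[1]
        elif parts[:2] == ["ip", "address"] and nameif:
            found.append((nameif, Net(f"{parts[2]}/{parts[3]}", strict=False)))
        elif parts[0] == "route":
            net = Net(f"{parts[2]}/{parts[3]}", strict=False)
            if net.prefixlen > 0:  # a default route says nothing about real addresses
                found.append((f"{parts[1]} (via route)", net))
    return found


def check_statics(config: str, subnets: List[Tuple[str, Net]]) -> List[str]:
    """Identity NAT is fine; a mapped subnet that is itself real somewhere is not."""
    findings = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        mapped, real = (Net(f"{ip}/{m[3]}", strict=False) for ip in (m[1], m[2]))
        if mapped == real:
            continue  # identity NAT: addresses unchanged, the form recommended in the thread
        for name, net in subnets:
            if mapped.overlaps(net):
                findings.append(f"static translates {real} to {mapped}, but {mapped} is "
                                f"a real subnet on {name}: real-to-real translation")
    return findings


def check_access_groups(config: str) -> List[str]:
    """Every access-group must be spelled correctly and name an ACL that exists."""
    defined, bindings, findings = set(), [], []
    for parts in (line.split() for line in config.splitlines()):
        if not parts:
            continue
        if parts[0] == "access-list":
            defined.add(parts[1])
        elif parts[0] == "access-group":
            bindings.append((parts[1], parts[4]))
        elif parts[0].startswith("access-gr"):
            findings.append(f"unknown command {parts[0]!r}: the ASA will reject this line")
    findings += [f"access-group binds {acl} to {ifc}, but no access-list {acl} is defined"
                 for acl, ifc in bindings if acl not in defined]
    return findings


def check_icmp_inspection(config: str) -> List[str]:
    """Without inspect icmp, echo replies are not tracked and need their own ACL permits."""
    in_global = False
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("policy-map "):
            in_global = line == "policy-map global_policy"
        elif in_global and line == "inspect icmp":
            return []
    return ["no 'inspect icmp' under policy-map global_policy: ping replies are not "
            "tracked statefully, so pings across interfaces may fail"]


def audit(config: str) -> List[str]:
    return (check_statics(config, real_subnets(config))
            + check_access_groups(config)
            + check_icmp_inspection(config))


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("finding:", finding)
```

Run it on a "show running-config" capture instead of SAMPLE_CONFIG to get the same four classes of finding; the identity statics from the thread pass silently because mapped and real are equal, while the 10.3.3.0/10.2.2.0 line is reported as a real-to-real translation exactly as explained above.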

rechard_hk Mon, 06/28/2010 - 01:09

Dear Halijenn,

Thank you very much for your help!!!

I would like you to confirm the commands I did as below, since I want to specify ports:

static (inside,DMZ) 10.2.2.0 10.2.2.0 netmask 255.255.255.0
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

access-list DMZtoinside extended permit tcp host 10.3.3.10 host 10.2.2.10 eq 1443
access-list DMZtoinside extended permit tcp host 10.3.3.10 host 10.2.2.10 eq 1443

access-list insidetoDMZ extended permit ip 10.2.2.0 255.255.255.0 any

access-group DMZtoinside in interface dmz
access-group insidetoDMZ in interface inside

Are the commands above correct?

If not, please kindly correct me!!!!


Best regards,
Rechard

Correct Answer
Jennifer Halim (Cisco Employee) Mon, 06/28/2010 - 01:12

Yes, that looks absolutely correct to me.
