DMZ cannot ping to inside and Inside cannot ping to DMZ?

rechard_hk
Level 1

Dear All,

Please help me solve a problem: I have an ASA 5510 and a Cisco 3560 switch.

On the ASA 5510, interface e0/0 is outside, e0/1 inside, e0/2 VPN and e0/3 DMZ.

My problem is that the DMZ cannot access inside and inside cannot access the DMZ.

Let me show the commands I entered last time:

ASA:

interface Ethernet0/3
 nameif DMZ
 security-level 60
 ip address 10.3.3.1 255.255.255.0

nat (DMZ) 1 0.0.0.0 0.0.0.0

access-list Inside_Outside extended permit icmp any any
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any

access-group Inside_Outside in interface inside
access-group DMZ_access_in in interface DMZ

route inside 10.2.2.0 255.255.255.0 192.168.1.2 1

Core-switch 3560:

ip route 10.3.3.0 255.255.255.0 192.168.1.1

Note: the PC in the DMZ can access the internet, but it cannot access inside!!!

Best regards,

Rechard


Jennifer Halim
Cisco Employee

Assuming that your inside network is 10.2.2.0/24 and 192.168.1.0/24, you would need to configure the following for inside to access DMZ and vice versa:

static (inside,DMZ) 10.2.2.0 10.2.2.0 netmask 255.255.255.0
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

If you are testing by ping, please also make sure that you have "inspect icmp" configured on the global_policy policy map.

Hope that helps.

Dear halijenn,

Thanks for your help!!!

static (inside,DMZ) 10.2.2.0 10.2.2.0 netmask 255.255.255.0
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

The commands you gave me mean that we allow all ports from the DMZ to inside, right?

So next time, when I want to specify ports, I will change this configuration, right?

Could you let me know why you use the static command as below?

Some configuration I saw looks like this:

static ( inside,DMZ) 10.3.3.0 10.2.2.0 netmask 255.255.255.0

Note: 10.3.3.0 is the DMZ server network,
         10.2.2.0 is the inside server network.

Best regards,
Rechard

No, configuration will not be changed, as that is just the NAT (translation) portion of the configuration.

If you would like to restrict traffic from the DMZ towards inside, you would create an ACL to either permit or deny the traffic on specific ports, and apply it to the DMZ interface with the access-group command.

If you would like to restrict traffic from inside towards the DMZ, then you would add an ACL to either permit or deny traffic and apply it to the inside interface.

This configuration line is incorrect:

static ( inside,DMZ) 10.3.3.0 10.2.2.0 netmask 255.255.255.0

--> that basically means translating the 10.2.2.0/24 subnet to the 10.3.3.0/24 subnet, which is not what you are trying to achieve. You cannot translate a real IP address to another real IP address. Since both 10.3.3.0/24 and 10.2.2.0/24 are real IP subnets applied to the hosts on the DMZ and inside respectively, the command is incorrect.

You can translate the inside subnet to a spare unique subnet if you like, and also translate the DMZ subnet to a spare unique subnet; however, you cannot translate the inside subnet to the DMZ subnet and vice versa.

Hope that answers your question.

Dear Halijenn,

Thank you very much for your help!!!

I would like you to confirm the commands I entered as below, since I want to specify ports:

static (inside,DMZ) 10.2.2.0 10.2.2.0 netmask 255.255.255.0
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

access-list DMZtoinside extended permit tcp host 10.3.3.10 host 10.2.2.10 eq 1443
access-list DMZtoinside extended permit tcp host 10.3.3.10 host 10.2.2.10 eq 1443
access-list insidetoDMZ extended permit ip 10.2.2.0 255.255.255.0 any

access-group DMZtoinside in interface dmz
access-group insidetoDMZ in interface inside

Are the commands above correct?

If not correct, please kindly correct me!!!!

Best regards,
Rechard

Yes, that looks absolutely correct to me.
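The two points made in the replies above (a static that maps one interface's real subnet onto another interface's real subnet cannot work, and an ACL only filters once an access-group line applies it) can be checked mechanically before a config is pasted into the box. The following Python linter is an added example and is not code from this thread or from Cisco; it parses the pre-8.3 ASA syntax used here, where a static line reads `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask`. The interface subnets and the sample config are constructed from the addresses in the thread (including the mistyped `access-grops` keyword from Rechard's draft), and the function names are my own.

```python
import ipaddress
import re

# Constructed sample: real subnets behind each ASA interface, as the thread describes them.
INTERFACE_SUBNETS = {
    "inside": ["10.2.2.0/24", "192.168.1.0/24"],
    "DMZ": ["10.3.3.0/24"],
}

# Constructed sample config: the identity statics from the accepted reply, the static
# the reply calls incorrect, and the ACL lines as first posted (with the typo).
SAMPLE_CONFIG = """
static (inside,DMZ) 10.2.2.0 10.2.2.0 netmask 255.255.255.0
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static ( inside,DMZ) 10.3.3.0 10.2.2.0 netmask 255.255.255.0
access-list DMZtoinside extended permit tcp host 10.3.3.10 host 10.2.2.10 eq 1443
access-list insidetoDMZ extended permit ip 10.2.2.0 255.255.255.0 any
access-grops DMZtoinside in interface dmz
access-group insidetoDMZ in interface inside
"""

# Pre-8.3 ASA syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^static\s*\(\s*(?P<real_if>\w+)\s*,\s*(?P<mapped_if>\w+)\s*\)\s+"
    r"(?P<mapped>[\d.]+)\s+(?P<real>[\d.]+)\s+netmask\s+(?P<mask>[\d.]+)\s*$"
)
ACL_RE = re.compile(r"^access-list\s+(?P<name>\S+)\s+extended\s+(permit|deny)\s+")
GROUP_RE = re.compile(r"^access-group\s+(?P<name>\S+)\s+(in|out)\s+interface\s+(?P<ifc>\S+)\s*$")


def classify_static(line, interface_subnets):
    """Return 'identity', 'translated' or 'conflict: ...' for one static line, None if unparsable."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    real = ipaddress.ip_network(f"{m['real']}/{m['mask']}", strict=False)
    mapped = ipaddress.ip_network(f"{m['mapped']}/{m['mask']}", strict=False)
    if real == mapped:
        return "identity"  # the no-NAT case the accepted reply uses
    # A mapped subnet that is itself a real subnet on some interface cannot work: the
    # firewall would be rewriting real addresses onto other hosts' real addresses.
    for ifc, nets in interface_subnets.items():
        for net in nets:
            if mapped.overlaps(ipaddress.ip_network(net)):
                return f"conflict: mapped {mapped} is the real subnet of interface {ifc}"
    return "translated"  # mapped to a spare subnet, which the reply says is fine


def lint_config(config, interface_subnets):
    """Return a list of (line_number, message) findings; line 0 means whole-config."""
    findings = []
    acl_names, applied = set(), {}
    for lineno, raw in enumerate(config.strip().splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("static"):
            verdict = classify_static(line, interface_subnets)
            if verdict is None:
                findings.append((lineno, "unparsable static"))
            elif verdict.startswith("conflict"):
                findings.append((lineno, verdict))
        elif ACL_RE.match(line):
            acl_names.add(ACL_RE.match(line)["name"])
        elif GROUP_RE.match(line):
            g = GROUP_RE.match(line)
            applied[g["name"]] = g["ifc"].lower()
        else:
            # Anything else (e.g. a mistyped keyword) would be rejected by the ASA parser.
            findings.append((lineno, f"unknown command: {line.split()[0]}"))
    # A defined but unapplied ACL filters nothing; an applied name with no access-list
    # lines refers to an ACL that does not exist.
    for name in sorted(acl_names - set(applied)):
        findings.append((0, f"access-list {name} defined but not applied"))
    for name in sorted(set(applied) - acl_names):
        findings.append((0, f"access-group references undefined access-list {name}"))
    return findings


if __name__ == "__main__":
    for lineno, msg in lint_config(SAMPLE_CONFIG, INTERFACE_SUBNETS):
        print(f"line {lineno}: {msg}")
```

Run against the sample it reports the real-to-real static on line 3, the `access-grops` keyword on line 6, and that `DMZtoinside` is defined but, because of that typo, never applied to the dmz interface; the two identity statics produce no finding, matching the accepted answer.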
