can't get from dmz to inside interface

Unanswered Question
Sep 28th, 2010
I've got an ASA5510 with inside, outside and DMZ interfaces.


I'm trying to ping from the DMZ to the inside interface but I can't. (Nothing else is communicating from the DMZ to the inside either, but I figured this would be the easiest thing to test.)



dmz interface 10.10.8.1 /24, security level 50

inside interface 10.10.4.1 /24, security level 100


I have a no-NAT ACL which keeps the interfaces from getting NATed:

access-list inside_nat0_outbound extended permit ip 10.10.8.0 255.255.255.0 10.10.4.0 255.255.255.0


but when I ping:

ping dmz 10.10.4.1

?????


Am I missing something obvious? I thought I'd only need the no-NAT entry.

Federico Coto F... Tue, 09/28/2010 - 14:01

Gregory,


You cannot PING an interface on the ASA if you're not on that same interface.

In other words...

From the inside you can only PING the inside interface.

From the outside you can only PING the outside interface, and so on...


Now, you should be able to PING from a DMZ device to an inside device for example.

Since the DMZ has a security level of 50 and the inside of 100, you need a STATIC NAT and an ACL.


static (inside,DMZ) 10.10.4.0 10.10.4.0 netmask 255.255.255.0

access-list DMZ permit ip 10.10.8.0 255.255.255.0 10.10.4.0 255.255.255.0

access-group DMZ in interface DMZ


Federico.
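A small Python model of the three rules in the answer above, as an added example that is not code from the thread, from Cisco or from the ASA itself: an interface IP answers only hosts on its own segment, an inbound ACL is evaluated top-down with an implicit deny at the end, and with no ACL applied only higher-to-lower security level traffic passes. It takes the interface addresses and security levels from the question and the DMZ access-list line from the answer as constructed input. NAT is not modelled; the static identity NAT from the answer is assumed to be in place so addresses pass unchanged. The names `parse_acl`, `iface_for` and `decide` are hypothetical names chosen for this illustration.

```python
"""Simplified model of how an ASA decides DMZ -> inside traffic (added example,
not ASA code). Assumptions: interface table and ACL constructed from the thread;
identity NAT assumed, so addresses are unchanged and NAT is not modelled."""
import ipaddress
from dataclasses import dataclass

# Interface table constructed from the question: name -> (interface IP, security level).
INTERFACES = {
    "inside": (ipaddress.ip_interface("10.10.4.1/24"), 100),
    "dmz": (ipaddress.ip_interface("10.10.8.1/24"), 50),
}


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Return (network, next_index) for 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # ASA ACLs use a subnet mask (not a wildcard mask); strict=False tolerates host bits.
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(lines):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST' lines into ACEs."""
    acl = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            raise ValueError(f"not an access-list line: {line!r}")
        i = 3 if t[2] == "extended" else 2
        action, proto = t[i], t[i + 1]
        src, i = _parse_addr(t, i + 2)
        dst, _ = _parse_addr(t, i)
        acl.append(Ace(action, proto, src, dst))
    return acl


def iface_for(ip):
    """Name of the directly connected interface for an address, or None."""
    for name, (addr, _level) in INTERFACES.items():
        if ip in addr.network:
            return name
    return None


def decide(src, dst, proto, acls_by_iface):
    """Verdict for a flow entering the ASA from src towards dst.

    acls_by_iface maps an ingress interface name to the ACL applied inbound on it.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_iface = iface_for(src_ip)
    if src_iface is None:
        return "deny: unknown source segment"
    # Rule 1: an ASA interface address only answers hosts on that same interface.
    for name, (addr, _level) in INTERFACES.items():
        if dst_ip == addr.ip:
            if name == src_iface:
                return "answered by ASA"
            return "dropped: interface IP is reachable only from its own segment"
    dst_iface = iface_for(dst_ip)
    if dst_iface is None:
        return "deny: no route modelled"
    acl = acls_by_iface.get(src_iface)
    if acl is None:
        # Rule 3: with no ACL, only higher -> lower security level traffic is allowed.
        higher = INTERFACES[src_iface][1] > INTERFACES[dst_iface][1]
        return "permit" if higher else "deny: lower to higher security with no ACL"
    # Rule 2: first matching ACE wins; nothing matching means the implicit deny.
    for ace in acl:
        if ace.proto in ("ip", proto) and src_ip in ace.src and dst_ip in ace.dst:
            return ace.action
    return "deny: implicit deny at end of ACL"


# Constructed input: the ACL from the answer, applied inbound on the DMZ interface.
DMZ_ACL = parse_acl([
    "access-list DMZ permit ip 10.10.8.0 255.255.255.0 10.10.4.0 255.255.255.0",
])

if __name__ == "__main__":
    for s, d in [("10.10.8.5", "10.10.4.1"), ("10.10.8.5", "10.10.4.10")]:
        print(s, "->", d, "| no ACL:", decide(s, d, "icmp", {}))
        print(s, "->", d, "| DMZ ACL:", decide(s, d, "icmp", {"dmz": DMZ_ACL}))
```

Running it shows why the original test was misleading: the ping to 10.10.4.1 from a DMZ host is dropped whether or not the ACL exists, while a ping to a host such as 10.10.4.10 is denied without the ACL and permitted once the DMZ access-list is applied inbound.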
