can't get from dmz to inside interface

Sep 28th, 2010

I've got an ASA5510 with inside, outside and dmz interfaces.

I'm trying to ping from the dmz to the inside interface but I can't. (Nothing else is communicating from the DMZ to the inside either, but I figured this would be the easiest thing to test.)

dmz interface /24

security level 50

inside interface /24

security level 100

I have a no-nat ACL which keeps the interfaces from getting natted:

access-list inside_nat0_outbound extended permit ip

but when I ping:

ping dmz


Am I missing something obvious? I thought I'd only need the no-nat entry.

Federico Coto F... Tue, 09/28/2010 - 14:01


You cannot PING an interface on the ASA if you're not on that same interface.

In other words...

From the inside you can only PING the inside interface

From the outside you can only PING the outside interface, and so on...

Now, you should be able to PING from a DMZ device to an inside device, for example.

Since the DMZ has a security level of 50 and the inside of 100, you need a STATIC NAT and an ACL.

static (inside,DMZ) netmask

access-list DMZ permit ip

access-group DMZ in interface DMZ
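
The three commands from the answer written out in full, as an added example that is not part of the original thread. The addresses are constructed (inside 192.168.1.0/24, DMZ 192.168.2.0/24, test hosts at .10) because the thread's own values are not shown; the syntax is the pre-8.3 ASA form the answer uses, and the ACL is narrowed to ICMP echo for the test instead of all IP.

```cisco
! Constructed addressing (assumption, not from the thread):
!   inside 192.168.1.0/24  security-level 100
!   DMZ    192.168.2.0/24  security-level 50
! The interface name must match the nameif configured on the ASA.

! Identity static: inside hosts are reachable from the DMZ under their real addresses
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! Lower-to-higher security traffic needs an explicit permit.
! Allow only echo requests from the DMZ subnet to the inside subnet for this test.
access-list DMZ extended permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 echo
access-group DMZ in interface DMZ

! Verify without a live host: simulate an echo request (type 8, code 0)
! arriving on the DMZ interface from a DMZ host to an inside host.
! The output lists each phase (ACL, NAT, route) and where a drop occurs.
packet-tracer input DMZ icmp 192.168.2.10 8 0 192.168.1.10

! Confirm the ACL entry is taking hits and the translation exists
show access-list DMZ
show xlate
```

Once an ACL is bound to the DMZ interface, its implicit deny replaces the default permit toward lower-security interfaces, so any DMZ-to-outside traffic that is still wanted needs its own entry. Ping a host behind the inside interface for the test, not the ASA's inside interface address.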


