Ping through the Firewall

Unanswered Question

Hi,


I've received my ASA5510 and I'm trying to allow ping through the firewall between DMZ-LAN and LAN-DMZ.


I use:


access-list ICMP_LAN extended permit icmp any any echo
access-list ICMP_LAN extended permit icmp any any echo-reply

access-list ICMP_DMZ extended permit icmp any any echo
access-list ICMP_DMZ extended permit icmp any any echo-reply


I applied the access-list in each interface :


access-group ICMP_LAN in interface LAN

access-group ICMP_DMZ in interface DMZ


But it doesn't work; packet-tracer reports that the packet is dropped by the default ACL, which denies all traffic.


Any Ideas? Thanks

mirober2 Fri, 10/29/2010 - 09:12
User Badges:
  • Cisco Employee,

Hi Thomas,


What version of ASA code are you running? Is there any NAT that should apply to this flow?


Can you post a sanitized copy of the packet tracer output and any syslogs generated when you try to ping?


-Mike

Jitendriya Athavale Fri, 10/29/2010 - 09:15
User Badges:
  • Cisco Employee,

Try the following:


1. Allow inspect in the policy-map.


2. Check if you have any icmp LAN statement.

You can check that in show run, show run icmp, or show run | in icmp.

If you have any, remove it.

Hi,

Sorry to be late for my reply.


I use ASA version 8.2 and ASDM 6.2. I have no ICMP LAN statement.

I've attached the logs from packet-tracer.


Interface LAN : 172.16.1.254

PC LAN : 172.16.1.1/16


Interface DMZ : 10.1.1.1

Private Interface for DMZ server : 10.1.1.2

PC DMZ : 194.x.x.x/29 (public IP)


Static NAT is enabled to translate:

10.1.1.2 --> 194.x.x.x.


Ping from DMZ to LAN is the Problem.

praprama Wed, 11/10/2010 - 08:27
User Badges:
  • Cisco Employee,

Hi Thomas,


Could you post a sanitized config here? We can get a better picture of where things are going wrong.


Regards,

Prapanch

Kureli Sankar Wed, 11/10/2010 - 16:11
User Badges:
  • Cisco Employee,

I hope you are NOT trying to ping from 10.1.1.2 to 172.16.1.254 - This will not work and it is by design. You cannot ping the far side interface.


But, if you are pinging from 10.1.1.2 to 172.16.1.1


and if you have

static (LAN,DMZ) 172.16.1.0 172.16.1.0 net 255.255.255.0


with the icmp allow acl on the LAN and DMZ interfaces it should work.


Just for testing purposes, throw in an ACL to allow ip any any between these two test hosts, 10.1.1.2 and 172.16.1.1.


enable logging


conf t

logging on

logging buffered debug

exit


sh logg | i 10.1.1.2


-KS
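The logging steps above leave you with raw syslog lines to read through. As an added example (not code from this thread or from Cisco), here is a small Python triage script that applies the `sh logg | i <host>` filter offline and sorts each hit by the stage that produced it: an interface ACL deny (106023), a NAT failure (305005, 305006, 305013) or a built ICMP connection (302020/302021), which is the point where the firewall is no longer the problem and host routing or a host firewall is. The sample lines are constructed in the general shape of ASA syslog messages using the thread's interface names and addresses; 198.51.100.10 is a constructed Internet host.

```python
"""Offline triage of `show logging | include <host>` output for a failing ping.
Added example for this thread, not Cisco code; the sample lines are constructed
in the general shape of ASA syslog messages and are not the thread's attachments."""
import re

SAMPLE_LOG = """\
%ASA-4-106023: Deny icmp src DMZ:10.1.1.2 dst LAN:172.16.1.1 (type 8, code 0) by access-group "ICMP_DMZ" [0x0, 0x0]
%ASA-3-305005: No translation group found for icmp src DMZ:10.1.1.2 dst LAN:172.16.1.1 (type 8, code 0)
%ASA-6-302020: Built inbound ICMP connection for faddr 10.1.1.2/0 gaddr 172.16.1.1/0 laddr 172.16.1.1/0
%ASA-6-302021: Teardown ICMP connection for faddr 10.1.1.2/0 gaddr 172.16.1.1/0 laddr 172.16.1.1/0
%ASA-4-106023: Deny icmp src LAN:172.16.1.1 dst DMZ:10.1.1.2 (type 8, code 0) by access-group "ICMP_LAN" [0x0, 0x0]
%ASA-6-302020: Built inbound ICMP connection for faddr 198.51.100.10/0 gaddr 194.206.235.66/0 laddr 10.1.1.3/0
"""

# Message IDs that decide whether a ping died at the ACL, died at NAT, or got through.
STAGE = {
    "106023": ("acl", "denied by an interface access-list (check access-group and the implicit deny)"),
    "305005": ("nat", "no translation group: no static / nat 0 / nat+global covers this interface pair"),
    "305006": ("nat", "translation creation failed: overlapping or conflicting static/global"),
    "305013": ("nat", "asymmetric NAT: the reverse flow would be translated differently from the forward one"),
    "302020": ("conn", "ICMP connection built: ACL and NAT are fine, look at host routing or a host firewall"),
    "302021": ("conn", "ICMP connection torn down"),
}
LINE_RE = re.compile(r"%ASA-\d-(?P<id>\d{6}): (?P<body>.*)")
ACL_RE = re.compile(r"src (?P<sif>\w+):(?P<src>[\d.]+) dst (?P<dif>\w+):(?P<dst>[\d.]+)")
# For an inbound connection faddr is the initiator and laddr the local (real) responder.
CONN_RE = re.compile(r"faddr (?P<src>[\d.]+)/\d+ gaddr [\d.]+/\d+ laddr (?P<dst>[\d.]+)/\d+")


def parse_line(line):
    """Return {id, stage, meaning, src, dst} for a known message ID, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("id") not in STAGE:
        return None
    stage, meaning = STAGE[m.group("id")]
    rec = {"id": m.group("id"), "stage": stage, "meaning": meaning, "src": None, "dst": None}
    addrs = ACL_RE.search(m.group("body")) or CONN_RE.search(m.group("body"))
    if addrs:
        rec["src"], rec["dst"] = addrs.group("src"), addrs.group("dst")
    return rec


def triage(log_text, host):
    """Same filter as `sh logg | i <host>`, with each hit classified."""
    records = (parse_line(line) for line in log_text.splitlines() if host in line)
    return [r for r in records if r]


def verdict(records):
    """Per src->dst flow, the stage that explains the outcome: an ACL or NAT drop
    outranks a built connection seen for the same flow."""
    best = {}
    for r in records:
        flow = f"{r['src']}->{r['dst']}"
        prev = best.get(flow)
        if prev is None or (prev["stage"] == "conn" and r["stage"] != "conn"):
            best[flow] = r
    return {flow: r["stage"] for flow, r in best.items()}


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG, "10.1.1.2")
    for r in hits:
        print(r["id"], r["stage"], f"{r['src']}->{r['dst']}", r["meaning"])
    print(verdict(hits))
```

Run it with the real `show logging` output saved to a file and the buffered level at debugging, as in the commands above; anything that never reaches a 302020 line for the flow you are testing is still being stopped by the ASA, and the stage tells you whether to look at the access-group or at the static/nat/global lines.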

OK, I've added:

static (LAN,DMZ) 172.16.1.0 172.16.1.0 netmask 255.255.0.0


Ping from 10.1.1.2 to 172.16.1.1 works in packet-tracer but doesn't work with the ping command.

Ping from 172.16.1.1 to 10.1.1.2 doesn't work.


I've attached my running config and packet-tracer logs. I am a bit lost; I'm just starting with Cisco firewalls.


Thanks.

apothula Wed, 11/17/2010 - 00:52
User Badges:
  • Bronze, 100 points or more

Hi Tom,


Also add the following command:


static (LAN,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0


Please let me know if that helps.


Cheers,


Nash.

praprama Wed, 11/17/2010 - 08:05
User Badges:
  • Cisco Employee,

Hi Thomas,


The issue is with these static commands:


static (DMZ,LAN) 194.206.235.65 10.1.1.2 netmask 255.255.255.255
static (DMZ,LAN) 194.206.235.66 10.1.1.3 netmask 255.255.255.255


So what this means is that when you want to access the DMZ servers 10.1.1.2 and 10.1.1.3 from the LAN, you will have to do it using the IP addresses 194.206.235.65 and 194.206.235.66 respectively.


Now it comes down to your requirement: do you want to access the DMZ servers from the LAN using their private or public IPs? If it's going to be using the public IPs, remove the command below:


static (LAN,DMZ) 172.16.0.0 172.16.0.0 netmask 255.255.0.0


If you would like to do it using the private IPs, remove the below commands:


static (DMZ,LAN) 194.206.235.65 10.1.1.2 netmask 255.255.255.255
static (DMZ,LAN) 194.206.235.66 10.1.1.3 netmask 255.255.255.255


Please note that if you are accessing the servers using the public IPs, you will have to ping the IP addresses 194.206.235.65 and 194.206.235.66 respectively.


Let me know if this helps!!


Regards,

Prapanch

praprama Wed, 11/17/2010 - 18:09
User Badges:
  • Cisco Employee,

Hi,


If there is a Windows or any other firewall on the DMZ servers, please disable it and check if you are able to ping them. Also, please apply captures on the ASA to see how packets are flowing and whether they are getting dropped:


https://supportforums.cisco.com/docs/DOC-1222


regards,

Prapanch

OK, done. I have a gateway problem.


I continue my configuration and I have another question (sorry).

I want to configure NAT for the LAN network. A PC from the LAN must go to the internet with the WAN interface IP.

I configured this rule:


global (WAN) 1 interface

nat (LAN) 1 172.16.0.0 255.255.0.0


The problem is that when I want to access my DMZ public servers from the LAN, the rule above is applied on the DMZ interface too.

So communication between LAN and DMZ does not work anymore.

I only specified the WAN interface in the rule, so I don't understand.

Should I use some exemptions?


Thanks

Kureli Sankar Fri, 11/26/2010 - 11:56
User Badges:
  • Cisco Employee,

Do you have this line in the config?

static (LAN,DMZ) 172.16.1.0 172.16.1.0 net 255.255.255.0


You need that for source address translation from the inside to dmz.

Copy and paste the output of the following and tell us which network has trouble getting where:


sh run nat

sh run global

sh run static


-KS

I want to access the DMZ servers from the LAN using their public IPs (I followed the comment from Prapanch Ramamoorthy).
So I removed this line:

static (LAN,DMZ) 172.16.1.0 172.16.1.0 net 255.255.255.0


Output of the following commands:


show run nat
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 172.16.0.0 255.255.0.0


show run global
global (WAN) 1 interface


show run static
static (DMZ,LAN) 194.x.x.x 10.1.1.2 netmask 255.255.255.255
static (DMZ,LAN) 194.x.x.y 10.1.1.3 netmask 255.255.255.255
static (DMZ,WAN) 194.x.x.x 10.1.1.2 netmask 255.255.255.255
static (DMZ,WAN) 194.x.x.y 10.1.1.3 netmask 255.255.255.255

Kureli Sankar Tue, 11/30/2010 - 19:20
User Badges:
  • Cisco Employee,

So, does this work now?


static (LAN,DMZ) 172.16.1.0 172.16.1.0 net 255.255.255.0


and


nat (LAN) 0 access-list LAN_nat0_outbound


The above two are the same.


-KS
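The `show run` lines posted above, together with the two questions argued through this thread (Prapanch's point that the `static (DMZ,LAN)` entries decide whether the DMZ servers are reachable by public or private address, and KS's point that the identity `static (LAN,DMZ)` and `nat (LAN) 0 access-list` do the same job), can be walked through with a small model of the ASA 8.2 translation order. This is an added example in Python, not Cisco code and not taken from the thread's attachments. It models only the rule types that appear in the thread (nat 0 access-list, static, nat/global), ignores policy NAT, PAT ports and interface ACLs, treats a flow that no rule covers as dropped (the nat-control behaviour is assumed), and assumes the unposted LAN_nat0_outbound ACL permits 172.16.0.0/16 to anywhere. The public addresses are the ones Prapanch quoted; 198.51.100.10 is a constructed Internet destination.

```python
"""Model of the ASA 8.2 translation order (nat 0 access-list, then static, then nat/global)
applied to the lines posted in this thread. Added example, not Cisco code; it ignores policy
NAT, PAT port allocation and interface ACLs, and treats a flow that no rule covers as dropped
(nat-control behaviour is assumed)."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field, replace

Static = namedtuple("Static", "real_if mapped_if mapped real mask")  # static (real_if,mapped_if) mapped real netmask mask
Nat0 = namedtuple("Nat0", "iface src_nets")      # nat (iface) 0 access-list <acl>; the ACL is given as source nets
Nat = namedtuple("Nat", "iface nat_id addr mask")  # nat (iface) id addr mask
Global = namedtuple("Global", "iface nat_id")    # global (iface) id interface


@dataclass
class Config:
    statics: list = field(default_factory=list)
    nat0: list = field(default_factory=list)
    nats: list = field(default_factory=list)
    globals_: list = field(default_factory=list)
    nat_control: bool = True  # assumption: a flow no rule covers is dropped


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def map_addr(addr, from_net, to_net):
    """Carry the host offset from one network to the other (identity statics map to themselves)."""
    off = int(ipaddress.ip_address(addr)) - int(from_net.network_address)
    return str(ipaddress.ip_address(int(to_net.network_address) + off))


def translate(cfg, in_if, out_if, src, dst):
    """One packet entering in_if and leaving out_if: translated addresses, winning rule, pass/drop."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Destination side first: a static whose mapped side faces in_if un-translates dst to the real host.
    for st in cfg.statics:
        if st.mapped_if == in_if and st.real_if == out_if and d in net(st.mapped, st.mask):
            dst = map_addr(dst, net(st.mapped, st.mask), net(st.real, st.mask))
            break
    # Source side in precedence order: exemption, static, dynamic nat/global.
    for ex in cfg.nat0:
        if ex.iface == in_if and any(s in n for n in ex.src_nets):
            return dict(src=src, dst=dst, rule="nat 0 access-list", action="pass")
    for st in cfg.statics:
        if st.real_if == in_if and st.mapped_if == out_if and s in net(st.real, st.mask):
            src = map_addr(src, net(st.real, st.mask), net(st.mapped, st.mask))
            return dict(src=src, dst=dst, rule=f"static ({in_if},{out_if})", action="pass")
    for n in cfg.nats:
        if n.iface == in_if and s in net(n.addr, n.mask):
            if any(g.iface == out_if and g.nat_id == n.nat_id for g in cfg.globals_):
                return dict(src=f"<{out_if} interface address>", dst=dst, rule="nat/global", action="pass")
            # The nat id matched on the ingress interface, but there is no global for it on the egress one.
            return dict(src=src, dst=dst, rule=f"nat ({in_if}) {n.nat_id} without global ({out_if}) {n.nat_id}",
                        action="drop: no translation group found")
    if cfg.nat_control:
        return dict(src=src, dst=dst, rule="no nat rule", action="drop: no translation group found")
    return dict(src=src, dst=dst, rule="untranslated", action="pass")


def check_flow(cfg, in_if, out_if, src, dst):
    """Forward translation plus the reverse-path check: the reply must translate back to the
    address the client sent to, otherwise the ASA rejects the connection as asymmetric NAT."""
    fwd = translate(cfg, in_if, out_if, src, dst)
    if fwd["action"] != "pass" or fwd["rule"] == "nat/global":  # PAT replies are matched by their xlate
        return fwd
    rev = translate(cfg, out_if, in_if, fwd["dst"], fwd["src"])
    if rev["src"] != dst:
        return dict(fwd, action=f"drop: asymmetric NAT, reply would come from {rev['src']} not {dst}")
    return fwd


# Thomas's "show run static/nat/global" lines, with the public addresses Prapanch quoted.
# The LAN_nat0_outbound ACL is not posted; it is assumed to permit 172.16.0.0/16 to anywhere.
PAGE_CFG = Config(
    statics=[Static("DMZ", "LAN", "194.206.235.65", "10.1.1.2", "255.255.255.255"),
             Static("DMZ", "LAN", "194.206.235.66", "10.1.1.3", "255.255.255.255"),
             Static("DMZ", "WAN", "194.206.235.65", "10.1.1.2", "255.255.255.255"),
             Static("DMZ", "WAN", "194.206.235.66", "10.1.1.3", "255.255.255.255")],
    nats=[Nat("LAN", 1, "172.16.0.0", "255.255.0.0")],
    globals_=[Global("WAN", 1)],
)
NAT0_CFG = replace(PAGE_CFG, nat0=[Nat0("LAN", [net("172.16.0.0", "255.255.0.0")])])
IDENT_CFG = replace(PAGE_CFG, statics=PAGE_CFG.statics
                    + [Static("LAN", "DMZ", "172.16.0.0", "172.16.0.0", "255.255.0.0")])

if __name__ == "__main__":
    for name, cfg in [("as posted", PAGE_CFG), ("+ nat 0", NAT0_CFG), ("+ identity static", IDENT_CFG)]:
        print(name, "LAN->DMZ by public IP :", check_flow(cfg, "LAN", "DMZ", "172.16.1.1", "194.206.235.65"))
        print(name, "LAN->DMZ by private IP:", check_flow(cfg, "LAN", "DMZ", "172.16.1.1", "10.1.1.2"))
        print(name, "DMZ->LAN              :", check_flow(cfg, "DMZ", "LAN", "10.1.1.2", "172.16.1.1"))
    # 198.51.100.10 is a constructed Internet destination.
    print("LAN->Internet:", check_flow(PAGE_CFG, "LAN", "WAN", "172.16.1.1", "198.51.100.10"))
```

With only the posted lines, LAN to DMZ is dropped because `nat (LAN) 1` matches the source but there is no `global (DMZ) 1`; adding either the nat 0 exemption or the identity static gives the same untranslated LAN to DMZ result, which is why KS calls the two equivalent. The model also shows Prapanch's point: with the `static (DMZ,LAN)` entries in place, pinging a server by its private 10.1.1.x address fails the reverse-path check because the reply would be sourced from the public address, so the servers have to be reached by 194.206.235.65 and .66 unless those statics are removed.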
