Ping through the Firewall

beaujoire
Level 1

Hi,

I've received my ASA5510 and I'm trying to allow ping through the firewall between DMZ-LAN and LAN-DMZ.

I use:

access-list "ICMP_LAN" permit icmp,echo,echoreply  any any

access-list "ICMP_DMZ" permit icmp,echo,echoreply  any any

I applied the access-lists to each interface:

access-group ICMP_LAN permit in interface LAN

access-group ICMP_DMZ permit in interface DMZ

But it doesn't work. Packet tracer reports that the packet is dropped by the default ACL, which denies all traffic.

Any Ideas? Thanks

15 Replies

mirober2
Cisco Employee

Hi Thomas,

What version of ASA code are you running? Is there any NAT that should apply to this flow?

Can you post a sanitized copy of the packet tracer output and any syslogs generated when you try to ping?

-Mike

Jitendriya Athavale
Cisco Employee

Try the following:

1. Allow ICMP inspection in the policy-map.

2. Check if you have any icmp LAN statement.

You can check that in show run, show run icmp, or show run | in icmp.

If you have any, then remove it.

Hi,

Sorry to be late for my reply.

I use ASA version 8.2 and ASDM 6.2. I have no ICMP LAN statement.

I've attached logs from packet tracer.

Interface LAN : 172.16.1.254

PC LAN : 172.16.1.1/16

Interface DMZ : 10.1.1.1

Private Interface for DMZ server : 10.1.1.2

PC DMZ : 194.x.x.x/29 ( public IP)

Static NAT is enabled to translate:

10.1.1.2 --> 194.x.x.x.

Ping from DMZ to LAN is the Problem.

Hi Thomas,

Could you post a sanitized config here? We can get a better picture of where things are going wrong.

Regards,

Prapanch

I hope you are NOT trying to ping from 10.1.1.2 to 172.16.1.254 - This will not work and it is by design. You cannot ping the far side interface.

But, if you are pinging from 10.1.1.2 to 172.16.1.1

and if you have

static (LAN,DMZ) 172.16.1.0 172.16.1.0 net 255.255.255.0

with the icmp allow acl on the LAN and DMZ interfaces it should work.

Just for testing purposes, open the ACL to allow ip any any between these two test hosts, 10.1.1.2 and 172.16.1.1.

enable logging

conf t

logging on

logging buffered debug

exit

sh logg | i 10.1.1.2

-KS

OK, I've added:

static (LAN,DMZ) 172.16.1.0 172.16.1.0 netmask 255.255.0.0

Ping from 10.1.1.2 to 172.16.1.1 works in packet tracer but doesn't work with the ping command.

Ping from 172.16.1.1 to 10.1.1.2 doesn't work.

I attached my running config and packet tracer logs. I am a bit lost; I am new to Cisco firewalls.

Thanks.

Hi Tom,

Also add the following command:

static (LAN,DMZ) 10.0.0.0 10.0.0.0 255.0.0.0

Please let me know if that helps.


Cheers,

Nash.

Hi Nash,

I added your command, but same problem.

When I ping from 172.16.1.1 to 10.1.1.2 in Packet Tracer, the packet is still dropped at the NAT step.

Hi Thomas,

The issue is with these static commands:

static (DMZ,LAN) 194.206.235.65 10.1.1.2 netmask 255.255.255.255
static (DMZ,LAN) 194.206.235.66 10.1.1.3 netmask 255.255.255.255

So what this means is that when you want to access the DMZ servers 10.1.1.2 and 10.1.1.3 from the LAN, you will have to do it using the IP addresses 194.206.235.65 and 194.206.235.66 respectively.

Now it comes down to your requirement: do you want to access the DMZ servers from the LAN using their private or public IPs? If it's going to be using the public IPs, remove the below command:

static (LAN,DMZ) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

If you would like to do it using the private IPs, remove the below commands:

static (DMZ,LAN) 194.206.235.65 10.1.1.2 netmask 255.255.255.255
static (DMZ,LAN) 194.206.235.66 10.1.1.3 netmask 255.255.255.255

Please note that if you are accessing the servers using the public IPs, you will have to ping the IP addresses 194.206.235.65 and 194.206.235.66 respectively.

Let me know if this helps!!

Regards,

Prapanch

OK, I agree. I want to access the DMZ servers from the LAN using their public IPs.

It works now in packet tracer.

But for example, when I use the ping command on a PC from the LAN and I ping 194.x.x.x, it doesn't work.

I'm connected to the ASA interface directly for the test. Is that a problem?

Thanks.

Hi,

If there is a Windows or any other firewall on the DMZ servers, please disable it and check whether you are able to ping them. Also, please apply captures on the ASA to see how packets are flowing and whether they are getting dropped:

https://supportforums.cisco.com/docs/DOC-1222

regards,

Prapanch

OK, done. I had a gateway problem.

I continued my configuration and I have another question (sorry).

I want to configure NAT for the LAN network. A PC from the LAN must reach the internet using the WAN interface IP.

I configured this rule:

global (WAN) 1 interface

nat (LAN) 1 172.16.0.0 255.255.0.0

The problem is that when I want to access my DMZ public servers from the LAN, the rule above is applied on the DMZ interface too.

So communication between LAN and DMZ does not work anymore.

I only specified the WAN interface in the rule, so I don't understand.

Should I use some exemptions?

Thanks

Do you have this line in the config?

static (LAN,DMZ) 172.16.1.0 172.16.1.0 net 255.255.255.0

You need that for source address translation from the inside to dmz.

copy and paste the output of the following and tell us which network has trouble getting where?

sh run nat

sh run global

sh run static

-KS

I want to access the DMZ servers from the LAN using their public IPs (I followed the comment from Prapanch Ramamoorthy).
So I removed this line:

static (LAN,DMZ) 172.16.1.0 172.16.1.0 net 255.255.255.0

Output of the following commands:

show run nat
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 172.16.0.0 255.255.0.0

show run global
global (WAN) 1 interface

show run static
static (DMZ,LAN) 194.x.x.x 10.1.1.2 netmask 255.255.255.255
static (DMZ,LAN) 194.x.x.y 10.1.1.3 netmask 255.255.255.255
static (DMZ,WAN) 194.x.x.x 10.1.1.2 netmask 255.255.255.255
static (DMZ,WAN) 194.x.x.y 10.1.1.3 netmask 255.255.255.255
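
The LAN-to-DMZ breakage discussed above (a dynamic nat (LAN) 1 with a global only on WAN, which KS answers with an identity static and the last post's nat 0 exemption would also address), as an added, simplified Python model of the pre-8.3 NAT lookup order: exemption, then static, then dynamic nat/global. This is illustration written for this thread, not Cisco code; the 192.0.2.x and 198.51.100.1 addresses stand in for the 194.x.x.x and WAN addresses, and the contents of LAN_nat0_outbound are assumed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Asa82Nat:
    exempt: dict = field(default_factory=dict)   # src_if -> [(real_net, dst_net)]  ~ nat (if) 0 access-list
    statics: list = field(default_factory=list)  # (real_if, mapped_if, mapped_net, real_net) ~ static
    dynamic: dict = field(default_factory=dict)  # src_if -> (nat_id, real_net)  ~ nat (if) id net mask
    pools: dict = field(default_factory=dict)    # (mapped_if, nat_id) -> mapped address  ~ global (if) id

    def translate(self, src_if, dst_if, src_ip, dst_ip):
        ip, dst = ip_address(src_ip), ip_address(dst_ip)
        for real_net, dst_net in self.exempt.get(src_if, []):        # 1. nat 0 exemption wins
            if ip in real_net and dst in dst_net:
                return ("exempt", src_ip)
        for real_if, mapped_if, mapped, real in self.statics:        # 2. static (identity or 1:1)
            if (real_if, mapped_if) == (src_if, dst_if) and ip in real:
                return ("static", str(mapped.network_address + (int(ip) - int(real.network_address))))
        if src_if in self.dynamic:                                   # 3. dynamic nat/global
            nat_id, real = self.dynamic[src_if]
            if ip in real:
                pool = self.pools.get((dst_if, nat_id))
                if pool is None:  # matched a nat rule but the egress interface has no global with that id
                    return ("drop: no translation group found", None)
                return ("dynamic", pool)
        return ("untranslated", src_ip)

def thread_config(identity_static=False, nat0_exempt=False):
    """Constructed from the thread's last post; 192.0.2.x stands in for 194.x.x.x, 198.51.100.1 for WAN."""
    asa = Asa82Nat()
    asa.dynamic["LAN"] = (1, ip_network("172.16.0.0/16"))          # nat (LAN) 1 172.16.0.0 255.255.0.0
    asa.pools[("WAN", 1)] = "198.51.100.1"                           # global (WAN) 1 interface
    for pub, real in (("192.0.2.65", "10.1.1.2"), ("192.0.2.66", "10.1.1.3")):
        for mapped_if in ("LAN", "WAN"):                             # static (DMZ,LAN|WAN) pub real
            asa.statics.append(("DMZ", mapped_if, ip_network(pub + "/32"), ip_network(real + "/32")))
    if identity_static:                                              # static (LAN,DMZ) 172.16.0.0 172.16.0.0 ...
        asa.statics.append(("LAN", "DMZ", ip_network("172.16.0.0/16"), ip_network("172.16.0.0/16")))
    if nat0_exempt:  # assumed contents of LAN_nat0_outbound: LAN hosts to the DMZ public block
        asa.exempt["LAN"] = [(ip_network("172.16.0.0/16"), ip_network("192.0.2.64/29"))]
    return asa

def lan_to_dmz(**kw):  # LAN PC 172.16.1.1 pinging the DMZ server by its public address
    return thread_config(**kw).translate("LAN", "DMZ", "172.16.1.1", "192.0.2.65")

if __name__ == "__main__":
    print("no fix:          ", lan_to_dmz())
    print("identity static: ", lan_to_dmz(identity_static=True))
    print("nat 0 exemption: ", lan_to_dmz(nat0_exempt=True))
    print("LAN -> internet: ", thread_config().translate("LAN", "WAN", "172.16.1.1", "203.0.113.9"))
    print("DMZ -> LAN:      ", thread_config().translate("DMZ", "LAN", "10.1.1.2", "172.16.1.1"))
```

The first case reproduces the symptom from the thread (the LAN nat rule matches, but the DMZ egress has no global 1, so the flow is dropped), and the two fixes show why adding the identity static or a nat 0 exemption lets the LAN reach the DMZ servers untranslated while internet-bound traffic still PATs to the WAN address.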
