10-29-2010 08:26 AM - edited 03-11-2019 12:02 PM
Hi,
I've received my ASA 5510 and I'm trying to allow ping through the firewall between DMZ-LAN and LAN-DMZ.
I use:
access-list ICMP_LAN extended permit icmp any any echo
access-list ICMP_LAN extended permit icmp any any echo-reply
access-list ICMP_DMZ extended permit icmp any any echo
access-list ICMP_DMZ extended permit icmp any any echo-reply
I applied the access-lists to each interface:
access-group ICMP_LAN in interface LAN
access-group ICMP_DMZ in interface DMZ
But it doesn't work; packet-tracer reports that the packet is dropped by the default ACL, which denies all traffic.
Any Ideas? Thanks
10-29-2010 09:12 AM
Hi Thomas,
What version of ASA code are you running? Is there any NAT that should apply to this flow?
Can you post a sanitized copy of the packet tracer output and any syslogs generated when you try to ping?
-Mike
10-29-2010 09:15 AM
Try the following:
1. Allow inspect in the policy-map.
2. Check if you have any icmp LAN statement.
You can check that in show run, show run icmp, or show run | in icmp.
If you have any, remove it.
11-10-2010 08:22 AM
Hi,
Sorry for my late reply.
I use ASA 8.2 and ASDM 6.2. I have no ICMP LAN statement.
I've attached the logs from packet-tracer.
Interface LAN : 172.16.1.254
PC LAN : 172.16.1.1/16
Interface DMZ : 10.1.1.1
Private Interface for DMZ server : 10.1.1.2
PC DMZ : 194.x.x.x/29 (public IP)
Static NAT is enabled to translate:
10.1.1.2 --> 194.x.x.x.
Ping from DMZ to LAN is the Problem.
11-10-2010 08:27 AM
Hi Thomas,
Could you post a sanitized config here? We can get a better picture of where things are going wrong.
Regards,
Prapanch
11-10-2010 04:11 PM
I hope you are NOT trying to ping from 10.1.1.2 to 172.16.1.254. This will not work, and it is by design: you cannot ping the far-side interface.
But if you are pinging from 10.1.1.2 to 172.16.1.1,
and if you have
static (LAN,DMZ) 172.16.1.0 172.16.1.0 net 255.255.255.0
with the ICMP allow ACL on the LAN and DMZ interfaces, it should work.
Just for testing purposes, throw in an ACL to allow ip any any between these two test hosts, 10.1.1.2 and 172.16.1.1.
Enable logging:
conf t
logging on
logging buffered debug
exit
sh logg | i 10.1.1.2
-KS
11-16-2010 08:02 AM
OK, I've added:
static (LAN,DMZ) 172.16.1.0 172.16.1.0 netmask 255.255.0.0
Ping from 10.1.1.2 to 172.16.1.1 works in packet-tracer but doesn't work with the ping command.
Ping from 172.16.1.1 to 10.1.1.2 doesn't work.
I attached my running config and packet-tracer logs. I am a bit lost; I'm just starting with Cisco firewalls.
Thanks.
11-17-2010 12:52 AM
Hi Tom,
Also add the following command:
static (LAN,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
Please let me know if that helps.
Cheers,
Nash.
11-17-2010 07:44 AM
Hi Nash,
I added your command but have the same problem.
When I ping from 172.16.1.1 to 10.1.1.2 in packet-tracer, the packet is still dropped at the NAT step.
11-17-2010 08:05 AM
Hi Thomas,
The issue is with these static commands:
static (DMZ,LAN) 194.206.235.65 10.1.1.2 netmask 255.255.255.255
static (DMZ,LAN) 194.206.235.66 10.1.1.3 netmask 255.255.255.255
So what this means is that when you want to access the DMZ servers 10.1.1.2 and 10.1.1.3 from the LAN, you will have to do it using the IP addresses 194.206.235.65 and 194.206.235.66 respectively.
Now it comes down to your requirement: do you want to access the DMZ servers from the LAN using their private or public IPs? If it's going to be using the public IPs, remove the command below:
static (LAN,DMZ) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
If you would like to do it using the private IPs, remove the commands below:
static (DMZ,LAN) 194.206.235.65 10.1.1.2 netmask 255.255.255.255
static (DMZ,LAN) 194.206.235.66 10.1.1.3 netmask 255.255.255.255
Please note that if you are accessing the servers using the public IPs, you will have to ping the IP addresses 194.206.235.65 and 194.206.235.66 respectively.
Let me know if this helps!!
Regards,
Prapanch
11-17-2010 09:20 AM
OK, I agree. I want to access the DMZ servers from the LAN using their public IPs.
It works now in packet-tracer.
But for example, when I use the ping command on a PC from the LAN and I ping the 194.x.x.x, it doesn't work.
I'm connected to the ASA interface directly for the test. Is that a problem?
Thanks.
11-17-2010 06:09 PM
Hi,
If there is a Windows or any other firewall on the DMZ servers, please disable it and check if you are able to ping them. Also, please apply captures on the ASA to see how packets are flowing and whether they are getting dropped:
https://supportforums.cisco.com/docs/DOC-1222
regards,
Prapanch
11-26-2010 07:10 AM
OK, done. I have a gateway problem.
I continue my configuration and I have another question (sorry).
I want to configure NAT for the LAN network. A PC from the LAN must go to the internet with the WAN interface IP.
I configured this rule:
global (WAN) 1 interface
nat (LAN) 1 172.16.0.0 255.255.0.0
The problem is that when I want to access my DMZ public servers from the LAN, the rule above is applied on the DMZ interface too.
So communication between LAN and DMZ does not work anymore.
I specified only the WAN interface in the rule, so I don't understand.
Should I use some exemptions?
Thanks
11-26-2010 11:56 AM
Do you have this line in the config?
static (LAN,DMZ) 172.16.1.0 172.16.1.0 net 255.255.255.0
You need that for source address translation from the inside to the DMZ.
Copy and paste the output of the following and tell us which network has trouble getting where:
sh run nat
sh run global
sh run static
-KS
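To make the two NAT behaviours discussed in this thread concrete (Prapanch's point that the static (DMZ,LAN) entries force the LAN to reach the servers by their public addresses and conflict with a direct ping to 10.1.1.2, and KS's point that an identity static (LAN,DMZ) is needed so that the LAN's nat/global pair does not swallow LAN-to-DMZ traffic), here is a small model of the pre-8.3 ASA NAT order of operations. It is an added example, not Cisco code and not taken from any post: it implements only static translations, regular nat/global pairs, the "no translation group" drop, and the reverse-path (RPF) check for asymmetric statics. The interface names and the 194.206.235.65/10.1.1.2 static come from the thread; the WAN interface address 203.0.113.1 and the internet host 198.51.100.10 are constructed placeholders.

```python
"""Toy model of ASA 8.2 (pre-8.3) NAT order of operations. Constructed for
illustration; not Cisco code. Models statics, regular nat/global, the
'no translation group' drop, and the NAT reverse-path (RPF) check."""
from ipaddress import ip_address, ip_network


class AsaNatModel:
    def __init__(self, interface_ips):
        # interface name -> interface IP, used by "global (ifc) N interface" (PAT)
        self.interface_ips = {k: ip_address(v) for k, v in interface_ips.items()}
        self.statics = []   # (real_ifc, mapped_ifc, mapped_net, real_net)
        self.nats = []      # (ifc, nat_id, real_net)
        self.globals = {}   # (ifc, nat_id) -> "interface" or a mapped IP

    def add_static(self, real_ifc, mapped_ifc, mapped_ip, real_ip, netmask):
        """static (real_ifc,mapped_ifc) mapped_ip real_ip netmask netmask"""
        self.statics.append((real_ifc, mapped_ifc,
                             ip_network(f"{mapped_ip}/{netmask}", strict=False),
                             ip_network(f"{real_ip}/{netmask}", strict=False)))

    def add_nat(self, ifc, nat_id, real_ip, netmask):
        """nat (ifc) nat_id real_ip netmask   (nat_id 0 = identity, needs no global)"""
        self.nats.append((ifc, nat_id, ip_network(f"{real_ip}/{netmask}", strict=False)))

    def add_global(self, ifc, nat_id, pool="interface"):
        """global (ifc) nat_id interface|mapped_ip"""
        self.globals[(ifc, nat_id)] = pool

    @staticmethod
    def _shift(ip, from_net, to_net):
        # keep the host offset when moving an address between two equal-size networks
        return ip_address(int(to_net.network_address) + (int(ip) - int(from_net.network_address)))

    def _source_xlate(self, src_ifc, dst_ifc, ip):
        """Translate a source leaving src_ifc toward dst_ifc; statics win over nat/global."""
        for real_ifc, mapped_ifc, mapped_net, real_net in self.statics:
            if real_ifc == src_ifc and mapped_ifc == dst_ifc and ip in real_net:
                return "static", self._shift(ip, real_net, mapped_net)
        for ifc, nat_id, real_net in self.nats:
            if ifc == src_ifc and ip in real_net:
                if nat_id == 0:
                    return "nat0", ip
                pool = self.globals.get((dst_ifc, nat_id))
                if pool is None:
                    # nat rule matched but the egress interface has no matching global
                    return "drop:no-translation-group", None
                mapped = self.interface_ips[dst_ifc] if pool == "interface" else ip_address(pool)
                return "dynamic", mapped
        return "untranslated", ip   # nat-control disabled: no rule means no translation

    def _untranslate_dest(self, src_ifc, dst_ifc, ip):
        """A destination seen on src_ifc may be the mapped side of a static (dst_ifc,src_ifc)."""
        for real_ifc, mapped_ifc, mapped_net, real_net in self.statics:
            if real_ifc == dst_ifc and mapped_ifc == src_ifc and ip in mapped_net:
                return self._shift(ip, mapped_net, real_net)
        return ip

    def lookup(self, src_ifc, dst_ifc, src_ip, dst_ip):
        src_ip, dst_ip = ip_address(src_ip), ip_address(dst_ip)
        real_dst = self._untranslate_dest(src_ifc, dst_ifc, dst_ip)
        kind, mapped_src = self._source_xlate(src_ifc, dst_ifc, src_ip)
        if mapped_src is None:
            return {"action": "drop", "reason": kind}
        # RPF check: the reply from real_dst back toward src_ifc must be sourced from the
        # address the client used; otherwise the statics are asymmetric and the flow is dropped.
        rev_kind, rev_src = self._source_xlate(dst_ifc, src_ifc, real_dst)
        if rev_kind == "static" and rev_src != dst_ip:
            return {"action": "drop",
                    "reason": f"nat-rpf-failure: reply would be sourced from {rev_src}, client used {dst_ip}"}
        return {"action": "allow", "kind": kind, "src": str(mapped_src), "dst": str(real_dst)}


def thread_asa(identity_static):
    """Thomas's config as posted; WAN address 203.0.113.1 is a constructed placeholder."""
    asa = AsaNatModel({"LAN": "172.16.1.254", "DMZ": "10.1.1.1", "WAN": "203.0.113.1"})
    asa.add_static("DMZ", "LAN", "194.206.235.65", "10.1.1.2", "255.255.255.255")
    asa.add_static("DMZ", "WAN", "194.206.235.65", "10.1.1.2", "255.255.255.255")
    asa.add_nat("LAN", 1, "172.16.0.0", "255.255.0.0")
    asa.add_global("WAN", 1, "interface")
    if identity_static:   # KS's suggestion: identity static so LAN->DMZ is neither PATed nor dropped
        asa.add_static("LAN", "DMZ", "172.16.0.0", "172.16.0.0", "255.255.0.0")
    return asa


if __name__ == "__main__":
    for ident in (False, True):
        asa = thread_asa(identity_static=ident)
        print(f"identity static (LAN,DMZ) present: {ident}")
        print("  LAN->DMZ public  :", asa.lookup("LAN", "DMZ", "172.16.1.1", "194.206.235.65"))
        print("  LAN->DMZ private :", asa.lookup("LAN", "DMZ", "172.16.1.1", "10.1.1.2"))
        print("  LAN->WAN         :", asa.lookup("LAN", "WAN", "172.16.1.1", "198.51.100.10"))
```

Without the identity static, a LAN host reaching the DMZ server's public address matches nat (LAN) 1 but finds no global (DMZ) 1, so the model drops it, which is the symptom Thomas describes after adding the LAN-to-WAN nat/global pair. With the identity static, the public address works and LAN-to-WAN is still PATed to the WAN interface; pinging 10.1.1.2 directly still fails the reverse-path check because the server's replies would be sourced from 194.206.235.65.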
11-30-2010 09:00 AM
I want to access the DMZ servers from the LAN using their public IPs (I followed the comment from Prapanch Ramamoorthy).
So I removed this line:
static (LAN,DMZ) 172.16.1.0 172.16.1.0 net 255.255.255.0
Output of the following commands:
show run nat
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 172.16.0.0 255.255.0.0
show run global
global (WAN) 1 interface
show run static
static (DMZ,LAN) 194.x.x.x 10.1.1.2 netmask 255.255.255.255
static (DMZ,LAN) 194.x.x.y 10.1.1.3 netmask 255.255.255.255
static (DMZ,WAN) 194.x.x.x 10.1.1.2 netmask 255.255.255.255
static (DMZ,WAN) 194.x.x.y 10.1.1.3 netmask 255.255.255.255