06-20-2012 07:21 AM - edited 03-11-2019 04:21 PM
I can't seem to get this going for the life of me; maybe I'm a little fuzzy on the concepts, but I've done this before without problems. I need the DMZ hosts to be able to ping anything we have inside and outside our network. I will lock down everything else afterwards; right now I can't get anything in the DMZ to access anything outside or inside.
interface Ethernet0/0
description Public
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.224
!
interface Ethernet0/1
description Private
nameif inside
security-level 100
ip address 192.168.40.1 255.255.255.0
!
interface Ethernet0/2
description DMZ
nameif dmz
security-level 50
ip address 192.168.41.1 255.255.255.0
! Interface ACLs, applied inbound on each interface
access-list dmz-allowed-in extended permit ip any any
access-group dmz-allowed-in in interface dmz
access-list allowed-in extended permit icmp any host 1.1.1.2
access-group allowed-in in interface outside
access-list allow-out extended permit ip 192.168.40.0 255.255.255.0 any
access-group allow-out in interface inside
! Dynamic PAT (pre-8.3 syntax): inside and dmz hosts share the outside interface address
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 dns
nat (dmz) 1 0.0.0.0 0.0.0.0 dns
! Identity NAT between inside and dmz; static NAT giving the DMZ host the public address 1.1.1.2
static (inside,dmz) 192.168.40.0 192.168.40.0 netmask 255.255.255.0
static (dmz,outside) 1.1.1.2 192.168.41.10 netmask 255.255.255.255
Packet tracer from inside to DMZ host 192.168.41.1 says it's dropped by implicit rules.
Packet tracer from DMZ to inside host 192.168.40.1 says it's dropped by implicit rules.
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Packet tracer from outside to the DMZ host's public address says it's allowed.
Packet tracer from DMZ to an outside address says it's allowed.
It would seem that at least ping to the outside from the DMZ should work, but it doesn't.
06-20-2012 07:33 AM
Do you have "inspect icmp" configured?
06-20-2012 07:40 AM
Yes, at the moment, but I have tested with it disabled and got the same results.
06-20-2012 07:42 AM
It should be enabled, not disabled.
06-20-2012 07:43 AM
And it is.
06-20-2012 07:45 AM
This sounds wrong:
Packet tracer from inside to DMZ host 192.168.41.1 says it's dropped by implicit rules.
Packet tracer from DMZ to inside host 192.168.40.1 says it's dropped by implicit rules.
Both addresses are assigned to your ASA firewall interfaces, so you can't have host with that IP Address.
06-20-2012 07:49 AM
Ah yes, bad examples. I redid them with .10 addresses and they say the packets are supposed to be passed on.
06-20-2012 07:51 AM
Great, that means there's nothing wrong with the ASA config.
You might want to check the host itself, correct subnet mask? correct default gateway? connected to the correct VLAN/etc?
06-20-2012 07:53 AM
So, host in the dmz, connected to vlan 6, DMZ interface in vlan 6.
Public side connected to vlan 3
Host inside connected to vlan 1, inside interface in vlan 1.
Both use the ASA as their default gateway.
06-20-2012 07:57 AM
Run "debug icmp trace" and see if you are getting the echo and/or echo-reply on the ASA
Or do a packet capture on the ASA and see if the echo is reaching and leaving the ASA, and if the echo reply is reaching and leaving the ASA.
06-20-2012 08:01 AM
Yes, I get the echo request and reply.
06-20-2012 08:02 AM
Is the echo reply leaving the firewall?
06-20-2012 08:05 AM
I didn't do an actual packet capture on the host yet, but it would seem so from the debug.
Sending 5, 100-byte ICMP Echos to 192.168.41.10, timeout is 2 seconds:
ICMP echo request from 192.168.41.1 to 192.168.41.10 ID=23829 seq=42700 len=72
ICMP echo reply from 192.168.41.10 to 192.168.41.1 ID=23829 seq=42700 len=72
!ICMP echo request from 192.168.41.1 to 192.168.41.10 ID=23829 seq=42700 len=72
!!ICMP echo reply from 192.168.41.10 to 192.168.41.1 ID=23829 seq=42700 len=72
ICMP echo request from 192.168.41.1 to 192.168.41.10 ID=23829 seq=42700 len=72
!ICMP echo reply from 192.168.41.10 to 192.168.41.1 ID=23829 seq=42700 len=72
ICMP echo request from 192.168.41.1 to 192.168.41.10 ID=23829 seq=42700 len=72
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
06-20-2012 08:09 AM
?? Are you just pinging from the ASA towards your DMZ host?
I thought you were having an issue with ping through the firewall from the DMZ host??
06-20-2012 08:15 AM
Yes, through the firewall. From the DMZ to internal hosts, and from the DMZ to the internet.
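The packet-tracer and capture checks suggested in the thread, written out as an added example (not part of the original posts) against the config above. It uses the .10 host addresses from the thread; the outside target 8.8.8.8 and the capture names are assumptions chosen for illustration, and the ICMP type/code 8 0 is an echo request.

```cisco
! Simulate the two failing flows through the firewall with host addresses, not interface addresses
packet-tracer input dmz icmp 192.168.41.10 8 0 192.168.40.10 detailed
packet-tracer input dmz icmp 192.168.41.10 8 0 8.8.8.8 detailed
!
! Capture all ICMP on each interface for a short troubleshooting window
! (the dmz host is untranslated toward inside, but appears as 1.1.1.2 on outside)
capture dmzcap interface dmz match icmp any any
capture incap interface inside match icmp any any
capture outcap interface outside match icmp any any
!
! Now ping from the DMZ host, then check each side: a request seen on dmz but missing
! on inside/outside points at the ASA; a reply missing on inside/outside points at the far host
show capture dmzcap
show capture incap
show capture outcap
!
! Optional: watch the same thing live, and turn it off when done
debug icmp trace
undebug all
!
! Clean up
no capture dmzcap
no capture incap
no capture outcap
```

Compare the output of the three captures: if the echo request leaves the inside or outside interface and no reply comes back, the firewall has already done its job and the problem is on the destination host or the path beyond it.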