07-05-2012 10:50 AM - edited 03-11-2019 04:26 PM
I have several machines out in my DMZ and cannot get a ping going between them and anything on the inside of my network. I've even tried setting my access list attached to my DMZ to ip any any with no luck. Attached is my (sanitized) config. Any help is appreciated, everything looks good to me, but obviously something is wrong.
Thanks in advance.
07-05-2012 07:34 PM
But I need the flexibility of letting certain ports and ip addresses in and out of the DMZ, how do I do that now?
07-05-2012 07:55 PM
I must be doing something wrong then. I put in the following commands trying to block pings from coming "in" to the DMZ interface:
access-list dmz_access_in extended deny icmp any any
access-group dmz_access_in in interface dmz
Pings and packet tracer simulation are still successful. What am I missing?
07-05-2012 08:06 PM
"access-list dmz_access_in extended deny icmp any any
access-group dmz_access_in in interface dmz"
The above lines will work: if you ping from a DMZ host, it will deny the traffic, meaning traffic that enters the dmz interface from the DMZ zone.
If you want to control what can access from the inside interface, you would do the same from the inside interface.
Hope that answers your questions.
thanks
07-05-2012 07:34 PM
"But if that's right, how do I control what comes and goes from the dmz interface?"
A more secure interface such as "inside" should be able to access the dmz without any problem with the static that I showed you.
You can still add an ACL on the DMZ interface as shown below.
"But I need the flexibility of letting certain ports and ip addresses in and out of the DMZ, how do I do that now?"
access-list dmz_incoming extended deny ip host 173.17.1.111 host 11.255.1.250
access-group dmz_incoming in interface dmz
Hope that helps.
thanks
Rizwan Rafeek
07-05-2012 08:06 PM
For some reason my later post is posting higher than yours on my machine. Please see my comment, which appears to me as the post above yours.
07-05-2012 08:32 PM
I see your response in my email, but it isn't posting on the actual forums right now:
"access-list dmz_access_in extended deny icmp any any
access-group dmz_access_in in interface dmz"
The above lines will work: if you ping from a DMZ host, it will deny the traffic, meaning traffic that enters the dmz interface from the DMZ zone.
If you want to control what can access from the inside interface, you would do the same from the inside interface.
Hope that answers your questions."
So that means the packet tracer results I saw were false, that ACL does dictate what goes "in" to the DMZ interface?
07-05-2012 08:40 PM
"So that means the packet tracer results I saw were false, that ACL does dictate what goes "in" to the DMZ interface?"
Answer is no, because you had a permit line.
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_access_in in interface dmz
access-list dmz_access_in extended permit ip any any
Additional Information:
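An added example (written for this thread, not any poster's config) that puts the two points above side by side: the ACL order that produced the ALLOW in packet-tracer, the corrected dmz_access_in, and the inside-interface ACL that actually governs what enters the DMZ. The interface names inside/dmz, the 173.17.1.0/24 DMZ subnet and the port numbers are assumptions; the two host addresses are the ones quoted in the thread.

```cisco
! Added example, not from the thread. Assumed: interface "inside" (more
! secure) and "dmz" (less secure); 173.17.1.111 is a DMZ host and
! 11.255.1.250 an inside host as quoted above; 173.17.1.0/24 is assumed.
!
! --- What produced "Result: ALLOW" in packet-tracer ---
! An "in" ACL on dmz filters traffic arriving at the ASA FROM the DMZ zone,
! and the first matching line wins. With permit ip any any ahead of the
! deny, the deny is never reached.
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended deny icmp any any
access-group dmz_access_in in interface dmz

! --- Corrected dmz_access_in: deny first, then only what the DMZ host needs ---
clear configure access-list dmz_access_in
access-list dmz_access_in extended deny icmp any any
access-list dmz_access_in extended permit tcp host 173.17.1.111 host 11.255.1.250 eq 443
access-group dmz_access_in in interface dmz
! The implicit deny at the end of the ACL drops anything not listed above.

! --- Traffic going INTO the DMZ from inside enters the ASA on "inside" ---
! so it is controlled by an "in" ACL on the inside interface, not on dmz.
access-list inside_access_in extended permit icmp any 173.17.1.0 255.255.255.0
access-list inside_access_in extended permit tcp any 173.17.1.0 255.255.255.0 eq 80
access-list inside_access_in extended deny ip any 173.17.1.0 255.255.255.0
! Once an ACL is applied, the implicit deny replaces the default
! "higher to lower security level" permit, so keep this final line.
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside

! --- Verify each direction (ICMP type 8 code 0 = echo request) ---
! Expected: DROP at the ACCESS-LIST phase for the first command,
! ALLOW for the second.
packet-tracer input dmz icmp 173.17.1.111 8 0 11.255.1.250
packet-tracer input inside icmp 11.255.1.250 8 0 173.17.1.111
```

If inside hosts must be able to ping DMZ hosts, enable `inspect icmp` in the global policy; otherwise the echo-replies coming back from the DMZ are checked against dmz_access_in as new traffic and are dropped by its deny icmp line.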
07-05-2012 08:49 PM
Indeed I did. I pulled the dmz_access_in ACL, just put the icmp deny line in, and the packet tracer failed, excellent!
Thank you much.