Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
294
Views
0
Helpful
1
Replies

can't get from dmz to inside interface

w951duu
Level 1
Level 1

ā€Ž09-28-2010 01:45 PM - edited ā€Ž03-11-2019 11:46 AM

I've got a ASA5510 with an inside, outside and dmz interfaces.

I'm trying to ping from the dmz to the inside interface but I can't.. (nothing else is communicating from the DMZ to the inside either, but I figured this would be the easiest thing to test)

dmz interface 10.10.8.1 /24

security level  50

inside interface 10.10.4.1 /24

security level 100

I  have a no-nat ACL which keeps the interfaces from getting natted:

access-list inside_nat0_outbound extended permit ip 10.10.8.0 255.255.255.0 10.10.4.0 255.255.255.0

but when I ping:

ping dmz 10.10.4.1


?????

Am I missing something obvious, I thought I'd only need the no nat entry.

Labels:
72706-fw-config.txt.zip
0 Helpful
1 Reply 1

Federico Coto Fajardo
VIP Alumni
VIP Alumni

ā€Ž09-28-2010 02:01 PM

Gregory,

You cannot PING an interface on the ASA if you're not on that same interface.

In other words...

From the inside can only PING the inside interface

From the outside can only PING the outside interface and so on...

Now, you should be able to PING from a DMZ device to an inside device for example.

Since the DMZ has a security level of 50 and the inside of 100, you need a STATIC NAT and and ACL.

static (inside,DMZ) 10.10.4.0 10.10.4.0 netmask 255.255.255.0

access-list DMZ permit ip 10.10.8.0 255.255.255.0 10.10.4.0 255.255.255.0

access-group DMZ in interface DMZ

Federico.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card