DMZ on ASA 8.2

Hi,

I'm trying to configure a DMZ on an ASA.

Below is the configuration for the DMZ, but access from outside to the web server does not work, and the web server can't ping the gateway (DMZ) 172.16.80.1.

What is missing in this configuration?

Thanks in advance

11 Replies

luckymike33
Level 1

Hi,

Enter the following command and see what the output is:

packet-tracer input OUTSIDE tcp 10.0.0.1 1025 172.16.80.30 80

(assuming the router is 10.0.0.1)

Let me know how you get on

Best wishes

Mike

Have a look at this link too:

http://ccie-or-null.net/2011/11/15/packet-flow-through-a-cisco-asa/

best wishes

Mike

Ok,

That looks like access from the outside to the DMZ is good. Now try the same thing in reverse, whereby you need to enter the following:

packet-tracer input DMZ tcp 172.16.80.30 80 10.0.0.1 1025

and paste that in.

cheers

Mike

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.0.0.0    255.255.255.248 OUTSIDE

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
static (DMZ,OUTSIDE) 172.16.80.30 172.16.80.30 netmask 255.255.255.255
  match ip DMZ host 172.16.80.30 OUTSIDE any
    static translation to 172.16.80.30
    translate_hits = 1, untranslate_hits = 172
Additional Information:
Static translate 172.16.80.30/0 to 172.16.80.30/0 using netmask 255.255.255.255

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (DMZ,OUTSIDE) 172.16.80.30 172.16.80.30 netmask 255.255.255.255
  match ip DMZ host 172.16.80.30 OUTSIDE any
    static translation to 172.16.80.30
    translate_hits = 1, untranslate_hits = 172
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 44047626, packet dispatched to next module

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

Hi Zak,

So it doesn't look like a firewall problem. Just prove this completely by removing the firewall from the topology and see if you can ping from the router to the server successfully.

If this is ok, then it may be a NAT issue on the firewall, and you may have to NAT to a different address.

When you are trying to ping, what does the firewall log say?

Cheers

Mike

I connected the laptop directly to the GE0/2 port on the ASA. I can't ping the ASA, and from the ASA I can't ping the laptop.

Hi Zak,

Enter the command 'debug icmp trace' on the ASA CLI and then try pinging directly from the laptop again. This will tell us whether the pings are even being received by the ASA. I am assuming you have modified your outside-in ACL to permit ICMP traffic to the outside interface from your laptop's IP address?

If, after all that, the pings are not being received, it may be worth checking the laptop you are using for testing, maybe trying another one.

Of course the main problem initially was that you couldn't browse to the web server located in the DMZ. Have you tried putting your laptop in the DMZ VLAN (80) and ensuring that you can browse to the web server without a firewall in between?

Very best wishes

Mike

Hi Mike,

I can't ping the ASA; the problem is that the laptop can't see the gateway (ASA).

--ASA--

interface GigabitEthernet0/2.80
 vlan 80
 nameif DMZ
 security-level 50
 ip address 172.16.80.1 255.255.255.0

--Laptop--

IP 172.16.80.10

GW 172.16.80.1

mask 255.255.255.0

Hi Zak,

Do you mean there is something wrong with your laptop, something wrong with the network connection between the laptop and the ASA, or that the ASA is not responding to pings?

Best wishes

Mike

Hi Mike,

When I connect the laptop to the ASA, the interface on the ASA comes UP.

But I can't ping the laptop from the ASA and vice versa.

What am I missing?

Hi Mike,

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (DMZ,OUTSIDE) 172.16.80.30 172.16.80.30 netmask 255.255.255.255
  match ip DMZ host 172.16.80.30 OUTSIDE any
    static translation to 172.16.80.30
    translate_hits = 0, untranslate_hits = 166
Additional Information:
NAT divert to egress interface DMZ
Untranslate 172.16.80.30/0 to 172.16.80.30/0 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Out-Inside in interface OUTSIDE
access-list Out-Inside extended permit tcp any host 172.16.80.30 eq www
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http
service-policy global_policy global
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (DMZ,OUTSIDE) 172.16.80.30 172.16.80.30 netmask 255.255.255.255
  match ip DMZ host 172.16.80.30 OUTSIDE any
    static translation to 172.16.80.30
    translate_hits = 0, untranslate_hits = 166
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (DMZ,OUTSIDE) 172.16.80.30 172.16.80.30 netmask 255.255.255.255
  match ip DMZ host 172.16.80.30 OUTSIDE any
    static translation to 172.16.80.30
    translate_hits = 0, untranslate_hits = 166
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 44036154, packet dispatched to next module

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow
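Reading packet-tracer dumps like the two Zak posted is tedious by hand, so here is an added example (not code from the thread or from Cisco) that parses that output format into phases plus the final verdict and reports the first phase that does not ALLOW. The embedded traces are constructed and abridged from the ones above; the drop variant's explicit Out-Inside deny and its Drop-reason line are invented for illustration.

```python
import re

# Constructed, abridged DMZ -> OUTSIDE packet-tracer run (added example, not from the thread).
TRACE_ALLOW = """\
Phase: 1
Type: ACCESS-LIST
Result: ALLOW
Config:
Implicit Rule

Phase: 5
Type: NAT
Result: ALLOW
Config:
static (DMZ,OUTSIDE) 172.16.80.30 172.16.80.30 netmask 255.255.255.255

Result:
input-interface: DMZ
Action: allow
"""
# Constructed variant: phase 1 is an explicit ACL deny instead of the implicit allow.
TRACE_DROP = TRACE_ALLOW.replace("ALLOW\nConfig:\nImplicit Rule", "DROP\nConfig:\n"
    "access-group Out-Inside in interface OUTSIDE").replace("Action: allow",
    "Action: drop\nDrop-reason: (acl-drop) Flow is denied by configured rule")

def parse_phase(block):
    # One 'Phase:' block -> scalar fields plus the 'Config:' lines as a list.
    phase, section = {}, None
    for line in block.splitlines():
        key, sep, val = line.partition(":")
        if sep and key in ("Phase", "Type", "Subtype", "Result"):
            phase[key.lower()] = val.strip()
        elif line in ("Config:", "Additional Information:"):
            # Collect config lines; the free-text 'Additional Information' is skipped.
            section = phase.setdefault("config", []) if line == "Config:" else None
        elif section is not None and line:
            section.append(line)
    return phase

def parse_trace(trace):
    # Split off the final 'Result:' verdict (absent in a truncated paste), then parse phases.
    body, tail = (trace.strip().split("\nResult:\n", 1) + [""])[:2]
    phases = [parse_phase(b) for b in re.split(r"\n(?=Phase: )", body) if b.startswith("Phase:")]
    verdict = dict(l.split(": ", 1) for l in tail.splitlines() if ": " in l)
    return phases, verdict

def first_drop(trace):
    # (phase number, type, config lines) of the first non-ALLOW phase, or None if all allow.
    return next(((p["phase"], p["type"], p.get("config", []))
                 for p in parse_trace(trace)[0] if p.get("result") != "ALLOW"), None)
```

Feed it the full output of a `packet-tracer ... detailed` run to see at a glance whether the ACL, NAT or route-lookup phase is the one rejecting the flow.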