04-21-2008 10:07 PM - edited 03-11-2019 05:35 AM
Hello,
We just set up a DMZ interface, but for some reason I cannot ping from the DMZ to internal and vice versa. I also cannot ping from the firewall to the DMZ machines. Please help.
access-list 101 permit ip 19.82.32.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list dmz0 permit tcp any host 172.16.20.50 eq 3389
access-list dmz0 permit tcp any host 172.16.20.50 eq ftp
access-list dmz0 permit tcp any host 172.16.20.50 eq ssh
access-list dmz0 permit tcp any host 172.16.20.50 eq www
access-list dmz0 permit tcp any host 172.16.20.50 eq https
access-list dmz0 permit tcp host 172.16.20.50 any eq 3389
access-list dmz0 permit tcp host 172.16.20.50 any eq www
access-list dmz0 permit tcp host 172.16.20.50 any eq https
access-list dmz0 permit icmp any any
access-list dmz0 deny ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz0 1500
mtu dmz1 1500
mtu dmz2 1500
mtu dmz3 1500
ip address outside x.x.x.x 255.255.255.192
ip address inside 19.82.32.120 255.255.254.0
ip address dmz0 172.16.20.1 255.255.255.0
ip address dmz1 127.0.0.1 255.255.255.255
no ip address dmz2
no ip address dmz3
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclients 192.168.1.1-192.168.1.254
no failover
failover timeout 0:00:0
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x netmask 255.255.255.192
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz0) 1 172.16.20.0 255.255.255.0 0 0
static (dmz0,outside) x.x.x.x 172.16.20.50 netmask 255.255.255.255 0 0
static (inside,dmz0) 172.16.20.0 172.16.20.0 netmask 255.255.255.0 0 0
access-group acl_out in interface outside
access-group dmz0 in interface dmz0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host 19.82.32.198 x.x.x.x timeout 5
http server enable
http 19.82.32.0 255.255.254.0 inside
http 19.82.32.214 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto dynamic-map dyna 1 set transform-set strong
crypto map vpn 1 ipsec-isakmp dynamic dyna
crypto map vpn client authentication partnerauth
crypto map vpn interface outside
isakmp enable outside
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
vpngroup cisco address-pool vpnclients
vpngroup cisco dns-server 19.82.32.23
vpngroup cisco wins-server 19.82.32.23
vpngroup cisco default-domain cisco.com
vpngroup cisco split-tunnel 101
vpngroup cisco idle-time 57600
vpngroup cisco password xxxxxx
04-21-2008 10:27 PM
Not sure what this static statement is doing:
static (inside,dmz0) 172.16.20.0 172.16.20.0 netmask 255.255.255.0 0 0
Could you change the above to
static (inside,dmz0) 19.82.32.0 19.82.32.0 netmask 255.255.254.0
which should then allow you to ping from dmz0 to internal hosts.
To ping from the firewall to dmz0 machines:
icmp permit any dmz0
Jon
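The reason the static rewrite above matters is the PIX xlate rule: a packet arriving on a lower-security interface (dmz0) bound for a higher-security one (inside) is only forwarded if a static exists whose mapped side faces dmz0 and covers the destination address; otherwise the PIX drops it with "No translation group found" even though the dmz0 ACL already permits ICMP. The following script is an added example (not from this thread and not Cisco code) that models that lookup over the two static statements quoted above. It assumes security levels outside=0, dmz0=50, inside=100 (no nameif lines were posted), and substitutes the constructed placeholder 203.0.113.10 for the redacted x.x.x.x outside address.

```python
"""Model of the PIX static/xlate lookup behind the dmz0 -> inside ping problem.

Added example, not from the original thread. Interface security levels are
assumed (no nameif lines were posted); the outside address is a constructed
placeholder for the redacted x.x.x.x.
"""
import ipaddress
from dataclasses import dataclass

# Assumed security levels: the posted config shows no nameif lines.
SECURITY = {"outside": 0, "dmz0": 50, "inside": 100}


@dataclass(frozen=True)
class Static:
    real_ifc: str      # interface where the real hosts live
    mapped_ifc: str    # interface on which they are seen as mapped_net
    mapped_net: ipaddress.IPv4Network
    real_net: ipaddress.IPv4Network


def parse_static(line: str) -> Static:
    """Parse: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask [...]"""
    p = line.split()
    real_ifc, mapped_ifc = p[1].strip("()").split(",")
    mask = p[p.index("netmask") + 1]
    return Static(real_ifc, mapped_ifc,
                  ipaddress.IPv4Network(f"{p[2]}/{mask}"),
                  ipaddress.IPv4Network(f"{p[3]}/{mask}"))


def find_xlate(statics, src_ifc, dst_ifc, dst_ip):
    """Lower-to-higher traffic passes only if a static's mapped side faces the
    source interface and covers the destination. Returns that Static or None
    (None is the 'No translation group found' drop)."""
    if SECURITY[src_ifc] >= SECURITY[dst_ifc]:
        raise ValueError("higher-to-lower traffic is handled by nat/global, not this check")
    ip = ipaddress.IPv4Address(dst_ip)
    for s in statics:
        if s.mapped_ifc == src_ifc and s.real_ifc == dst_ifc and ip in s.mapped_net:
            return s
    return None


def acl_permits_icmp(acl_lines):
    """True if the interface ACL permits icmp any any before its explicit deny."""
    for line in acl_lines:
        words = line.split()
        if words[2:6] == ["permit", "icmp", "any", "any"]:
            return True
        if words[2:5] == ["deny", "ip", "any"]:
            return False
    return False


def dmz_can_ping_inside(statics, acl_lines, dst_ip="19.82.32.50"):
    """Both conditions must hold: the ingress ACL permits ICMP and an xlate exists."""
    return acl_permits_icmp(acl_lines) and \
        find_xlate(statics, "dmz0", "inside", dst_ip) is not None


# Constructed from the posted config; 203.0.113.10 stands in for x.x.x.x.
ORIGINAL = [
    "static (dmz0,outside) 203.0.113.10 172.16.20.50 netmask 255.255.255.255 0 0",
    "static (inside,dmz0) 172.16.20.0 172.16.20.0 netmask 255.255.255.0 0 0",
]
FIXED = [
    ORIGINAL[0],
    "static (inside,dmz0) 19.82.32.0 19.82.32.0 netmask 255.255.254.0",
]
DMZ0_ACL = [
    "access-list dmz0 permit tcp any host 172.16.20.50 eq 3389",
    "access-list dmz0 permit icmp any any",
    "access-list dmz0 deny ip any any",
]

if __name__ == "__main__":
    for label, lines in (("original", ORIGINAL), ("fixed", FIXED)):
        statics = [parse_static(l) for l in lines]
        print(label, "dmz0 -> 19.82.32.50 xlate:",
              find_xlate(statics, "dmz0", "inside", "19.82.32.50"))
        print(label, "dmz0 can ping inside:", dmz_can_ping_inside(statics, DMZ0_ACL))
```

With the original statement the only (inside,dmz0) static covers 172.16.20.0/24, so no inside address in 19.82.32.0/23 has an xlate as seen from dmz0 and the ping is dropped; with the identity static for 19.82.32.0/23 the lookup succeeds and the existing `permit icmp any any` on the dmz0 ACL lets the echo through. Return traffic rides the same xlate, so no separate rule is needed for the reply.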