Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Firewall 515 DMZ


We just setup a dmz interface but for some reason I cannot ping from dmz to internal and vi-versa. Also cannot ping from firewall to dmz machines. Please help

access-list 101 permit ip

access-list dmz0 permit tcp any host eq 3389

access-list dmz0 permit tcp any host eq ftp

access-list dmz0 permit tcp any host eq ssh

access-list dmz0 permit tcp any host eq www

access-list dmz0 permit tcp any host eq https

access-list dmz0 permit tcp host any eq 3389

access-list dmz0 permit tcp host any eq www

access-list dmz0 permit tcp host any eq https

access-list dmz0 permit icmp any any

access-list dmz0 deny ip any any

pager lines 24

mtu outside 1500

mtu inside 1500

mtu dmz0 1500

mtu dmz1 1500

mtu dmz2 1500

mtu dmz3 1500

ip address outside x.x.x.x

ip address inside

ip address dmz0

ip address dmz1

no ip address dmz2

no ip address dmz3

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit info action alarm

ip audit attack action alarm

ip local pool vpnclients

no failover

failover timeout 0:00:0

pdm history enable

arp timeout 14400

global (outside) 1 x.x.x.x netmask

nat (inside) 0 access-list 101

nat (inside) 1 0 0

nat (dmz0) 1 0 0

static (dmz0,outside) x.x.x.x netmask 0 0

static (inside,dmz0) netmask 0 0

access-group acl_out in interface outside

access-group dmz0 in interface dmz0

route outside x.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

aaa-server partnerauth protocol radius

aaa-server partnerauth max-failed-attempts 3

aaa-server partnerauth deadtime 10

aaa-server partnerauth (inside) host x.x.x.x timeout 5

http server enable

http inside

http inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set strong esp-3des esp-md5-hmac

crypto dynamic-map dyna 1 set transform-set strong

crypto map vpn 1 ipsec-isakmp dynamic dyna

crypto map vpn client authentication partnerauth

crypto map vpn interface outside

isakmp enable outside

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption 3des

isakmp policy 1 hash md5

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

vpngroup cisco address-pool vpnclients

vpngroup cisco dns-server

vpngroup cisco wins-server

vpngroup cisco default-domain

vpngroup cisco split-tunnel 101

vpngroup cisco idle-time 57600

vpngroup cisco password xxxxxx

Hall of Fame Super Blue

Re: Firewall 515 DMZ

Not sure what this static statement is doing

static (inside,dmz0) netmask 0 0

Could you change the above to

static (inside,dmz0) netmask

which should then allow you to ping from dmz0 to internal hosts.

To ping from firewall to dmz0 machines

icmp permit any dmz0