Hello,

We just setup a dmz interface but for some reason I cannot ping from dmz to internal and vi-versa. Also cannot ping from firewall to dmz machines. Please help

access-list 101 permit ip 19.82.32.0 255.255.254.0 192.168.1.0 255.255.255.0

access-list dmz0 permit tcp any host 172.16.20.50 eq 3389

access-list dmz0 permit tcp any host 172.16.20.50 eq ftp

access-list dmz0 permit tcp any host 172.16.20.50 eq ssh

access-list dmz0 permit tcp any host 172.16.20.50 eq www

access-list dmz0 permit tcp any host 172.16.20.50 eq https

access-list dmz0 permit tcp host 172.16.20.50 any eq 3389

access-list dmz0 permit tcp host 172.16.20.50 any eq www

access-list dmz0 permit tcp host 172.16.20.50 any eq https

access-list dmz0 permit icmp any any

access-list dmz0 deny ip any any

pager lines 24

mtu outside 1500

mtu inside 1500

mtu dmz0 1500

mtu dmz1 1500

mtu dmz2 1500

mtu dmz3 1500

ip address outside x.x.x.x 255.255.255.192

ip address inside 19.82.32.120 255.255.254.0

ip address dmz0 172.16.20.1 255.255.255.0

ip address dmz1 127.0.0.1 255.255.255.255

no ip address dmz2

no ip address dmz3

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit info action alarm

ip audit attack action alarm

ip local pool vpnclients 192.168.1.1-192.168.1.254

no failover

failover timeout 0:00:0

pdm history enable

arp timeout 14400

global (outside) 1 x.x.x.x netmask 255.255.255.192

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz0) 1 172.16.20.0 255.255.255.0 0 0

static (dmz0,outside) x.x.x.x 172.16.20.50 netmask 255.255.255.255 0 0

static (inside,dmz0) 172.16.20.0 172.16.20.0 netmask 255.255.255.0 0 0

access-group acl_out in interface outside

access-group dmz0 in interface dmz0

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

aaa-server partnerauth protocol radius

aaa-server partnerauth max-failed-attempts 3

aaa-server partnerauth deadtime 10

aaa-server partnerauth (inside) host 19.82.32.198 x.x.x.x timeout 5

http server enable

http 19.82.32.0 255.255.254.0 inside

http 19.82.32.214 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set strong esp-3des esp-md5-hmac

crypto dynamic-map dyna 1 set transform-set strong

crypto map vpn 1 ipsec-isakmp dynamic dyna

crypto map vpn client authentication partnerauth

crypto map vpn interface outside

isakmp enable outside

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption 3des

isakmp policy 1 hash md5

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

vpngroup cisco address-pool vpnclients

vpngroup cisco dns-server 19.82.32.23

vpngroup cisco wins-server 19.82.32.23

vpngroup cisco default-domain cisco.com

vpngroup cisco split-tunnel 101

vpngroup cisco idle-time 57600

vpngroup cisco password xxxxxx