Hi Bro

Cisco ASA FW is a stateful FW. This means in your rules, you don't have to permit 2-way. Just do the following to permit ICMP and TRACEROUTE, and all will be good :-)

Note: Please change the security-level LAN from 50 to 100 & DMZ from 100 to 50.

nat-control

static (LAN,DMZ) 172.20.4.0 172.20.4.0 netmask 255.255.255.252

static (LAN,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

no access-list DMZ-->LAN extended permit ip any any
no access-list LAN-->DMZ extended permit ip any any
no access-list LAN-->DMZ extended permit icmp any any
no access-list DMZ-->LAN extended permit icmp any any

access-list DMZ-->LAN extended permit icmp any any echo
access-list DMZ-->LAN extended permit icmp any any echo-reply
access-list DMZ-->LAN extended permit icmp any any time-exceeded
access-list DMZ-->LAN extended permit icmp any any unreachable
access-list DMZ-->LAN extended permit udp any any range 33434 33464
access-list DMZ-->LAN deny ip any any log

access-list LAN-->DMZ extended permit icmp any any echo
access-list LAN-->DMZ extended permit icmp any any echo-reply
access-list LAN-->DMZ extended permit icmp any any time-exceeded
access-list LAN-->DMZ extended permit icmp any any unreachable
access-list LAN-->DMZ extended permit udp any any range 33434 33464
access-list LAN-->DMZ deny ip any any log

no access-group DMZ-->LAN out interface LAN
no access-group LAN-->DMZ out interface DMZ

access-group LAN-->DMZ in interface LAN
access-group DMZ-->LAN in interface DMZ

policy-map global_policy

  class inspection_default

    inspect icmp error

    inspect icmp

  class class-default

    set connection decrement-ttl

Note: Provided your workstations have the correct default gateway set in LAN and DMZ.

Hi Jeniffer,

I need NAT in future. Actually I started to configure this firewall but in first stage I faced this issue and that's why I permitted anything in two direction.

In that case, pls configure the following instead:

static (DMZ,LAN) 172.30.0.0 172.30.0.0 netmask 255.255.255.0

static (DMZ,LAN) 172.20.4.64 172.20.4.64 netmask 255.255.255.252

Then "clear xlate" after the changes.

Problem still exist. I have tested it on ASA5520 and there is no problem on that. Is there diffrence between them in rules?

No, there is no difference at all between 5520 and 5510 as far as software and configuration is concern, they should behave in exactly the same way.

Are you trying to ping the host or interface of the ASA?

Just FYI, you can't ping cross interface, ie: from a host on LAN you can't ping ASA DMZ interface and vice versa. You can only ping through the ASA, ie: from host on LAN towards host on DMZ and vice versa.

Please advise what you are trying to ping to and from, and also run "debug icmp trace" to see if the ASA is receiving and replying to the ICMP packets.

I want to ping through ASA. From host on LAN towards host on DMZ. Debug icmp shows that packet is coming from LAN interface to DMZ, but no reply is sent back.

Can you please advise what ip address you are trying to ping from and to?

Also does the DMZ host and/or 172.20.4.66 device knows to route back towards the ASA DMZ Interface IP for access towards LAN host?

Can you ping between the 172.20.4.66 and 172.20.4.1 devices through the ASA?

Hi i am sending topology and running config ,i hope it will help you.

i am able to recieve icmp packet from lan to dmz and dmz to lan

!

interface GigabitEthernet0

nameif management

security-level 100

ip address 10.1.1.1 255.0.0.0

!

interface GigabitEthernet1

nameif outside

security-level 0

ip address 20.1.1.1 255.0.0.0

!

interface GigabitEthernet2

nameif LAN

security-level 50

ip address 172.20.4.2 255.255.255.252

!

interface GigabitEthernet3

nameif DMZ

security-level 100

ip address 172.20.4.65 255.255.255.252

!

interface GigabitEthernet4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet5

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list LAN_access_in extended permit icmp any any

access-list LAN_access_out extended permit ip any any

access-list DMZ_access_in extended permit ip any any

access-list DMZ_access_out extended permit ip any any

pager lines 24

mtu management 1500

mtu outside 1500

mtu LAN 1500

mtu DMZ 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

access-group LAN_access_in in interface LAN

access-group LAN_access_out out interface LAN

access-group DMZ_access_in in interface DMZ

access-group DMZ_access_out out interface DMZ

route LAN 173.1.0.0 255.255.0.0 172.20.4.1 1

route DMZ 174.1.0.0 255.255.0.0 172.20.4.66 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 10.1.1.2 255.255.255.255 management

no snmp-server location

no snmp-server contact

crl configure

and boss there is also another way to do this

you can create a police map or edit default policy map

policy-map global-policy

class global-class

  inspect dns

  inspect esmtp

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect sip

  inspect skinny

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect xdmcp

inspect icmp

  inspect icmp error