Cisco Support Community
Community Member

Need a hand with DMZ

I can't seem to get this going for the life of me. Maybe I'm a little fuzzy on the concepts, but I've done this before without problems. I need the DMZ hosts to be able to ping anything we have inside and outside our network. I will lock down anything else afterwards; right now I can't get anything in the DMZ to access anything outside or inside.

interface Ethernet0/0
description Public
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.224
!
interface Ethernet0/1
description Private
nameif inside
security-level 100
ip address 192.168.40.1 255.255.255.0
!
interface Ethernet0/2
description DMZ
nameif dmz
security-level 50
ip address 192.168.41.1 255.255.255.0

access-list dmz-allowed-in extended permit ip any any

access-group dmz-allowed-in in interface dmz

access-list allowed-in extended permit icmp any host 1.1.1.2

access-group allowed-in in interface outside

access-list allow-out extended permit ip 192.168.40.0 255.255.255.0 any

access-group allow-out in interface inside

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 dns
nat (dmz) 1 0.0.0.0 0.0.0.0 dns

static (inside,dmz) 192.168.40.0 192.168.40.0 netmask 255.255.255.0

static (dmz,outside) 1.1.1.2 192.168.41.10 netmask 255.255.255.255

Packet tracer from inside to dmz host 192.168.41.1 says it's dropped by implicit rules.

Packet tracer from dmz to inside host 192.168.40.1 says it's dropped by implicit rules:
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Packet tracer from outside to the dmz host's public address says it's allowed.

Packet tracer from dmz to an outside address says it's allowed.

It would seem at least ping to the outside from the DMZ should work, but it doesn't.

15 REPLIES
Cisco Employee

Need a hand with DMZ

Do you have "inspect icmp" configured?

Community Member

Need a hand with DMZ

Yes at the moment but I have tested with it disabled and same results.

Cisco Employee

Need a hand with DMZ

It should be enabled, not disabled.

Community Member

Need a hand with DMZ

And it is.

Cisco Employee

Need a hand with DMZ

This sounds wrong:

Packet tracer from inside to dmz host 192.168.41.1 says it's dropped by implicit rules

Packet tracer from dmz to inside host 192.168.40.1 says it's dropped by implicit rules

Both addresses are assigned to your ASA firewall interfaces, so you can't have a host with that IP address.
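As an added example (not code from the thread or from Cisco), here is a small Python model of the ASA's ingress decision, fed with the configuration from the first post as constructed sample input. It checks the three things this thread turns on: whether the destination is one of the ASA's own interface addresses (the point made in this reply), whether the ingress interface has an access-group applied (which replaces the implicit higher-to-lower-security permit), and otherwise the implicit security-level rule. The .10 host addresses and the outside source 203.0.113.5 are constructed; NAT is parsed past, not modelled, and routing is assumed to be connected subnets plus a default route via "outside".

```python
# Added example, not from the original thread: a small model of the ASA's
# ingress decision for a through-the-box packet, fed with the poster's own
# configuration as constructed sample input. NAT lines are skipped, and routing
# is assumed to be connected subnets plus a default route via "outside".
import ipaddress

SAMPLE_CONFIG = """
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.40.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.41.1 255.255.255.0
!
access-list dmz-allowed-in extended permit ip any any
access-group dmz-allowed-in in interface dmz
access-list allowed-in extended permit icmp any host 1.1.1.2
access-group allowed-in in interface outside
access-list allow-out extended permit ip 192.168.40.0 255.255.255.0 any
access-group allow-out in interface inside
"""

def _take_addr(tokens, i):
    """Consume one ACL address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_config(text):
    """Extract interfaces (nameif, security-level, address), extended ACLs and access-groups."""
    cfg = {"interfaces": {}, "acls": {}, "groups": {}}
    current = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "!":
            current = None                      # end of an interface block
        elif tokens[0] == "interface":
            current = {"security": 0, "addr": None}
        elif tokens[0] == "nameif" and current is not None:
            cfg["interfaces"][tokens[1]] = current
        elif tokens[0] == "security-level" and current is not None:
            current["security"] = int(tokens[1])
        elif tokens[:2] == ["ip", "address"] and current is not None:
            current["addr"] = ipaddress.ip_interface(f"{tokens[2]}/{tokens[3]}")
        elif tokens[0] == "access-list" and tokens[2] == "extended":
            # access-list NAME extended permit|deny PROTO SRC DST
            src, i = _take_addr(tokens, 5)
            dst, _ = _take_addr(tokens, i)
            cfg["acls"].setdefault(tokens[1], []).append((tokens[3], tokens[4], src, dst))
        elif tokens[0] == "access-group":
            cfg["groups"][tokens[4]] = tokens[1]  # access-group NAME in interface IFNAME
    return cfg

def evaluate(cfg, ingress, proto, src, dst):
    """Return (verdict, reason) for a packet arriving on interface `ingress`."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ifaces = cfg["interfaces"]
    # A packet addressed to one of the ASA's own interface IPs is to-the-box
    # traffic: it is never forwarded, so packet-tracer reports it as dropped.
    for name, info in ifaces.items():
        if dst_ip == info["addr"].ip:
            return "DROP", f"{dst} is the ASA's own {name} interface address (to-the-box)"
    egress = next((n for n, i in ifaces.items() if dst_ip in i["addr"].network), "outside")
    acl_name = cfg["groups"].get(ingress)
    if acl_name is None:
        # No access-group on the ingress interface: the implicit rule applies and
        # permits only traffic going from a higher to a lower security level.
        if ifaces[ingress]["security"] > ifaces[egress]["security"]:
            return "ALLOW", f"implicit rule: {ingress} -> {egress} is higher-to-lower"
        return "DROP", f"implicit rule: {ingress} -> {egress} is lower-to-higher, needs an ACL"
    # An access-group replaces the implicit permit: first match wins, implicit deny last.
    for action, rule_proto, rule_src, rule_dst in cfg["acls"][acl_name]:
        if rule_proto in ("ip", proto) and src_ip in rule_src and dst_ip in rule_dst:
            return ("ALLOW" if action == "permit" else "DROP"), f"matched {acl_name}: {action} {rule_proto}"
    return "DROP", f"implicit deny at the end of {acl_name}"

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for case in [("inside", "icmp", "192.168.40.10", "192.168.41.1"),   # ASA's own dmz address
                 ("inside", "icmp", "192.168.40.10", "192.168.41.10"),  # a DMZ host
                 ("dmz", "icmp", "192.168.41.10", "192.168.40.10"),
                 ("outside", "tcp", "203.0.113.5", "1.1.1.2")]:         # constructed source
        print(case, "->", evaluate(cfg, *case))
    no_group = parse_config(SAMPLE_CONFIG)
    del no_group["groups"]["dmz"]                # same flow without the dmz access-group
    print("dmz without ACL ->", evaluate(no_group, "dmz", "icmp", "192.168.41.10", "192.168.40.10"))
```

Running it reproduces the poster's two results: a packet-tracer destination of 192.168.41.1 is dropped because it is the firewall's own dmz address, while the .10 hosts are permitted by the access-groups on each interface. Deleting the dmz access-group shows the implicit rule on its own: dmz (50) to inside (100) is then dropped while dmz to outside (0) still passes, which is why lower-to-higher flows always need an explicit ACL.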

Community Member

Need a hand with DMZ

Ah yes, bad examples, so I redid them with .10 addresses and they say they are supposed to be passed on.

Cisco Employee

Need a hand with DMZ

Great, that means there's nothing wrong with the ASA config.

You might want to check the host itself: correct subnet mask? Correct default gateway? Connected to the correct VLAN, etc.?

Community Member

Re: Need a hand with DMZ

So, host in the dmz, connected to vlan 6, DMZ interface in vlan 6.

Public side connected to vlan 3

Host inside connected to vlan 1, inside interface in vlan 1.

Both use the ASA as their default gateway.

Cisco Employee

Need a hand with DMZ

Run "debug icmp trace" and see if you are getting the echo and/or echo-reply on the ASA.

Or do a packet capture on the ASA and see if the echo is reaching and leaving the ASA, and if the echo-reply is reaching and leaving the ASA.

Community Member

Re: Need a hand with DMZ

Yes, I get the echo request and reply.

Cisco Employee

Re: Need a hand with DMZ

Is the echo reply leaving the firewall?

Community Member

Re: Need a hand with DMZ

I didn't do an actual packet capture on the host yet, but it would seem it is, from the debug.

Sending 5, 100-byte ICMP Echos to 192.168.41.10, timeout is 2 seconds:

ICMP echo request from 192.168.41.1 to 192.168.41.10 ID=23829 seq=42700 len=72

ICMP echo reply from 192.168.41.10 to 192.168.41.1 ID=23829 seq=42700 len=72

!ICMP echo request from 192.168.41.1 to 192.168.41.10 ID=23829 seq=42700 len=72

!!ICMP echo reply from 192.168.41.10 to 192.168.41.1 ID=23829 seq=42700 len=72

ICMP echo request from 192.168.41.1 to 192.168.41.10 ID=23829 seq=42700 len=72

!ICMP echo reply from 192.168.41.10 to 192.168.41.1 ID=23829 seq=42700 len=72

ICMP echo request from 192.168.41.1 to 192.168.41.10 ID=23829 seq=42700 len=72

!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Cisco Employee

Re: Need a hand with DMZ

?? Are you just pinging from the ASA towards your DMZ host?

I thought you were having an issue with ping through the firewall from the DMZ host??
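The debug output quoted a few posts up shows every echo request sourced from 192.168.41.1, the ASA's own dmz interface, which is what this reply is pointing out. As an added example (not code from the thread or from Cisco), the script below parses "debug icmp trace" lines, pairs requests with replies by ICMP ID and sequence number, and flags requests whose source is one of the firewall's interface addresses, i.e. pings sent from the box rather than through it. The first sample repeats the lines quoted in the thread; the second is a constructed through-the-box ping with one missing reply. The interface address table is taken from the poster's configuration.

```python
# Added example (not from the thread): parse "debug icmp trace" output, pair
# echo requests with replies by ICMP ID/seq, and flag requests sourced from one
# of the ASA's own interface addresses (pings sent from the box, not through it).
import re
from collections import defaultdict

# Interface addresses from the poster's configuration
ASA_INTERFACE_ADDRS = {"1.1.1.1": "outside", "192.168.40.1": "inside", "192.168.41.1": "dmz"}

# Constructed sample 1: the debug lines quoted in the thread, including the "!"
# ping progress markers that the CLI prints at the start of some lines.
SAMPLE_ON_BOX = """
Sending 5, 100-byte ICMP Echos to 192.168.41.10, timeout is 2 seconds:
ICMP echo request from 192.168.41.1 to 192.168.41.10 ID=23829 seq=42700 len=72
ICMP echo reply from 192.168.41.10 to 192.168.41.1 ID=23829 seq=42700 len=72
!ICMP echo request from 192.168.41.1 to 192.168.41.10 ID=23829 seq=42700 len=72
!!ICMP echo reply from 192.168.41.10 to 192.168.41.1 ID=23829 seq=42700 len=72
ICMP echo request from 192.168.41.1 to 192.168.41.10 ID=23829 seq=42700 len=72
!ICMP echo reply from 192.168.41.10 to 192.168.41.1 ID=23829 seq=42700 len=72
ICMP echo request from 192.168.41.1 to 192.168.41.10 ID=23829 seq=42700 len=72
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
"""

# Constructed sample 2: a DMZ host pinging an inside host through the ASA,
# where the second request never gets a reply.
SAMPLE_THROUGH_BOX = """
ICMP echo request from 192.168.41.10 to 192.168.40.10 ID=1 seq=1 len=72
ICMP echo reply from 192.168.40.10 to 192.168.41.10 ID=1 seq=1 len=72
ICMP echo request from 192.168.41.10 to 192.168.40.10 ID=1 seq=2 len=72
"""

LINE_RE = re.compile(r"ICMP echo (request|reply) from (\S+) to (\S+) ID=(\d+) seq=(\d+) len=(\d+)")

def parse_trace(text):
    """Return one dict per ICMP debug line; other lines and '!' markers are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)   # search() tolerates the leading "!" progress markers
        if m:
            kind, src, dst, ident, seq, length = m.groups()
            events.append({"kind": kind, "src": src, "dst": dst,
                           "id": int(ident), "seq": int(seq), "len": int(length)})
    return events

def summarize(events, asa_addrs=ASA_INTERFACE_ADDRS):
    """Pair requests and replies by (ID, seq) and report which were sourced on the ASA."""
    requests, replies = defaultdict(int), defaultdict(int)
    on_box = set()
    for e in events:
        key = (e["id"], e["seq"])  # when ID/seq repeat, as in sample 1, counts aggregate
        if e["kind"] == "request":
            requests[key] += 1
            if e["src"] in asa_addrs:
                on_box.add(asa_addrs[e["src"]])
        else:
            replies[key] += 1
    return {
        "requests": sum(requests.values()),
        "replies": sum(replies.values()),
        "unanswered": sorted(k for k in requests if replies.get(k, 0) == 0),
        "sourced_on_asa": sorted(on_box),
    }

if __name__ == "__main__":
    for label, sample in (("on-box ping", SAMPLE_ON_BOX), ("through-box ping", SAMPLE_THROUGH_BOX)):
        print(label, summarize(parse_trace(sample)))
```

For the quoted output the summary reports four requests, three replies and "sourced_on_asa": ["dmz"], which is the quickest way to see that a trace was produced by the ASA's own ping rather than by a host behind it; a genuine through-the-box test should show an empty "sourced_on_asa" list, and any entries under "unanswered" then point at the direction in which replies are being lost.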

Community Member

Re: Need a hand with DMZ

Yes through the firewall. From the DMZ to internal hosts, from the DMZ to the internet.

Community Member

Re: Need a hand with DMZ

I just restarted the ASA, and it's working now without any changes done....
