Need a hand with DMZ

rwharris13
Level 1

I can't seem to get this going for the life of me, maybe a little fuzzy on the concepts but I've done this before without problems. I need the DMZ hosts to be able to ping anything we have inside and outside our network. I will lock down anything else after, right now I can't get anything in the DMZ to access anything outside or inside.

interface Ethernet0/0
description Public
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.224
!
interface Ethernet0/1
description Private
nameif inside
security-level 100
ip address 192.168.40.1 255.255.255.0
!
interface Ethernet0/2
description DMZ
nameif dmz
security-level 50
ip address 192.168.41.1 255.255.255.0

access-list dmz-allowed-in extended permit ip any any

access-group dmz-allowed-in in interface dmz

access-list allowed-in extended permit icmp any host 1.1.1.2

access-group allowed-in in interface outside

access-list allow-out extended permit ip 192.168.40.0 255.255.255.0 any

access-group allow-out in interface inside

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 dns
nat (dmz) 1 0.0.0.0 0.0.0.0 dns

static (inside,dmz) 192.168.40.0 192.168.40.0 netmask 255.255.255.0

static (dmz,outside) 1.1.1.2 192.168.41.10 netmask 255.255.255.255

Packet tracer from inside to dmz host 192.168.41.1 says it's dropped by implicit rules

Packet tracer from dmz to inside host 192.168.40.1 says it's dropped by implicit rules
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Packet tracer from outside to dmz host's public address says it's allowed

Packet tracer from dmz to outside address says it's allowed

It would seem at least ping to the outside from DMZ should work but it doesn't.
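The packet-tracer results above follow from three ASA rules: traffic aimed at an ASA interface IP is only accepted on that same interface, an interface with an access-group applied is governed by that ACL and its implicit deny, and an interface without one falls back to the security-level rule. The following is an added example, not code from this thread or from Cisco: a small Python model of those rules built from the posted configuration (pre-8.3 semantics, so ACLs are checked against the mapped address before the static is applied). It assumes a default route via outside, which the posted config does not show, and the external host 198.51.100.7 is a constructed value.

```python
"""Simplified model of a pre-8.3 Cisco ASA deciding whether a packet that
enters one interface may be forwarded, built from the configuration posted
in this thread. Educational approximation, not ASA code."""
import ipaddress

# Interfaces from the posted config: nameif -> security level, connected subnet, interface IP.
INTERFACES = {
    "outside": {"level": 0,   "net": ipaddress.ip_network("1.1.1.0/27"),      "ip": "1.1.1.1"},
    "inside":  {"level": 100, "net": ipaddress.ip_network("192.168.40.0/24"), "ip": "192.168.40.1"},
    "dmz":     {"level": 50,  "net": ipaddress.ip_network("192.168.41.0/24"), "ip": "192.168.41.1"},
}

# access-list <name> extended permit <proto> <src> <dst>, one tuple per ACE.
ACLS = {
    "dmz-allowed-in": [("ip",   "0.0.0.0/0",       "0.0.0.0/0")],
    "allowed-in":     [("icmp", "0.0.0.0/0",       "1.1.1.2/32")],
    "allow-out":      [("ip",   "192.168.40.0/24", "0.0.0.0/0")],
}

# access-group <acl> in interface <nameif>
ACCESS_GROUPS = {"dmz": "dmz-allowed-in", "outside": "allowed-in", "inside": "allow-out"}

# static (real_if,mapped_if) <mapped> <real>; the identity static for inside->dmz
# changes no addresses, so only the dmz/outside one matters for this model.
STATICS = [("dmz", "outside", "1.1.1.2", "192.168.41.10")]

DEFAULT_ROUTE_IF = "outside"  # assumption: the box has a default route via outside


def egress_interface(dst):
    """Pick the egress interface by longest match on connected subnets, else the default route."""
    best = None
    for name, info in INTERFACES.items():
        if dst in info["net"] and (best is None or info["net"].prefixlen > INTERFACES[best]["net"].prefixlen):
            best = name
    return best or DEFAULT_ROUTE_IF


def ace_matches(ace, proto, src, dst):
    """An ACE for protocol 'ip' matches any protocol; otherwise protocols must agree."""
    ace_proto, ace_src, ace_dst = ace
    return (ace_proto in ("ip", proto)
            and src in ipaddress.ip_network(ace_src)
            and dst in ipaddress.ip_network(ace_dst))


def untranslate(ingress, dst):
    """Map a static's public (mapped) address back to the real host when the packet
    arrives on the mapped-side interface. Pre-8.3 ACLs are checked before this step."""
    for real_if, mapped_if, mapped, real in STATICS:
        if mapped_if == ingress and dst == ipaddress.ip_address(mapped):
            return ipaddress.ip_address(real)
    return dst


def trace(ingress, proto, src, dst):
    """Return a dict describing what the model does with a packet entering `ingress`."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. Traffic addressed to the ASA itself: only the ingress interface's own IP is reachable.
    for name, info in INTERFACES.items():
        if dst == ipaddress.ip_address(info["ip"]):
            if name == ingress:
                return {"action": "TO-BOX", "reason": "handled by the ASA's icmp commands, not interface ACLs"}
            return {"action": "DROP", "reason": f"implicit rule: {name} interface IP is not reachable via {ingress}"}
    # 2. Inbound ACL bound to the ingress interface, evaluated against the mapped (pre-8.3) address.
    acl_name = ACCESS_GROUPS.get(ingress)
    if acl_name is not None:
        if not any(ace_matches(ace, proto, src, dst) for ace in ACLS[acl_name]):
            return {"action": "DROP", "reason": f"no ACE in {acl_name} matched: implicit deny"}
        real_dst = untranslate(ingress, dst)
        return {"action": "PERMIT", "reason": f"{acl_name} matched",
                "egress": egress_interface(real_dst), "real_dst": str(real_dst)}
    # 3. No ACL bound: the implicit security-level rule decides.
    real_dst = untranslate(ingress, dst)
    egress = egress_interface(real_dst)
    if INTERFACES[ingress]["level"] > INTERFACES[egress]["level"]:
        return {"action": "PERMIT", "reason": "implicit rule: higher to lower security level",
                "egress": egress, "real_dst": str(real_dst)}
    return {"action": "DROP", "reason": "implicit rule: lower to higher security level needs an ACL"}


if __name__ == "__main__":
    # The cases from the thread plus one inbound TCP attempt (198.51.100.7 is a constructed host).
    for case in [("inside", "icmp", "192.168.40.10", "192.168.41.1"),
                 ("inside", "icmp", "192.168.40.10", "192.168.41.10"),
                 ("dmz", "icmp", "192.168.41.10", "192.168.40.10"),
                 ("dmz", "icmp", "192.168.41.10", "198.51.100.7"),
                 ("outside", "icmp", "198.51.100.7", "1.1.1.2"),
                 ("outside", "tcp", "198.51.100.7", "1.1.1.2")]:
        print(case, "->", trace(*case))
```

Running it reproduces the thread: a ping from inside to 192.168.41.1 (the ASA's own DMZ address) is dropped, the same ping to the DMZ host 192.168.41.10 is permitted, the DMZ host reaches both inside and outside through `dmz-allowed-in`, and only ICMP to the public address 1.1.1.2 passes the outside ACL before being mapped to 192.168.41.10. Once a model like this and the real packet-tracer agree, the remaining suspects are the hosts themselves (mask, gateway, VLAN), which is where the thread ends up.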

15 Replies

Jennifer Halim
Cisco Employee

Do you have "inspect icmp" configured?

Yes at the moment but I have tested with it disabled and same results.

It should be enabled, not disabled.

And it is.

This sounds wrong:

Packet tracer from inside to dmz host 192.168.41.1 says it's dropped by implicit rules

Packet tracer from dmz to inside host 192.168.40.1 says it's dropped by implicit rules

Both addresses are assigned to your ASA firewall interfaces, so you can't have a host with that IP address.

Ah yes, bad examples, so I redid them with .10 addresses and they say they are supposed to be passed on.

Great, that means nothing wrong with the ASA config.

You might want to check the host itself, correct subnet mask? correct default gateway? connected to the correct VLAN/etc?

So, host in the dmz, connected to vlan 6, DMZ interface in vlan 6.

Public side connected to vlan 3

Host inside connected to vlan 1, inside interface in vlan 1.

Both use the ASA as their default gateway.

Run "debug icmp trace" and see if you are getting the echo and/or echo-reply on the ASA

OR/ do packet capture on the ASA and see if echo is reaching and leaving the ASA, and if echo-reply is reaching and leaving the ASA.

Yes, I get the echo request and reply.

Is the echo reply leaving the firewall?

I didn't do an actual packet capture on the host yet but it would seem it is from the debug.

Sending 5, 100-byte ICMP Echos to 192.168.41.10, timeout is 2 seconds:

ICMP echo request from 192.168.41.1 to 192.168.41.10 ID=23829 seq=42700 len=72

ICMP echo reply from 192.168.41.10 to 192.168.41.1 ID=23829 seq=42700 len=72

!ICMP echo request from 192.168.41.1 to 192.168.41.10 ID=23829 seq=42700 len=72

!!ICMP echo reply from 192.168.41.10 to 192.168.41.1 ID=23829 seq=42700 len=72

ICMP echo request from 192.168.41.1 to 192.168.41.10 ID=23829 seq=42700 len=72

!ICMP echo reply from 192.168.41.10 to 192.168.41.1 ID=23829 seq=42700 len=72

ICMP echo request from 192.168.41.1 to 192.168.41.10 ID=23829 seq=42700 len=72

!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

?? Are you just pinging from ASA towards your DMZ host?

I thought you are having issue with ping through the firewall from DMZ host??

Yes through the firewall. From the DMZ to internal hosts, from the DMZ to the internet.
