I have a 5520 with a basic configuration. I cannot ping a server directly connected to the DMZ interface from a PC on the inside interface. The DMZ interface is up and from the ASA I can ping this server. The message I see in the ASA is
The adaptive security appliance denied any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically permitted
But I have configured "Allow any IP traffic" from the outside interface. There is no NAT configured. Any idea why this could be?
Well, if you are trying to ping from an inside host towards a DMZ host, you would need to configure the ACL on the inside interface to allow the access, not on the outside interface, because the outside interface is not in the traffic path.
You would also need to configure a static translation to itself between inside and DMZ, unless you have "nat-control" disabled and you have no NAT statement configured at all.
Lastly, you would need to configure "inspect icmp" under the global policy on the default class inspection.
Sorry, I didn't explain it well. I have configured an ACL to allow access to the DMZ server. I haven't got any NAT configured in the DMZ and inspect icmp is applied. The log says there is no policy to allow this traffic, but I have a "permit any any".
I just solved it. I have the same security level on the DMZ and on the inside interface from which I was testing (in this firewall there are 4 different inside interfaces, each one with a different security level). I needed to mark "Enable traffic between two or more interfaces which are configured with same security levels". I thought that if you configured explicit rules it was not necessary. I was wrong :-)
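The fix the thread arrives at, written out as an ASA CLI configuration so the three pieces (same-security permit, inbound ACL on the source interface, ICMP inspection) and a verification step can be seen together. This is an added example, not configuration posted by anyone in the thread; the interface names, security levels, IP addresses and ACL name are assumed values, and the NAT remark assumes a pre-8.3 release since the poster's version is not stated.

```cisco
! Added example, not from the thread. Interface names, security levels,
! addresses and the ACL name are assumed values.
interface GigabitEthernet0/1
 nameif inside
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! Both interfaces sit at security-level 50. Without this command the ASA
! drops inside<->dmz traffic before any ACL is evaluated, which is why a
! "permit ip any any" on the inside ACL did not help. This is the CLI
! equivalent of the ASDM checkbox named in the thread.
same-security-traffic permit inter-interface
!
! ACL applied inbound on the interface the PC sits behind (inside), not on
! outside. Only echo is permitted; replies are handled by ICMP inspection.
access-list inside_access_in extended permit icmp 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0 echo
access-group inside_access_in in interface inside
!
! Pre-8.3 only: if nat-control is enabled, an identity static is required so
! hosts pass between the two interfaces untranslated, e.g.
!   static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
! Not needed when nat-control is off (the thread's case) or on 8.3+, where
! the absence of a NAT rule simply means no translation.
!
! Stateful ICMP inspection so echo-replies return without a dmz-side ACL entry.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification: simulate an echo request (type 8, code 0) from the PC to the
! DMZ server. The final line should read "Action: allow"; a drop names the
! phase that rejected the packet (e.g. the same-security check or the ACL).
packet-tracer input inside icmp 10.1.1.10 8 0 192.168.10.5
```

The packet-tracer line is the check worth running before and after the change: with the two interfaces at equal security levels and no `same-security-traffic permit inter-interface`, it reports the drop in an early phase regardless of how permissive the ACL is, which matches the behaviour the thread describes.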