Community Member

Ping through the Firewall

Hi,

I've received my ASA5510 and I'm trying to allow ping through the firewall between DMZ-LAN and LAN-DMZ.

I use:

access-list "ICMP_LAN" permit icmp,echo,echoreply  any any

access-list "ICMP_DMZ" permit icmp,echo,echoreply  any any

I applied the access-list on each interface:

access-group ICMP_LAN in interface LAN

access-group ICMP_DMZ in interface DMZ

But it doesn't work. Packet Tracer reports that the packet is dropped by the default ACL, which denies all traffic.

Any Ideas? Thanks

15 REPLIES
Cisco Employee

Re: Ping through the Firewall

Hi Thomas,

What version of ASA code are you running? Is there any NAT that should apply to this flow?

Can you post a sanitized copy of the packet tracer output and any syslogs generated when you try to ping?

-Mike

Cisco Employee

Re: Ping through the Firewall

Try the following:

1. Allow inspect in the policy-map.

2. Check if you have any icmp LAN statement.

You can check that in show run, show run icmp, or show run | in icmp.

If you have any, then remove it.

Community Member

Re: Ping through the Firewall

Hi,

Sorry to be late for my reply.

I use ASA version 8.2 and ASDM 6.2. I have no ICMP LAN statement.

I've attached logs from Packet Tracer.

Interface LAN : 172.16.1.254

PC LAN : 172.16.1.1/16

Interface DMZ : 10.1.1.1

Private Interface for DMZ server : 10.1.1.2

PC DMZ : 194.x.x.x/29 ( public IP)

Static NAT is enabled to translate:

10.1.1.2 --> 194.x.x.x

Ping from DMZ to LAN is the Problem.

Cisco Employee

Re: Ping through the Firewall

Hi Thomas,

Could you post a sanitized config here? We can get a better picture of where things are going wrong.

Regards,

Prapanch

Cisco Employee

Re: Ping through the Firewall

I hope you are NOT trying to ping from 10.1.1.2 to 172.16.1.254 - This will not work and it is by design. You cannot ping the far side interface.

But, if you are pinging from 10.1.1.2 to 172.16.1.1

and if you have

static (LAN,DMZ) 172.16.1.0 172.16.1.0 net 255.255.255.0

with the icmp allow acl on the LAN and DMZ interfaces it should work.

Just for testing purposes, throw in an ACL to allow ip any any between these two test hosts, 10.1.1.2 and 172.16.1.1.

Enable logging:

conf t

logging on

logging buffered debug

exit

sh logg | i 10.1.1.2

-KS

Community Member

Re: Ping through the Firewall

ok I've added :

static (LAN,DMZ) 172.16.1.0 172.16.1.0 netmask 255.255.0.0

Ping from 10.1.1.2 to 172.16.1.1 works in Packet Tracer but doesn't work with the ping command.

Ping from 172.16.1.1 to 10.1.1.2 doesn't work.

I attached my running config and Packet Tracer logs. I am a bit lost; I'm new to Cisco firewalls.

Thanks.

Bronze

Re: Ping through the Firewall

Hi Tom,


Also add the following command,

static (LAN,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

Please let me know if that helps.


Cheers,

Nash.

Community Member

Re: Ping through the Firewall

Hi Nash,

I added your command but have the same problem.

When I ping from 172.16.1.1 to 10.1.1.2 in Packet Tracer, the packet is still dropped at the NAT step.

Cisco Employee

Re: Ping through the Firewall

Hi Thomas,

The issue is with these static commands:

static (DMZ,LAN) 194.206.235.65 10.1.1.2 netmask 255.255.255.255
static (DMZ,LAN) 194.206.235.66 10.1.1.3 netmask 255.255.255.255

So what this means is that when you want to access the DMZ servers 10.1.1.2 and 10.1.1.3 from the LAN, you will have to do it using the IP addresses 194.206.235.65 and 194.206.235.66 respectively.

Now it comes down to your requirement: do you want to access the DMZ servers from the LAN using their private or public IPs? If it's going to be the public IPs, remove the command below:

static (LAN,DMZ) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

If you would like to do it using the private IPs, remove the commands below:

static (DMZ,LAN) 194.206.235.65 10.1.1.2 netmask 255.255.255.255
static (DMZ,LAN) 194.206.235.66 10.1.1.3 netmask 255.255.255.255

Please note that if you are accessing the servers using the public IPs, you will have to ping the IP addresses 194.206.235.65 and 194.206.235.66 respectively.

Let me know if this helps!!

Regards,

Prapanch

Community Member

Re: Ping through the Firewall

OK. I agree. I want to access the DMZ servers from the LAN using their public IPs.

It works now in Packet Tracer.

But for example, when I use the ping command on a PC from the LAN and ping 194.x.x.x, it doesn't work.

I'm connected to the ASA interface directly for the test. Is that a problem?

Thanks.

Cisco Employee

Re: Ping through the Firewall

Hi,

If there is a Windows or any other firewall on the DMZ servers, please disable it and check if you are able to ping them. Also, please apply captures on the ASA to see how packets are flowing and if they are getting dropped:

https://supportforums.cisco.com/docs/DOC-1222

regards,

Prapanch

Community Member

Re: Ping through the Firewall

OK, done. I have a gateway problem.

I continue my configuration and I have another question (sorry).

I want to configure NAT for the LAN network. A PC from the LAN must go on the internet with the IP of the WAN interface.

I configured this rule:

global (WAN) 1 interface

nat (LAN) 1 172.16.0.0 255.255.0.0

The problem is that when I want to access my DMZ public servers from the LAN, the rule above is applied on the DMZ interface too.

So communication between LAN-DMZ does not work anymore.

I just specified the WAN interface in the rule, so I don't understand.

Should I use some exemptions?

Thanks

Cisco Employee

Re: Ping through the Firewall

Do you have this line in the config?

static (LAN,DMZ) 172.16.1.0 172.16.1.0 net 255.255.255.0

You need that for source address translation from the inside to dmz.

Copy and paste the output of the following and tell us which network has trouble getting where:

sh run nat

sh run global

sh run static

-KS

Community Member

Re: Ping through the Firewall

I want to access the DMZ servers from the LAN using their public IPs (I followed the comment from Prapanch Ramamoorthy).
So I removed this line:

static (LAN,DMZ) 172.16.1.0 172.16.1.0 net 255.255.255.0

Output of the following commands:

show run nat
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 172.16.0.0 255.255.0.0

show run global
global (WAN) 1 interface

show run static
static (DMZ,LAN) 194.x.x.x 10.1.1.2 netmask 255.255.255.255
static (DMZ,LAN) 194.x.x.y 10.1.1.3 netmask 255.255.255.255
static (DMZ,WAN) 194.x.x.x 10.1.1.2 netmask 255.255.255.255
static (DMZ,WAN) 194.x.x.y 10.1.1.3 netmask 255.255.255.255

Cisco Employee

Re: Ping through the Firewall

So, does this work now?

static (LAN,DMZ) 172.16.1.0 172.16.1.0 net 255.255.255.0

and

nat (LAN) 0 access-list LAN_nat0_outbound

The above two are the same.

-KS
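The NAT ordering that KS and Prapanch are walking Thomas through, as an added example that is not from the thread or from Cisco: a Python model of the ASA 8.2 source-translation lookup (nat 0 exemption, then static, then dynamic nat/global), run over constructed rule sets that mirror the thread's "sh run nat/global/static" output. 203.0.113.x stands in for the sanitised 194.x.x.x public block, the global address for "global (WAN) 1 interface" is assumed, and the contents of LAN_nat0_outbound are assumed since the thread never shows them.

```python
# ASA 8.2 NAT order-of-operations model (added example, not the thread's config).
# Order: nat (if) 0 access-list exemption -> static -> dynamic nat/global.
import ipaddress

def _in(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def _map(ip, real, mapped):
    # A static keeps the host offset inside the real/mapped blocks, so an
    # identity static (real == mapped) returns the address unchanged.
    real_net = ipaddress.ip_network(real, strict=False)
    offset = int(ipaddress.ip_address(ip)) - int(real_net.network_address)
    return str(ipaddress.ip_network(mapped, strict=False).network_address + offset)

def source_nat(rules, ingress, egress, src, dst):
    """Return (reason, translated_source); dst is the real (untranslated) destination."""
    # 1. nat (ingress) 0 access-list: exemption wins over everything else.
    for r in rules.get("nat0", []):
        if r["if"] == ingress and _in(src, r["src"]) and _in(dst, r["dst"]):
            return "exempt", src
    # 2. static (real_if,mapped_if) mapped real netmask: applies leaving real_if toward mapped_if.
    for r in rules.get("static", []):
        if (r["real_if"], r["mapped_if"]) == (ingress, egress) and _in(src, r["real"]):
            return "static", _map(src, r["real"], r["mapped"])
    # 3. nat (ingress) <id> net: needs a global with the same id on the egress interface;
    #    a matching nat with no global on that egress interface is dropped.
    for r in rules.get("nat", []):
        if r["if"] == ingress and _in(src, r["src"]):
            for g in rules.get("global", []):
                if (g["id"], g["if"]) == (r["id"], egress):
                    return "pat", g["addr"]
            return "drop", "no translation group found"
    return "untranslated", src

# Constructed rule set mirroring the thread; 203.0.113.x replaces the sanitised 194.x.x.x.
BROKEN = {
    "nat": [{"if": "LAN", "id": 1, "src": "172.16.0.0/16"}],
    "global": [{"if": "WAN", "id": 1, "addr": "203.0.113.1"}],  # global (WAN) 1 interface (assumed addr)
    "static": [{"real_if": "DMZ", "mapped_if": "LAN", "real": "10.1.1.2/32", "mapped": "203.0.113.65/32"}],
}
# KS's two equivalent fixes for LAN -> DMZ: identity static, or nat 0 exemption (ACL assumed).
WITH_STATIC = {**BROKEN, "static": BROKEN["static"] + [
    {"real_if": "LAN", "mapped_if": "DMZ", "real": "172.16.0.0/16", "mapped": "172.16.0.0/16"}]}
WITH_NAT0 = {**BROKEN, "nat0": [{"if": "LAN", "src": "172.16.0.0/16", "dst": "10.1.1.0/24"}]}

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("static", WITH_STATIC), ("nat0", WITH_NAT0)):
        print(name, "LAN->DMZ", source_nat(rules, "LAN", "DMZ", "172.16.1.1", "10.1.1.2"))
    print("LAN->WAN", source_nat(BROKEN, "LAN", "WAN", "172.16.1.1", "198.51.100.7"))
    print("DMZ->LAN", source_nat(BROKEN, "DMZ", "LAN", "10.1.1.2", "172.16.1.1"))
```

The "broken" case reproduces the LAN-DMZ failure Thomas hit after adding nat (LAN) 1 with a global only on WAN, while both fixes leave the LAN source untranslated toward the DMZ, which is why KS calls them the same.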
