Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
358
Views
0
Helpful
1
Replies

New DMZ zone IP not reachable

Go to solution
srikanth ath
Level 4
Level 4

‎01-24-2014 06:47 AM - edited ‎03-07-2019 05:46 PM

  Hi Genious..

                

I have built up the new DMZ zone on my firewall and couldn’t access/receive ping responses to Its IP X.X.236.97 from inside interface connected hosts.

Currently there is no ACL applied for DMZ3. Im looking for communication from inside interfaces host to DMZ3 interface IP where it is not working? What would be the issue am I missing anything Basics here. The acl applied to inside interface is allowed for any ip to ip communication.

interface TenGigabitEthernet1/3.782

description DMZ3

nameif DMZ3

security-level 40

ip address X.X236.97 255.255.255.224 standby X.X236.98

interface Inside

description Global Inside

nameif Inside

security-level 100

ip address X.X249.161 255.255.255.248 standby X.X249.162

HYD-5585X-ASA/Global# sh nameif

HYD-5585X-ASA/Global# sh nameif

Interface                                             Name                                                 Security

Outside                                               Outside                                               0

Inside                                                   Inside                                                   100

TenGigabitEthernet1/3.782         DMZ3                                                   40

HYD-5585X-ASA/Global#

ACL permitted:

access-list Inside_access_in extended permit ip any4 any4

HYD-5585X-ASA/Global# sh run | in access-group

access-group Outside_access_in in interface Outside

access-group Inside_access_in in interface Inside

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎01-24-2014 06:51 AM

Srikanth

1) is there a route to the DMZ subnet ?

2) even if there is a route you cannot ping across the firewall to another interface ie. you can ping the DMZ interface IP from the DMZ but not from the inside or coming in on any other interface. This is a built in security feature on the firewall.

To test you need to try and ping from the inside a device in the DMZ not the DMZ interface IP.

Jon

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎01-24-2014 06:51 AM

Srikanth

1) is there a route to the DMZ subnet ?

2) even if there is a route you cannot ping across the firewall to another interface ie. you can ping the DMZ interface IP from the DMZ but not from the inside or coming in on any other interface. This is a built in security feature on the firewall.

To test you need to try and ping from the inside a device in the DMZ not the DMZ interface IP.

Jon

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card