[...]just below, are some totally unrelated sites to ours, however, they are definitely worth checking out[...]…

It can be my ignorance, but in Solution:1 you’ve created an ACL on Outside interface in incoming direction i.e. flow direction from Outside to Inside and then you’re saying if we want to ping from Inside/DMZ to Outside. Do you think it is correct?

Regards,

Sanjeev

[...]Cisco ASA and ICMP Configurations at jklogic.net[...]…

I just finished trying to configure my ASA5520 v7..

But my problem is: from the inside how do i allow ping to the dmz?
On the otherside, the Servers on dmz dont have internet access.
So can anyone have a closer look at my bellow sh run and figure out why are my servers on dmz dont have internet? and how do i allow ping to the dmz since from the inside network i cant access the dmz by pingin the 172.16.16.80 for the www and 172.16.16.25 for the smtp mail server

here is the sh run

ciscoasa(config)# sh run
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name parlamento.ao
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
description Link to Gateway
nameif outside
security-level 0
ip address 41.223.156.109 255.255.255.248
!
interface GigabitEthernet0/1
description Link to Local Lan
nameif inside
security-level 100
ip address 10.1.4.1 255.255.252.0
!
interface GigabitEthernet0/2
description Link to dmz
nameif dmz
security-level 50
ip address 172.16.16.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list outside_in extended permit tcp any host 41.223.156.106 eq smtp
access-list outside_in extended permit tcp any host 41.223.156.107 eq www
access-list dmz_int extended permit tcp host 172.16.16.25 any eq smtp
access-list dmz_int extended permit tcp host 172.16.16.80 any eq www
access-list outside_int extended permit tcp any host 41.223.156.106 eq smtp
access-list outside_int extended permit icmp any any
access-list INSIDE extended permit ip 10.1.4.0 255.255.252.0 any
access-list OUT-TO-DMZ extended permit icmp any any log
access-list OUT-TO-DMZ extended deny ip any any
access-list inside extended permit tcp any any eq pop3
access-list inside extended permit tcp any any eq smtp
access-list inside extended permit tcp any any eq ssh
access-list inside extended permit tcp any any eq https
access-list inside extended permit udp any any eq domain
access-list inside extended permit tcp any any eq domain
access-list inside extended permit tcp any any eq www
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list dmz extended permit ip any any
access-list dmz extended permit icmp any any
access-list DMZ_IN extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list cap extended permit ip 172.16.16.0 255.255.255.0 10.1.4.0 255.255.252.0
access-list cap extended permit ip 10.1.4.0 255.255.252.0 172.16.16.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 10.1.4.0 255.255.252.0
static (inside,dmz) 10.1.4.0 10.1.4.0 netmask 255.255.252.0
static (dmz,outside) 41.223.156.106 172.16.16.25 netmask 255.255.255.255
static (dmz,outside) 41.223.156.107 172.16.16.80 netmask 255.255.255.255
access-group dmz_int in interface dmz
access-group inside in interface inside

route outside 0.0.0.0 0.0.0.0 41.223.156.108 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username tchipa password JUU.kVt2Und.Vd23 encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 10.1.4.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.1.4.100 255.255.255.255 inside
ssh timeout 10
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
Cryptochecksum:48ba8cf4e31f2940e44293256d84ce38
: end

I thank everyone in advance indeed

BD

It looks like the issue is that you are configured to perform NAT on the packets originating from the LAN destined to the DMZ.

static (inside,dmz) 10.1.0.0 10.1.16.0 netmask 255.255.252.0

I would remove the static command above.

I don’t think NAT is needed here so I would create a rule to not perform NAT then these two networks communicate.

access-list InsideNoNAT_ACL permit ip 10.1.4.1 255.255.252.0 172.16.16.1 255.255.255.0

nat (inside) 0 access-list InsideNoNAT_ACL

Hopefully that will take care of the problem for you.

James

My internal PCs cannot communicate to the DMZ to access the www plus the mail server-
Im a bit new to the game and therefore im n not tchat good at all.. please help

bellow is my ASA sh run

ASA Version 7.0(8)
!
hostname ASA2
domain-name parlamento.ao

names
dns-guard
!
interface GigabitEthernet0/0
description “Link-To-GW-Router”
nameif outside
security-level 0
ip address 41.223.156.109 255.255.255.248
!
interface GigabitEthernet0/1
description Link To Local Lan
nameif inside
security-level 100
ip address 10.1.4.1 255.255.252.0
!
interface GigabitEthernet0/2
description “Link-To-DMZ”
nameif dmz
security-level 50
ip address 172.16.16.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list INSIDE extended permit ip 10.1.4.0 255.255.252.0 any
access-list OUT-TO-DMZ extended permit tcp any host 41.223.156.107 eq smtp
access-list OUT-TO-DMZ extended permit tcp any host 41.223.156.106 eq www
access-list OUT-TO-DMZ extended permit icmp any any log
access-list OUT-TO-DMZ extended deny ip any any
access-list inside extended permit tcp any any eq pop3
access-list inside extended permit tcp any any eq smtp
access-list inside extended permit tcp any any eq ssh
access-list inside extended permit tcp any any eq telnet
access-list inside extended permit tcp any any eq https
access-list inside extended permit udp any any eq domain
access-list inside extended permit tcp any any eq domain
access-list inside extended permit tcp any any eq www
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list dmz extended permit ip any any
access-list dmz extended permit icmp any any
access-list DMZ_IN extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list cap extended permit ip 172.16.16.0 255.255.255.0 10.1.4.0 255.255.25
2.0
access-list cap extended permit ip 10.1.4.0 255.255.252.0 172.16.16.0 255.255.25
5.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.1.4.0 255.255.252.0
static (dmz,outside) tcp 41.223.156.106 www 172.16.16.80 www netmask 255.255.255
.255
static (dmz,outside) tcp 41.223.156.107 smtp 172.16.16.25 smtp netmask 255.255.2
55.255
static (inside,dmz) 10.1.0.0 10.1.16.0 netmask 255.255.252.0
access-group OUT-TO-DMZ in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 41.223.156.108 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
Cryptochecksum:30d296dea4f5ffc1dd4560e075d47076
: end

Thanx alot for time and cooperation in advanced

JD

I have similar problem where I can’t ping a dest host (192.168.152.246) behind OUTSIDE interface from a source host (192.168.158.20) sitting behind MGMT interface. I will be thankful if you could help…

Extracts from my configuration as follows:

! —- Begin —-
ASA Version 8.3(1)
!
:
:
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address 192.168.152.248 255.255.255.0
!
interface Management0/0
nameif MGMT
security-level 99
ip address 192.168.158.248 255.255.255.0
management-only
!
boot system disk0:/asa831-k8.bin
ftp mode passive
!
:
access-list OUTSIDE-IN extended permit ip 192.168.152.0 255.255.255.0 192.168.158.0 255.255.255.0
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-IN extended permit icmp any any echo
access-list OUTSIDE-IN extended permit icmp any interface OUTSIDE
:
:
:
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.152.0 255.255.255.0 OUTSIDE
icmp permit 192.168.158.0 255.255.255.0 MGMT
:
:
access-group OUTSIDE_IN in interface OUTSIDE
:
:
! —– END —-

Any wrong with above configuration? Or missing any setting? Do I need a static NAT? If so, is the following statement correct?

ciscoasa(config)# object network mgmt_static
ciscoasa(config-network-object)# host 192.168.158.20
ciscoasa(config-network-object)# nat (MGMT,OUTSIDE) static 192.168.152.250

Thanks in advance

tanlc

Hopefully you can help.

- I’d like to test PING, TRACEROUTE and TELNET connectivity through the FW from one side to the other.

I wanted to know if the default behavior of the ASA 5550 rev 8.3.1 has changed to allow icmp across the box so that I can test connectivity using ICMP from the INSIDE interface to the OUTSIDE interface. When I issue a Packet-Tracer command the final line shows ACTION: Allow, but, I do not get !!!!! replies, I only see ….. . My Globa Policy allow icmp to be inspected, I have an access-list on the outside interface. What am I missing?

Thanks for your help in advance.

Vern B

So to make it clear. On an ASA you can’t ping the outside interface from a host sitting behind the inside interface.

inspect icmp won’t help.

Did I get it right?

Cheers,
Daniel