https://community.cisco.com/t5/network-security/dmz-server-access-problem/m-p/3937815#M26842 Additional details required as the given configuration is partial. But I think you have route issue.<BR /><BR />What is the Gateway for your Anti-Virus server 124.124.124.2?<BR />Do you have ROUTE for the DMZ server 172.16.1.100 on the ROUTER 1841?<BR />Can you post "Show ip route" on the Router?<BR />Output of the packet tracer "packet-tracer input OUTSIDE icmp 124.124.124.2 8 0 172.16.1.100 detailed<BR /><BR />To give brief explanation.<BR /><BR />Your Internal and DMZ network go through ASA to reach to Anti-Virus Server. The ASA send traffic for Anti-Virus Server on the OUTSIDE interface but it NAT the traffic with OUTSIDE IP 123.123.123.x. going out. So when it reaches to the Anti-Virus Server, It has path back to 123.123.123.x hence ping from Internal and DMZ to the Anti-Virus Server Succeed.<BR />Now when Anti-Virus Server 124.124.124.2 initial Ping to DMZ server 172.16.1.100 it sends traffic to the Gateway (Which at the moment we are not aware as if it is your Router's interface 124.124.124.1 or the ISP's Interface). If it is your Router's interface 124.124.124.1, The ROUTER must have ROUTE to that destination 172.16.1.100 sending traffic to ASA on the OUTSIDE interface. It can be Static or Dynamic ROUTE.<BR /><BR />First You should have proper ROUTE so that packet can reach to ASA.<BR />Then we can check for block on the ASA, however your ACL applied on the OUTSIDE interface allow all traffic. (These is not consider secure)<BR /><BR />I hope this helps you.<BR /><BR />HTH<BR />### RATE ALL HELPFUL RESPONSES ### Wed, 09 Oct 2019 11:01:22 GMT bhargavdesai 2019-10-09T11:01:22Z https://community.cisco.com/t5/network-security/dmz-server-access-problem/m-p/3937768#M26829 <P>We are configured Cisco ASA firewall with three network , One Router and a Switch.</P><P>One Anti-Virus server are used for antivirus server updated,&nbsp;IP 124.124.124.2 which is connected to Campus Router&nbsp;</P><P>*Campus Router Cisco 1841 Interface&nbsp;</P><P>Gig0/1 = 124.124.124.1</P><P>Gig0/0 = 123.123.123.1</P><P>&nbsp;</P><P>*Cisco ASA 5506 interface&nbsp;&nbsp;</P><P>Gig 0/1 (Inside=10.10.10.1 /24)</P><P>Gig 0/3 (DMZ = 172.16.1.0/24)</P><P>Gig 0/8 (Outside =123.123.123.0/24)</P><P>&nbsp;</P><P>All lasted AntiVirus definition update package are download Server (124.124.124.2) and it is send to DMZ server 172.16.1.100.&nbsp;</P><P>All internal endpoint are ping to DMZ server as well as 124.124.124.2 server</P><P>DMZ server 172.16.1.100 are ping to internal network as well as 124.124.124.2 server.</P><P>But when I ping Update server 124.124.124.2 to DMZ server 172.16.1.100 , Not able to ping</P><P>===================Campus Router 1841 Configuration=============</P><P>interface GigabitEthernet0/1</P><P>IP address&nbsp;124.124.124.1 255.255.255.0</P><P>&nbsp;</P><P>interface GigabitEthernet1/1</P><P>IP address 123.123.123.1 255.255.255.0</P><P>&nbsp;</P><P>Router ospf 1</P><P>network 124.124.124.0 255.255.255.0 area 0</P><P>network 123.123.123.0 255.255.255.0 area 0</P><P>==================ASA 5506 Configuration=====================&nbsp;&nbsp;</P><P>interface GigabitEthernet1/1<BR />nameif inside<BR />security-level 100<BR />ip address 10.10.10.1 255.255.255.0<BR />!<BR />interface GigabitEthernet1/8<BR />nameif outside<BR />security-level 0<BR />ip address 123.123.X.X 255.255.255.0<BR />!<BR />object network LAN<BR />subnet 10.10.10.0 255.255.255.0<BR />nat (inside,outside) dynamic interface</P><P>object network VLAN-2<BR />subnet 10.20.10.0 255.255.255.0<BR />nat (inside,outside) dynamic interface<BR />object network VLAN-3<BR />subnet 10.30.10.0 255.255.255.0<BR />nat (inside,outside) dynamic interface<BR />object network VLAN-4<BR />subnet 10.40.10.0 255.255.255.0<BR />nat (inside,outside) dynamic interface<BR />!<BR />route outside 0.0.0.0 0.0.0.0 123.123.X.1<BR />!<BR />access-list in-to-internet extended permit ip any any<BR />access-list in-to-internet extended permit icmp any any<BR />!<BR />access-group in-to-internet in interface outside<BR />access-group in-to-internet in interface dmz<BR />!<BR />class-map inspection-default<BR />match default-inspection-traffic<BR />!<BR />policy-map global-policy<BR />class inspection-default<BR />inspect dns<BR />inspect http<BR />inspect icmp<BR />!<BR />service-policy global-policy global</P> Wed, 09 Oct 2019 10:16:48 GMT https://community.cisco.com/t5/network-security/dmz-server-access-problem/m-p/3937768#M26829 dinchavan 2019-10-09T10:16:48Z https://community.cisco.com/t5/network-security/dmz-server-access-problem/m-p/3937815#M26842 Additional details required as the given configuration is partial. But I think you have route issue.<BR /><BR />What is the Gateway for your Anti-Virus server 124.124.124.2?<BR />Do you have ROUTE for the DMZ server 172.16.1.100 on the ROUTER 1841?<BR />Can you post "Show ip route" on the Router?<BR />Output of the packet tracer "packet-tracer input OUTSIDE icmp 124.124.124.2 8 0 172.16.1.100 detailed<BR /><BR />To give brief explanation.<BR /><BR />Your Internal and DMZ network go through ASA to reach to Anti-Virus Server. The ASA send traffic for Anti-Virus Server on the OUTSIDE interface but it NAT the traffic with OUTSIDE IP 123.123.123.x. going out. So when it reaches to the Anti-Virus Server, It has path back to 123.123.123.x hence ping from Internal and DMZ to the Anti-Virus Server Succeed.<BR />Now when Anti-Virus Server 124.124.124.2 initial Ping to DMZ server 172.16.1.100 it sends traffic to the Gateway (Which at the moment we are not aware as if it is your Router's interface 124.124.124.1 or the ISP's Interface). If it is your Router's interface 124.124.124.1, The ROUTER must have ROUTE to that destination 172.16.1.100 sending traffic to ASA on the OUTSIDE interface. It can be Static or Dynamic ROUTE.<BR /><BR />First You should have proper ROUTE so that packet can reach to ASA.<BR />Then we can check for block on the ASA, however your ACL applied on the OUTSIDE interface allow all traffic. (These is not consider secure)<BR /><BR />I hope this helps you.<BR /><BR />HTH<BR />### RATE ALL HELPFUL RESPONSES ### Wed, 09 Oct 2019 11:01:22 GMT https://community.cisco.com/t5/network-security/dmz-server-access-problem/m-p/3937815#M26842 bhargavdesai 2019-10-09T11:01:22Z https://community.cisco.com/t5/network-security/dmz-server-access-problem/m-p/3937855#M26849 <P>As per security policy, internet are not allowed in Campus network. Every Morning , We will connect Anti-Virus (124.124.124.2) server to internet and download latest update file. Then Anti-Virus server should be connect to Campus_Router, and all endpoint system are automatically updated.</P><P>124.124.124.2 = Anti-Virus Server for latest package download and DMZ server 172.16.1.100 is Anti-Virus server.&nbsp;</P><P>&nbsp;</P><P><SPAN>**Anti-Virus Update Server 124.124.124.2 gateway is 124.124.124.1 (which is Campus Router IP)</SPAN></P><P>** Router 1841 just configured interface and</P><P><SPAN>&nbsp; &nbsp; Router ospf 1</SPAN></P><P><SPAN>&nbsp; &nbsp; Network 124.124.124.0 255.255.255.0 area 0</SPAN></P><P><SPAN>&nbsp; &nbsp; Network 123.123.123.0 255.255.255.0 area 0</SPAN></P><P><SPAN>***&nbsp;</SPAN></P><P><SPAN>Below detail will be share ASAP</SPAN></P><P>&nbsp;</P><P><SPAN>Can you post "Show ip route" on the Router?</SPAN><BR /><SPAN>Output of the packet tracer "packet-tracer input OUTSIDE icmp 124.124.124.2 8 0 172.16.1.100 detailed</SPAN>&nbsp;</P> Wed, 09 Oct 2019 12:26:29 GMT https://community.cisco.com/t5/network-security/dmz-server-access-problem/m-p/3937855#M26849 dinchavan 2019-10-09T12:26:29Z