DISCUSSION (No Title)

aung.htwe — Tue, 12 Mar 2019 03:55:11 GMT

Hi,

I cannot ping from LAN to DMZ public IP address.

I can ping to DMZ internal 172.16.0.x address from LAN.

DMZ LAN also can ping to Internal LAN.

If I add this config "static (DMZ,Inside) x.x.x.61 172.16.0.12 netmask 255.255.255.255"

Internal LAN cannot ping to DMZ private IP address. I can ping to DMZ public IP address.

I want to ping from LAN to DMZ private IP and DMZ Public IP address.

Please help me...

ASA Version 7.2(4)34
!
hostname ASAKT

names
!
interface Ethernet0/0
description Link to Starhub
nameif Outside
security-level 0
ip address x.x.x.x 255.255.255.240
!
interface Ethernet0/1
description Link to Internal 100.x
nameif Inside
security-level 100
ip address 192.168.100.254 255.255.255.0
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/2.100
vlan 100
nameif DMZ100
security-level 50
ip address 172.16.100.254 255.255.255.0
!
interface Ethernet0/2.101
vlan 101
nameif DMZ101
security-level 50
ip address 172.16.101.254 255.255.255.0
!
interface Ethernet0/2.102
vlan 102
nameif DMZ102
security-level 50
ip address 172.16.102.254 255.255.255.0
!
interface Ethernet0/2.103
vlan 103
nameif DMZ103
security-level 50
ip address 172.16.103.254 255.255.255.0
!
interface Ethernet0/2.104
vlan 104
nameif DMZ104
security-level 50
ip address 172.16.104.254 255.255.255.0
!
interface Ethernet0/2.105
vlan 105
nameif DMZ105
security-level 50
ip address 172.16.105.254 255.255.255.0
!
interface Ethernet0/2.106
vlan 106
nameif DMZ106
security-level 50
ip address 172.16.106.254 255.255.255.0
!
interface Ethernet0/2.107
vlan 107
nameif DMZ107
security-level 50
ip address 172.16.107.254 255.255.255.0
!
interface Ethernet0/2.108
vlan 108
nameif DMZ108
security-level 50
ip address 172.16.108.254 255.255.255.0
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Ethernet0/3.10
vlan 10
nameif DMZ
security-level 50
ip address 172.16.0.254 255.255.255.0
!
interface Ethernet0/3.100
no vlan
no nameif
no security-level
no ip address
!
interface Ethernet0/3.101
no vlan
no nameif
no security-level
no ip address
!
interface Ethernet0/3.102
no vlan
no nameif
no security-level
no ip address
!
interface Ethernet0/3.103
no vlan
no nameif
no security-level
no ip address
!
interface Ethernet0/3.104
no vlan
no nameif
no security-level
no ip address
!
interface Ethernet0/3.105
no vlan
no nameif
no security-level
no ip address
!
interface Ethernet0/3.106
no vlan
no nameif
no security-level
no ip address
!
interface Ethernet0/3.107
no vlan
no nameif
no security-level
no ip address
!
interface Ethernet0/3.108
no vlan
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
banner motd Do not attempt unauthorized access.
banner motd Do not attempt unauthorized access.
banner motd Do not attempt unauthorized access.
banner motd Do not attempt unauthorized access.
banner motd Do not attempt unauthorized access.
banner motd Do not attempt unauthorized access.
banner motd Do not attempt unauthorized access.
banner motd Do not attempt unauthorized access.
boot system disk0:/asa724-34-k8.bin
ftp mode passive
clock timezone MYT 8
dns server-group DefaultDNS
domain-name sxxxxxx

same-security-traffic permit intra-interface
object-group service TCP7760 tcp
port-object eq 7760
object-group service UDP7760 udp
port-object eq 7760
access-list Outside_in_DMZ extended permit tcp any host x.x.x.58 eq 3389
access-list Outside_in_DMZ extended permit tcp any host x.x.x.52 eq 3389
access-list Outside_in_DMZ extended permit tcp any host x.x.x.52 eq 3478
access-list Outside_in_DMZ extended permit udp any host x.x.x.52 eq 3478
access-list Outside_in_DMZ extended permit tcp any host x.x.x.52 eq 5349
access-list Outside_in_DMZ extended permit tcp any host x.x.x.52 eq https
access-list Outside_in_DMZ extended permit tcp any host x.x.x.52 eq www
access-list Outside_in_DMZ extended permit tcp any host x.x.x.52 eq domain
access-list Outside_in_DMZ extended permit udp any host x.x.x.52 eq domain
access-list Outside_in_DMZ extended permit tcp any host x.x.x.52 eq 5269
access-list Outside_in_DMZ extended permit tcp any host x.x.x.52 range 50000 59999
access-list Outside_in_DMZ extended permit tcp any host x.x.x.53 eq 3389
access-list Outside_in_DMZ extended permit tcp any host x.x.x.53 eq 3478
access-list Outside_in_DMZ extended permit udp any host x.x.x.53 eq 3478
access-list Outside_in_DMZ extended permit tcp any host x.x.x.53 eq 5349
access-list Outside_in_DMZ extended permit tcp any host x.x.x.53 eq https
access-list Outside_in_DMZ extended permit tcp any host x.x.x.53 eq www
access-list Outside_in_DMZ extended permit tcp any host x.x.x.53 eq domain
access-list Outside_in_DMZ extended permit udp any host x.x.x.53 eq domain
access-list Outside_in_DMZ extended permit tcp any host x.x.x.53 eq 5269
access-list Outside_in_DMZ extended permit tcp any host x.x.x.53 range 50000 59999
access-list Outside_in_DMZ extended permit tcp any host x.x.x.52 range sip 5065
access-list Outside_in_DMZ extended permit tcp any host x.x.x.53 range sip 5065
access-list Outside_in_DMZ extended permit tcp any host x.x.x.54 eq 3389
access-list Outside_in_DMZ extended permit tcp any host x.x.x.54 eq 3478
access-list Outside_in_DMZ extended permit udp any host x.x.x.54 eq 3478
access-list Outside_in_DMZ extended permit tcp any host x.x.x.54 eq 5349
access-list Outside_in_DMZ extended permit tcp any host x.x.x.54 eq https
access-list Outside_in_DMZ extended permit tcp any host x.x.x.54 eq www
access-list Outside_in_DMZ extended permit tcp any host x.x.x.54 eq domain
access-list Outside_in_DMZ extended permit udp any host x.x.x.54 eq domain
access-list Outside_in_DMZ extended permit tcp any host x.x.x.54 eq 5269
access-list Outside_in_DMZ extended permit tcp any host x.x.x.54 range 50000 59999
access-list Outside_in_DMZ extended permit tcp any host x.x.x.54 range sip 5065
access-list Outside_in_DMZ extended permit tcp any host x.x.x.55 eq 3389
access-list Outside_in_DMZ extended permit tcp any host x.x.x.55 eq 3478
access-list Outside_in_DMZ extended permit udp any host x.x.x.55 eq 3478
access-list Outside_in_DMZ extended permit tcp any host x.x.x.55 eq 5349
access-list Outside_in_DMZ extended permit tcp any host x.x.x.55 eq https
access-list Outside_in_DMZ extended permit tcp any host x.x.x.55 eq www
access-list Outside_in_DMZ extended permit tcp any host x.x.x.55 eq domain
access-list Outside_in_DMZ extended permit udp any host x.x.x.55 eq domain
access-list Outside_in_DMZ extended permit tcp any host x.x.x.55 eq 5269
access-list Outside_in_DMZ extended permit tcp any host x.x.x.55 range 50000 59999
access-list Outside_in_DMZ extended permit tcp any host x.x.x.55 range sip 5065
access-list Outside_in_DMZ extended permit tcp any host x.x.x.57 eq domain
access-list Outside_in_DMZ extended permit udp any host x.x.x.57 eq domain
access-list Outside_in_DMZ extended permit tcp any host x.x.x.56 eq 3478
access-list Outside_in_DMZ extended permit udp any host x.x.x.56 eq 3478
access-list Outside_in_DMZ extended permit tcp any host x.x.x.56 eq 5349
access-list Outside_in_DMZ extended permit tcp any host x.x.x.56 eq https
access-list Outside_in_DMZ extended permit tcp any host x.x.x.56 eq www
access-list Outside_in_DMZ extended permit tcp any host x.x.x.56 eq domain
access-list Outside_in_DMZ extended permit udp any host x.x.x.56 eq domain
access-list Outside_in_DMZ extended permit tcp any host x.x.x.56 eq 5269
access-list Outside_in_DMZ extended permit tcp any host x.x.x.56 range 50000 59999
access-list Outside_in_DMZ extended permit tcp any host x.x.x.56 range sip 5065
access-list Outside_in_DMZ extended permit tcp any host x.x.x.57 eq www
access-list Outside_in_DMZ extended permit tcp any host x.x.x.57 eq https
access-list Outside_in_DMZ extended permit tcp any host x.x.x.57 eq 3389
access-list Outside_in_DMZ extended permit udp any host x.x.x.56 range 50000 59999
access-list Outside_in_DMZ extended permit tcp any host x.x.x.57 eq 88
access-list Outside_in_DMZ extended permit tcp any host x.x.x.57 eq 81
access-list Outside_in_DMZ extended permit icmp any host x.x.x.57
access-list Outside_in_DMZ extended permit tcp any host 192.168.100.2 range 40000 64999
access-list Outside_in_DMZ extended permit udp any host 192.168.100.2 range 40000 64999
access-list Outside_in_DMZ extended permit tcp host x.x.x.8 host 192.168.100.2 range 40000 64999
access-list Outside_in_DMZ extended permit udp host x.x.x.8 host 192.168.100.2 range 40000 64999
access-list Outside_in_DMZ extended permit udp host x.x.x.8 host x.x.x.56 eq 7760
access-list Outside_in_DMZ extended permit tcp host x.x.x.8 host x.x.x.56 eq 7760
access-list Outside_in_DMZ extended permit tcp any host 192.168.100.13 eq 7760
access-list Outside_in_DMZ extended permit udp any host 192.168.100.13 eq 7760
access-list Outside_in_DMZ extended permit icmp any host x.x.x.56
access-list Outside_in_DMZ extended permit tcp any host x.x.x.56 eq 3389
access-list Outside_in_DMZ extended permit icmp any any time-exceeded
access-list Outside_in_DMZ extended permit icmp any any unreachable
access-list Outside_in_DMZ extended permit icmp any any
access-list Outside_in_DMZ extended permit icmp any any source-quench
access-list Outside_in_DMZ extended permit icmp any any echo
access-list Outside_in_DMZ extended permit tcp any host x.x.x.56 eq sip
access-list Outside_in_DMZ extended permit udp any host x.x.x.56 eq sip
access-list Outside_in_DMZ extended permit udp host x.x.x.8 host x.x.x.56 eq sip
access-list Outside_in_DMZ extended permit tcp host x.x.x.8 host x.x.x.56 eq sip
access-list Outside_in_DMZ extended permit tcp any host 192.168.100.13 eq sip
access-list Outside_in_DMZ extended permit udp any host 192.168.100.13 eq sip
access-list Outside_in_DMZ extended permit tcp any host x.x.x.50 eq 1000
access-list Outside_in_DMZ extended permit tcp any host x.x.x.50 eq 1001
access-list Outside_in_DMZ extended permit tcp any host x.x.x.50 eq 1002
access-list Outside_in_DMZ extended permit gre any host x.x.x.51
access-list Outside_in_DMZ extended permit udp any host x.x.x.51 eq isakmp
access-list Outside_in_DMZ extended permit udp any host x.x.x.51 eq 47
access-list Outside_in_DMZ extended permit tcp any host x.x.x.51 eq 47
access-list Outside_in_DMZ extended permit tcp any host x.x.x.51 eq pptp
access-list Outside_in_DMZ extended permit tcp any host x.x.x.52 eq 5949
access-list Outside_in_DMZ extended permit tcp any host x.x.x.53 eq 6049
access-list Outside_in_DMZ extended permit tcp any host x.x.x.54 eq 6149
access-list Outside_in_DMZ extended permit icmp any host x.x.x.59
access-list Outside_in_DMZ extended permit icmp any host x.x.x.60
access-list Outside_in_DMZ extended permit ip any host x.x.x.59
access-list Outside_in_DMZ extended permit ip any host x.x.x.60
access-list Outside_in_DMZ extended permit tcp any host x.x.x.52 eq sip
access-list Outside_in_DMZ extended permit tcp any host x.x.x.52 eq 5061
access-list Outside_in_DMZ extended permit tcp any host x.x.x.53 eq 5061
access-list Outside_in_DMZ extended permit tcp any host x.x.x.53 eq sip
access-list Outside_in_DMZ extended permit tcp any host x.x.x.54 eq sip
access-list Outside_in_DMZ extended permit tcp any host x.x.x.54 eq 5061
access-list Outside_in_DMZ extended permit tcp any host x.x.x.62 eq www
access-list Outside_in_DMZ extended permit tcp any host x.x.x.62 eq https
access-list Outside_in_DMZ extended permit tcp any host x.x.x.62 eq 3389
access-list Outside_in_DMZ extended permit tcp any host x.x.x.62 eq 88
access-list Outside_in_DMZ extended permit tcp any host x.x.x.62 eq 81
access-list Outside_in_DMZ extended permit icmp any host x.x.x.62
access-list Outside_in_DMZ extended permit tcp any host x.x.x.62 eq domain
access-list Outside_in_DMZ extended permit udp any host x.x.x.62 eq domain
access-list Outside_in_DMZ extended permit ip any host x.x.x.58
access-list Outside_in_DMZ extended permit ip any host x.x.x.69
access-list Outside_in_DMZ extended permit tcp any host x.x.x.61 eq smtp
access-list Outside_in_DMZ extended permit tcp any host x.x.x.61 eq domain
access-list Outside_in_DMZ extended permit udp any host x.x.x.61 eq www
access-list Outside_in_DMZ extended permit tcp any host x.x.x.61 eq pop3
access-list Outside_in_DMZ extended permit tcp any host x.x.x.61 eq imap4
access-list Outside_in_DMZ extended permit tcp any host x.x.x.61 eq https
access-list Outside_in_DMZ extended permit tcp any host x.x.x.61 eq 587
access-list Outside_in_DMZ extended permit udp any host x.x.x.61 eq 993
access-list Outside_in_DMZ extended permit tcp any host x.x.x.61 eq 2220
access-list Outside_in_DMZ extended permit udp any host x.x.x.61 eq domain
access-list Outside_in_DMZ extended permit udp any host x.x.x.51 eq 22545
access-list Outside_in_DMZ extended permit tcp any host x.x.x.51 eq 22545
access-list Outside_in_DMZ extended permit udp any host x.x.x.51 eq 22544
access-list Outside_in_DMZ extended permit tcp any host x.x.x.51 eq 22544
access-list Outside_in_DMZ extended permit udp any host x.x.x.51 eq 22543
access-list Outside_in_DMZ extended permit tcp any host x.x.x.51 eq 22543
access-list Outside_in_DMZ extended permit udp any host x.x.x.51 eq 22542
access-list Outside_in_DMZ extended permit tcp any host x.x.x.51 eq 22542
access-list Outside_in_DMZ extended permit udp any host x.x.x.51 eq 22541
access-list Outside_in_DMZ extended permit tcp any host x.x.x.51 eq 22541
access-list Outside_in_DMZ extended permit udp any host x.x.x.51 eq 22540
access-list Outside_in_DMZ extended permit tcp any host x.x.x.51 eq 22540
access-list Outside_in_DMZ extended permit udp any host x.x.x.60 eq 22540
access-list Outside_in_DMZ extended permit tcp any host x.x.x.60 eq 22540
access-list Outside_in_DMZ extended permit udp any host x.x.x.60 eq 22541
access-list Outside_in_DMZ extended permit tcp any host x.x.x.60 eq 22541
access-list Outside_in_DMZ extended permit udp any host x.x.x.60 eq 22542
access-list Outside_in_DMZ extended permit tcp any host x.x.x.60 eq 22542
access-list Outside_in_DMZ extended permit udp any host x.x.x.60 eq 22543
access-list Outside_in_DMZ extended permit tcp any host x.x.x.60 eq 22543
access-list Outside_in_DMZ extended permit udp any host x.x.x.60 eq 22544
access-list Outside_in_DMZ extended permit tcp any host x.x.x.60 eq 22544
access-list Outside_in_DMZ extended permit udp any host x.x.x.60 eq 22545
access-list Outside_in_DMZ extended permit tcp any host x.x.x.60 eq 22545
access-list Outside_in_DMZ extended permit udp any host x.x.x.58 eq www
access-list Outside_in_DMZ extended permit tcp any host x.x.x.58 eq https
access-list Outside_in_DMZ extended permit icmp any host x.x.x.58
access-list DMZ_in_Internal extended permit ip any any
access-list Inside_in_Internal extended permit ip 192.168.100.0 255.255.255.0 host 172.16.0.5
access-list Inside_in_Internal extended permit tcp 192.168.100.0 255.255.255.0 host 172.16.0.5 eq www
access-list Inside_in_Internal extended permit ip 192.168.100.0 255.255.255.0 host 172.16.0.13
access-list Inside_in_Internal extended permit tcp 192.168.100.0 255.255.255.0 host 172.16.0.13 eq www
access-list Inside_in_Internal extended permit tcp 192.168.100.0 255.255.255.0 host 172.16.0.13 eq https
access-list Inside_access_in extended permit tcp host x.x.x.8 host 192.168.100.13 object-group TCP7760
access-list Inside_access_in extended permit udp host x.x.x.8 host 192.168.100.13 object-group UDP7760
access-list Pfingo_In extended permit tcp host x.x.x.8 host 192.168.100.13 eq 7760
access-list Pfingo_In extended permit udp host x.x.x.8 host 192.168.100.13 eq 7760
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.120.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list INSIDE-NAT0 extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 102 extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 192.168.50.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.100.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.50.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip 192.168.100.0 255.255.255.0 192.168.120.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip 192.168.50.0 255.255.255.0 192.168.120.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.120.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list splittun-vpngrup1 extended permit ip 192.168.100.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list splittun-vpngrup1 extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list splittun-vpngrup1 extended permit ip 192.168.110.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list splittun-vpngrup1 extended permit ip 192.168.120.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.100.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.110.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.120.0 255.255.255.0
access-list DMZ_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu DMZ100 1500
mtu DMZ101 1500
mtu DMZ102 1500
mtu DMZ103 1500
mtu DMZ104 1500
mtu DMZ105 1500
mtu DMZ106 1500
mtu DMZ107 1500
mtu DMZ108 1500
mtu DMZ 1500
mtu management 1500
ip local pool ippool 192.168.50.10-192.168.50.40 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
global (DMZ100) 101 interface
global (DMZ101) 101 interface
global (DMZ102) 101 interface
global (DMZ103) 101 interface
global (DMZ104) 101 interface
global (DMZ105) 101 interface
global (DMZ106) 101 interface
global (DMZ107) 101 interface
global (DMZ108) 101 interface
global (DMZ) 101 interface
nat (Outside) 0 access-list outside_nat0_outbound
nat (Inside) 0 access-list inside_nat0_outbound
nat (Inside) 101 192.168.100.0 255.255.255.0
nat (DMZ100) 101 172.16.100.0 255.255.255.0
nat (DMZ101) 101 172.16.101.0 255.255.255.0
nat (DMZ102) 101 172.16.102.0 255.255.255.0
nat (DMZ103) 101 172.16.103.0 255.255.255.0
nat (DMZ104) 101 172.16.104.0 255.255.255.0
nat (DMZ105) 101 172.16.105.0 255.255.255.0
nat (DMZ106) 101 172.16.106.0 255.255.255.0
nat (DMZ107) 101 172.16.107.0 255.255.255.0
nat (DMZ108) 101 172.16.108.0 255.255.255.0
static (Inside,Outside) tcp x.x.x.50 1000 192.168.100.87 www netmask 255.255.255.255
static (Inside,Outside) tcp x.x.x.50 1001 192.168.100.88 www netmask 255.255.255.255
static (Inside,Outside) tcp x.x.x.50 1002 192.168.100.89 www netmask 255.255.255.255
static (Inside,Outside) x.x.x.56 192.168.100.13 netmask 255.255.255.255
static (DMZ,Outside) x.x.x.55 172.16.0.4 netmask 255.255.255.255
static (DMZ,Outside) x.x.x.57 172.16.0.5 netmask 255.255.255.255
static (DMZ,Outside) x.x.x.52 172.16.0.7 netmask 255.255.255.255
static (DMZ,Outside) x.x.x.53 172.16.0.8 netmask 255.255.255.255
static (DMZ,Outside) x.x.x.54 172.16.0.9 netmask 255.255.255.255
static (DMZ,Outside) x.x.x.62 172.16.0.13 netmask 255.255.255.255
static (DMZ,Outside) x.x.x.61 172.16.0.12 netmask 255.255.255.255
static (DMZ101,Outside) x.x.x.164 172.16.101.1 netmask 255.255.255.255
static (DMZ103,Outside) x.x.x.166 172.16.103.1 netmask 255.255.255.255
static (DMZ102,Outside) x.x.x.165 172.16.102.1 netmask 255.255.255.255
static (DMZ104,Outside) x.x.x.167 172.16.104.1 netmask 255.255.255.255
static (DMZ105,Outside) x.x.x.168 172.16.105.1 netmask 255.255.255.255
static (DMZ106,Outside) x.x.x.169 172.16.106.1 netmask 255.255.255.255
static (DMZ107,Outside) x.x.x.170 172.16.107.1 netmask 255.255.255.255
static (DMZ101,Outside) x.x.x.163 172.16.101.2 netmask 255.255.255.255
static (DMZ101,Outside) x.x.x.174 172.16.101.3 netmask 255.255.255.255
static (DMZ101,Outside) x.x.x.171 172.16.101.4 netmask 255.255.255.255
static (DMZ101,Outside) x.x.x.172 172.16.101.5 netmask 255.255.255.255
static (DMZ,Outside) x.x.x.59 172.16.0.6 netmask 255.255.255.255
static (Inside,Outside) x.x.x.60 192.168.100.102 netmask 255.255.255.255
static (Inside,Outside) x.x.x.58 192.168.100.189 netmask 255.255.255.255
no threat-detection statistics tcp-intercept
access-group Outside_in_DMZ in interface Outside
access-group DMZ_in_Internal in interface DMZ
route Outside 0.0.0.0 0.0.0.0 x.x.x.49 1

Thanks ,

infoakh

The reason you lose

Marius Gunnerud — Mon, 10 Mar 2014 12:31:14 GMT

The reason you lose connectivity to the DMZ when you enter the command:

static (DMZ,Inside) x.x.x.61 172.16.0.12 netmask 255.255.255.255

is because as of this point you will be NATing all ports to 172.16.0.12, so you are effectively saying that only that private IP should be reacable.

Is there a particular reason you want to be able to ping the public address of the DMZ from the internal network?

As the public IP is associated with the outside interface, the ASA will not allow you ping this IP because the packet would need to leave the outside interface and the be routed back to the ASA, so basically the ASA will see this as a spoofed packet and drop it. The only way around this is to configure NAT. But this depends really on what you are trying to do. If you just want to ping the public DMZ address for the sake of pinging it, this can become a very ugly and unstable configuration. However, if you are trying to allow users to connect to the company web server using the public IP, for example, because that is what the DNS server resolves the FQDN to then you could use DNS doctoring, depending on where the DNS server is located of course.

Please define your requirements for being able to ping the public IP of the DMZ so we can help you further.

Please remember to rate and select a correct answer

Hello, As soon as you enable

Julio Carvajal — Mon, 10 Mar 2014 12:45:12 GMT

Hello,

As soon as you enable the static nat you mentioned you will be able to only access the server via it's public IP.

Why would you like to access it via both IPs anyway?

When you point it to the public IP do the following

packet-tracer input inside tcp x.x.x.x 1025 y.y.y.y 3389

Where x.x.x it's an Internal IP

and y.y.y.y is the public IP of the server sitting on the DMZ

Regards

Hi, Thanks all your answer,

aung.htwe — Tue, 11 Mar 2014 02:31:46 GMT

Hi,

Thanks all your answer, so if I will access to Public IP from LAN,no way to access to DMZ LAN IP address?

Thanks,

infoakh

topic DISCUSSION (No Title) in Network Security

DISCUSSION (No Title)

The reason you lose

Hello, As soon as you enable

Hi, Thanks all your answer,