topic DMZ to other DMZ cannot discuss in Network Security

topic DMZ to other DMZ cannot discuss in Network Security https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048088#M403333 <HTML><HEAD></HEAD><BODY><P>I v do now but cannot arrive to ping from 172.16.254.1 to 172.30.20.1</P></BODY></HTML> Tue, 16 Oct 2012 12:14:07 GMT o.fulbert 2012-10-16T12:14:07Z DMZ to other DMZ cannot discuss https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048076#M403321 <P>Hi,</P><P></P><P>     I try to find a solution but got some problem ... </P><P></P><P>     I got Two DMZ, one name "Dmz" and other "service" I can have the same security level but not a problem. I want that traffic from Dmz to service works in some TCP port to some IP and from service to Dmz same.</P><P></P><P>     I v do access-list in interface service but when I apply it, the traffic outbound doesn't works.</P><P></P><P>     Some one have idea ? I dont want to user NAT for traffic for traffic to/from Dmz inside and service.</P><P></P><P></P><P>ASA Version 8.2(1) </P><P>!</P><P>hostname ASA5510</P><P>domain-name xxxx.com</P><P>enable password xxxx</P><P>passwd xxxxxx</P><P>names</P><P>!</P><P>interface Ethernet0/0</P><P> description Connection to Fiber Internet / Public IP</P><P> speed 100</P><P> duplex full</P><P> nameif outside</P><P> security-level 0</P><P> ip address xx.xx.xx.xx 255.255.255.0 </P><P>!</P><P>interface Ethernet0/1</P><P> nameif inside</P><P> security-level 100</P><P> ip address 192.168.100.254 255.255.255.0 </P><P>!</P><P>interface Ethernet0/2</P><P> description Connection DMZ; </P><P> nameif Dmz   </P><P> security-level 50</P><P> ip address 172.16.254.254 255.255.255.0 </P><P>!</P><P>interface Ethernet0/3</P><P> nameif service</P><P> security-level 50</P><P> ip address 172.30.20.254 255.255.255.0 </P><P>!</P><P>interface Management0/0</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>ftp mode passive</P><P>clock timezone CEST 1</P><P>clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00</P><P>dns server-group DefaultDNS</P><P> domain-name ocea.net</P><P>object-group network DM_INLINE_NETWORK_1</P><P> network-object 192.168.100.0 255.255.255.0</P><P>object-group network DM_INLINE_NETWORK_2</P><P> network-object 172.16.254.0 255.255.255.0</P><P> network-object 192.168.100.0 255.255.255.0</P><P>object-group network DM_INLINE_NETWORK_3</P><P> network-object 172.16.254.0 255.255.255.0</P><P> network-object 192.168.100.0 255.255.255.0</P><P>object-group network DM_INLINE_NETWORK_4</P><P> network-object 192.168.100.0 255.255.255.0</P><P> network-object 172.30.20.0 255.255.255.0</P><P>object-group network DM_INLINE_NETWORK_5</P><P> network-object 172.30.20.0 255.255.255.0</P><P> network-object 192.168.100.0 255.255.255.0</P><P>access-list Enter extended permit tcp any host xx.xx.xx.201 eq 3389 </P><P>access-list Enter extended permit tcp any host xx.xx.xx.202 eq 3389 </P><P>access-list Enter extended permit tcp any host xx.xx.xx.203 eq 8080 </P><P>access-list Enter extended permit tcp any host xx.xx.xx.203 eq ftp </P><P>access-list Enter extended permit tcp any host xx.xx.xx.203 eq gopher </P><P>access-list Enter extended permit tcp any host xx.xx.xx.203 eq 63 </P><P>access-list Enter extended permit tcp any host xx.xx.xx.203 eq 11438 </P><P>access-list Enter extended permit tcp any host xx.xx.xx.203 eq https </P><P>access-list Enter extended permit tcp any host xx.xx.xx.203 eq www </P><P>access-list Enter extended permit tcp any host xx.xx.xx.203 eq pop3 </P><P>access-list Enter extended permit tcp any host xx.xx.xx.203 eq smtp </P><P>access-list Enter extended permit tcp any host xx.xx.xx.210 eq https </P><P>access-list Enter extended permit tcp any host xx.xx.xx.210 eq www </P><P>access-list Enter extended permit tcp any host xx.xx.xx.211 eq https </P><P>access-list Enter extended permit tcp any host xx.xx.xx.211 eq www </P><P>access-list Enter extended permit tcp any host xx.xx.xx.202 eq ftp </P><P>access-list Enter extended permit tcp any host xx.xx.xx.231 eq 27000 </P><P>access-list Enter extended permit tcp any host xx.xx.xx.231 eq 28001 </P><P>access-list Enter extended permit tcp any host xx.xx.xx.232 eq 2800 </P><P>access-list Enter extended permit icmp any any echo-reply </P><P>access-list Enter extended permit icmp any any source-quench </P><P>access-list Enter extended permit icmp any any unreachable </P><P>access-list Enter extended permit icmp any any time-exceeded </P><P>access-list Enter extended permit tcp any host xx.xx.xx.231 eq https </P><P>access-list Enter extended permit tcp any host xx.xx.xx.204 eq 8080 </P><P>access-list Enter extended permit tcp any host xx.xx.xx.204 eq ftp </P><P>access-list Enter extended permit tcp any host xx.xx.xx.204 eq gopher </P><P>access-list Enter extended permit tcp any host xx.xx.xx.204 eq 63 </P><P>access-list Enter extended permit tcp any host xx.xx.xx.204 eq 11438 </P><P>access-list Enter extended permit tcp any host xx.xx.xx.204 eq https </P><P>access-list Enter extended permit tcp any host xx.xx.xx.204 eq www </P><P>access-list Enter extended permit tcp any host xx.xx.xx.204 eq pop3 </P><P>access-list Enter extended permit tcp any host xx.xx.xx.204 eq smtp </P><P>access-list Enter extended permit tcp any host xx.xx.xx.232 eq 27000 </P><P>access-list Enter extended permit tcp any host xx.xx.xx.233 eq 27000 </P><P>access-list Enter extended permit tcp any host xx.xx.xx.234 eq 27000 </P><P>access-list Enter extended permit tcp any host xx.xx.xx.235 eq 27000 </P><P>access-list Enter extended permit tcp any host xx.xx.xx.232 eq 29000 </P><P>access-list Enter extended permit tcp any host xx.xx.xx.233 eq 29000 </P><P>access-list Enter extended permit tcp any host xx.xx.xx.234 eq 29000 </P><P>access-list Enter extended permit tcp any host xx.xx.xx.235 eq 29000 </P><P>access-list Enter extended permit tcp any host xx.xx.xx.231 eq 29000 </P><P>access-list ocea-groupe_splitTunnelAcl standard permit 172.16.254.0 255.255.255.0 </P><P>access-list ocea-groupe_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0 </P><P>access-list ocea-groupe_splitTunnelAcl standard permit 172.30.20.0 255.255.255.0 </P><P>access-list inside-nat0 extended permit ip object-group DM_INLINE_NETWORK_1 10.254.254.0 255.255.255.192 </P><P>access-list inside-nat0 extended permit ip object-group DM_INLINE_NETWORK_2 192.1.1.0 255.255.255.0 </P><P>access-list inside-nat0 extended permit ip object-group DM_INLINE_NETWORK_3 192.168.105.0 255.255.255.0 </P><P>access-list inside-nat0 extended permit ip 192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0 </P><P>access-list dmz-nat0 extended permit ip 172.16.254.0 255.255.255.0 10.254.254.0 255.255.255.192 </P><P>access-list dmz-nat0 extended permit ip 172.16.254.0 255.255.255.0 10.253.253.0 255.255.255.192 </P><P>access-list dmz-nat0 extended permit ip 172.16.254.0 255.255.255.0 192.168.182.0 255.255.255.0 </P><P>access-list dmz-nat0 extended permit ip 172.16.254.0 255.255.255.0 192.1.1.0 255.255.255.0 </P><P>access-list dmz-nat0 extended permit ip 172.16.254.0 255.255.255.0 192.168.105.0 255.255.255.0 </P><P>access-list dmz-groupe_splitTunnelAcl standard permit 172.16.254.0 255.255.255.0 </P><P>access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 192.1.1.0 255.255.255.0 </P><P>access-list outside_3_cryptomap extended permit ip object-group DM_INLINE_NETWORK_3 192.168.105.0 255.255.255.0 </P><P>access-list outside_1_cryptomap extended permit ip 172.16.254.0 255.255.255.0 192.168.182.0 255.255.255.0 </P><P>access-list Enter-DMZ extended permit icmp any any echo-reply </P><P>access-list Enter-DMZ extended permit icmp any any source-quench </P><P>access-list Enter-DMZ extended permit icmp any any unreachable </P><P>access-list Enter-DMZ extended permit icmp any any time-exceeded </P><P>access-list service-Enter extended permit ip 172.30.20.0 255.255.255.0 192.168.100.0 255.255.255.0 </P><P>access-list service-Enter extended permit ip 172.30.20.0 255.255.255.0 172.16.254.0 255.255.255.0 </P><P>access-list outside_4_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 192.168.99.0 255.255.255.0 </P><P>access-list service-nat0 extended permit ip 172.30.20.0 255.255.255.0 10.254.254.0 255.255.255.192 </P><P>access-list service-nat0 extended permit ip 172.30.20.0 255.255.255.0 10.253.253.0 255.255.255.192 </P><P>access-list service-nat0 extended permit ip 172.30.20.0 255.255.255.0 192.168.99.0 255.255.255.0 </P><P>access-list UMCPG-CRYPTOMAP extended permit ip object-group DM_INLINE_NETWORK_5 192.168.99.0 255.255.255.0 </P><P>access-list UMCPG-CRYPTOMAP extended permit ip 192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0 </P><P></P><P>ip local pool pool1remoteuser 10.254.254.1-10.254.254.50 mask 255.255.255.0</P><P>ip local pool pool2remoteuser 10.253.253.1-10.253.253.50 mask 255.255.255.0</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>global (outside) 2 xx.xx.xx.254</P><P>global (outside) 1 xx.xx.xx.253</P><P>nat (inside) 0 access-list inside-nat0</P><P>nat (inside) 1 192.168.100.0 255.255.255.0</P><P>nat (Dmz) 0 access-list dmz-nat0</P><P>nat (Dmz) 2 172.16.254.0 255.255.255.0</P><P>nat (service) 0 access-list service-nat0</P><P>nat (service) 2 172.30.20.0 255.255.255.0</P><P>static (inside,Dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0 </P><P>static (Dmz,outside) xx.xx.xx.201 172.16.254.1 netmask 255.255.255.255 </P><P>static (Dmz,outside) xx.xx.xx.xx 172.16.254.2 netmask 255.255.255.255 </P><P>static (inside,outside) xx.xx.xx.210 192.168.100.200 netmask 255.255.255.255 </P><P>static (inside,outside) xx.xx.xx.211 192.168.100.201 netmask 255.255.255.255 </P><P>static (inside,service) 192.168.100.0 192.168.100.0 netmask 255.255.255.0 </P><P>static (service,outside) xx.xx.xx.232 172.30.20.2 netmask 255.255.255.255 </P><P>static (service,outside) xx.xx.xx.231 172.30.20.1 netmask 255.255.255.255 </P><P>static (service,outside) xx.xx.xx.233 172.30.20.3 netmask 255.255.255.255 </P><P>static (service,outside) xx.xx.xx.234 172.30.20.4 netmask 255.255.255.255 </P><P>static (service,outside) xx.xx.xx.235 172.30.20.5 netmask 255.255.255.255 </P><P>static (inside,outside) xx.xx.xx.203 192.168.100.45 netmask 255.255.255.255 </P><P>static (Dmz,outside) xx.xx.xx.204 172.16.254.246 netmask 255.255.255.255 </P><P>static (Dmz,service) 172.16.254.0 172.16.254.0 netmask 255.255.255.0 </P><P>access-group Enter in interface outside</P><P>access-group service-Enter in interface service</P><P>route outside 0.0.0.0 0.0.0.0 xx.xx.xx.193 1</P> Tue, 12 Mar 2019 00:09:49 GMT https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048076#M403321 o.fulbert 2019-03-12T00:09:49Z DMZ to other DMZ cannot discuss https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048077#M403322 <HTML><HEAD></HEAD><BODY><P>You would also need to configure:</P><P>same-security-traffic permit inter-interface</P></BODY></HTML> Tue, 16 Oct 2012 10:23:44 GMT https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048077#M403322 Jennifer Halim 2012-10-16T10:23:44Z DMZ to other DMZ cannot discuss https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048078#M403323 <HTML><HEAD></HEAD><BODY><P>I ve apply this but not works</P></BODY></HTML> Tue, 16 Oct 2012 10:29:55 GMT https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048078#M403323 o.fulbert 2012-10-16T10:29:55Z DMZ to other DMZ cannot discuss https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048079#M403324 <HTML><HEAD></HEAD><BODY><P>Can you pls advise what exactly you are testing with?</P><P>source IP, destination IP and protocol and ports would be a good start.</P><P></P><P>Also try with packet tracer to see if that works fine.</P><P></P><P>Assuming that without access-list applied to the service interface, the traffic flow is OK?</P></BODY></HTML> Tue, 16 Oct 2012 10:32:36 GMT https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048079#M403324 Jennifer Halim 2012-10-16T10:32:36Z DMZ to other DMZ cannot discuss https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048080#M403325 <HTML><HEAD></HEAD><BODY><P>I try to ping or access http  from 172.16.254.1 to 172.30.20.1. after I need to access from 172.30.20.1 to 172.16.254.1 to tcp port 26001.</P><P></P><P>When I get out access-list service, I just can have access to outside webserver and inside to service. But cannot have service to inside ping and have access to specify port.</P></BODY></HTML> Tue, 16 Oct 2012 10:39:13 GMT https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048080#M403325 o.fulbert 2012-10-16T10:39:13Z DMZ to other DMZ cannot discuss https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048081#M403326 <HTML><HEAD></HEAD><BODY><P>Thanks. Can you pls share the whole config.</P><P></P><P>For ping, do you have "inspect icmp" under the global policy-map?</P><P></P><P>I assume that both hosts have default gateway configured to be the respective ASA interfaces, right?</P><P></P><P>Also, the host only have 1 NIC?</P><P></P><P>Lastly, is there any firewall on the host that might prevent inbound access from different subnet?</P></BODY></HTML> Tue, 16 Oct 2012 10:42:31 GMT https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048081#M403326 Jennifer Halim 2012-10-16T10:42:31Z DMZ to other DMZ cannot discuss https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048082#M403327 <HTML><HEAD></HEAD><BODY><P>Yes One Gw on all host. No Fw between and 1 nic.</P><P></P><P>Yes for inspect icmp on global policy</P></BODY></HTML> Tue, 16 Oct 2012 10:46:26 GMT https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048082#M403327 o.fulbert 2012-10-16T10:46:26Z DMZ to other DMZ cannot discuss https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048083#M403328 <HTML><HEAD></HEAD><BODY><P>Fw on the host itself i mean. What OS is the host?</P></BODY></HTML> Tue, 16 Oct 2012 10:47:47 GMT https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048083#M403328 Jennifer Halim 2012-10-16T10:47:47Z DMZ to other DMZ cannot discuss https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048084#M403329 <HTML><HEAD></HEAD><BODY><P>No Firewall. Just Windows 2003 Srv.</P></BODY></HTML> Tue, 16 Oct 2012 11:50:43 GMT https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048084#M403329 o.fulbert 2012-10-16T11:50:43Z DMZ to other DMZ cannot discuss https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048085#M403330 <HTML><HEAD></HEAD><BODY><P>Sorry, just want to be sure, what about the default Windows Firewall?</P><P></P><P>Also, have you tried packet tracer on the ASA to simulate your traffic and see if it passes through OK.</P></BODY></HTML> Tue, 16 Oct 2012 11:53:13 GMT https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048085#M403330 Jennifer Halim 2012-10-16T11:53:13Z DMZ to other DMZ cannot discuss https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048086#M403331 <HTML><HEAD></HEAD><BODY><P>I ve re check. Fw is disable on two host.</P><P></P><P>I discover this command !</P><P></P><P>ASA5510# packet-tracer input service tcp 172.30.20.1 www 172.16.254.1$</P><P></P><P>Phase: 1</P><P>Type: ACCESS-LIST</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in  id=0xd9194760, priority=1, domain=permit, deny=false</P><P>        hits=109622866, user_data=0x0, cs_id=0x0, l3_type=0x8</P><P>        src mac=0000.0000.0000, mask=0000.0000.0000</P><P>        dst mac=0000.0000.0000, mask=0000.0000.0000</P><P></P><P>Phase: 2</P><P>Type: FLOW-LOOKUP</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>Found no matching flow, creating a new flow</P><P></P><P>Phase: 3</P><P>Type: UN-NAT</P><P>Subtype: static</P><P>Result: ALLOW </P><P>Config:</P><P>static (Dmz,service) 172.16.254.0 172.16.254.0 netmask 255.255.255.0 </P><P>  match ip Dmz 172.16.254.0 255.255.255.0 service any</P><P>    static translation to 172.16.254.0</P><P>    translate_hits = 21, untranslate_hits = 68</P><P>Additional Information:</P><P>NAT divert to egress interface Dmz</P><P>Untranslate 172.16.254.0/0 to 172.16.254.0/0 using netmask 255.255.255.0</P><P></P><P>Phase: 4</P><P>Type: ACCESS-LIST</P><P>Subtype: log</P><P>Result: ALLOW</P><P>Config:</P><P>access-group service-Enter in interface service</P><P>access-list service-Enter extended permit ip 172.30.20.0 255.255.255.0 172.16.254.0 255.255.255.0 </P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in  id=0xd9b21ba0, priority=12, domain=permit, deny=false</P><P>        hits=0, user_data=0xd67d6800, cs_id=0x0, flags=0x0, protocol=0</P><P>        src ip=172.30.20.0, mask=255.255.255.0, port=0</P><P>        dst ip=172.16.254.0, mask=255.255.255.0, port=0, dscp=0x0</P><P></P><P>Phase: 5      </P><P>Type: IP-OPTIONS</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in  id=0xd9010368, priority=0, domain=permit-ip-option, deny=true</P><P>        hits=100675, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0</P><P>        src ip=0.0.0.0, mask=0.0.0.0, port=0</P><P>        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P></P><P>Phase: 6</P><P>Type: NAT</P><P>Subtype: host-limits</P><P>Result: ALLOW</P><P>Config:</P><P>static (service,outside) xx.xx.xx.xx 172.30.20.1 netmask 255.255.255.255 </P><P>  match ip service host 172.30.20.1 outside any</P><P>    static translation to xx.xx.xx.xx</P><P>    translate_hits = 1554, untranslate_hits = 24401</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in  id=0xd9a1a430, priority=5, domain=host, deny=false</P><P>        hits=115779, user_data=0xd7ad1318, cs_id=0x0, reverse, flags=0x0, protocol=0</P><P>        src ip=172.30.20.1, mask=255.255.255.255, port=0</P><P>        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P></P><P>Phase: 7</P><P>Type: NAT</P><P>Subtype: </P><P>Result: DROP</P><P>Config:</P><P>nat (service) 2 172.30.20.0 255.255.255.0</P><P>  match ip service 172.30.20.0 255.255.255.0 Dmz any</P><P>    dynamic translation to pool 2 (No matching global)</P><P>    translate_hits = 1, untranslate_hits = 0</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in  id=0xd9b21568, priority=1, domain=nat, deny=false</P><P>        hits=0, user_data=0xd9b214a8, cs_id=0x0, flags=0x0, protocol=0</P><P>        src ip=172.30.20.0, mask=255.255.255.0, port=0</P><P>        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P></P><P>Result:</P><P>input-interface: service</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: Dmz</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: drop</P><P>Drop-reason: (acl-drop) Flow is denied by configured rule</P><P></P><P>ASA5510#   </P></BODY></HTML> Tue, 16 Oct 2012 12:01:33 GMT https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048086#M403331 o.fulbert 2012-10-16T12:01:33Z DMZ to other DMZ cannot discuss https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048087#M403332 <HTML><HEAD></HEAD><BODY><P>Have you "clear xlate" after the static NAT configuration?</P><P>Can you please issue "clear xlate" and test again.</P></BODY></HTML> Tue, 16 Oct 2012 12:11:33 GMT https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048087#M403332 Jennifer Halim 2012-10-16T12:11:33Z DMZ to other DMZ cannot discuss https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048088#M403333 <HTML><HEAD></HEAD><BODY><P>I v do now but cannot arrive to ping from 172.16.254.1 to 172.30.20.1</P></BODY></HTML> Tue, 16 Oct 2012 12:14:07 GMT https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048088#M403333 o.fulbert 2012-10-16T12:14:07Z DMZ to other DMZ cannot discuss https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048089#M403334 <HTML><HEAD></HEAD><BODY><P>Does it work the other way round?</P><P>Can you ping from 172.30.20.1 to 172.16.254.1? </P><P>Can you try to ping other hosts?</P></BODY></HTML> Tue, 16 Oct 2012 12:17:23 GMT https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048089#M403334 Jennifer Halim 2012-10-16T12:17:23Z DMZ to other DMZ cannot discuss https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048090#M403335 <HTML><HEAD></HEAD><BODY><P>Doesn t works. I ve try with my own laptop.</P></BODY></HTML> Tue, 16 Oct 2012 12:23:19 GMT https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048090#M403335 o.fulbert 2012-10-16T12:23:19Z DMZ to other DMZ cannot discuss https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048091#M403336 <HTML><HEAD></HEAD><BODY><P>check if your laptop have windows FW enabled.</P><P>Run "debug icmp trace" and see where it's failing</P></BODY></HTML> Tue, 16 Oct 2012 12:24:38 GMT https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048091#M403336 Jennifer Halim 2012-10-16T12:24:38Z DMZ to other DMZ cannot discuss https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048092#M403337 <HTML><HEAD></HEAD><BODY><P>nothing on the trace ... I ve check firewall on my laptop</P></BODY></HTML> Tue, 16 Oct 2012 12:38:40 GMT https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048092#M403337 o.fulbert 2012-10-16T12:38:40Z DMZ to other DMZ cannot discuss https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048093#M403338 <HTML><HEAD></HEAD><BODY><P>nothing on the trace meaning the ping doesn't even get to the firewall.</P><P></P><P>if you try to ping the firewall interface itself, do you see anything in the trace? and does the ping work?</P></BODY></HTML> Tue, 16 Oct 2012 12:40:21 GMT https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048093#M403338 Jennifer Halim 2012-10-16T12:40:21Z DMZ to other DMZ cannot discuss https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048094#M403339 <HTML><HEAD></HEAD><BODY><P>So ... I don' t understand.  I see other ping when I m on inside ping. When I ping interface I see trace but when I try to pass through the fw to dmz to service It fall ... </P></BODY></HTML> Tue, 16 Oct 2012 12:52:54 GMT https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048094#M403339 o.fulbert 2012-10-16T12:52:54Z DMZ to other DMZ cannot discuss https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048095#M403340 <HTML><HEAD></HEAD><BODY><P>Just wondering, does it work when you have different security level on the 2 interfaces?</P><P>Try to configure security level of 45 on the "service" interface.</P></BODY></HTML> Tue, 16 Oct 2012 12:55:21 GMT https://community.cisco.com/t5/network-security/dmz-to-other-dmz-cannot-discuss/m-p/2048095#M403340 Jennifer Halim 2012-10-16T12:55:21Z