topic Re: cant ping dmz interface ? in Network Security

cant ping dmz interface ?

superlubis — Mon, 11 Mar 2019 23:29:59 GMT

i just wanna make it clear,

can i ping asa interface that not in the same zone, for example im in inside zone, i can ping asa inside interface, but i can i ping other asa interface(outside,dmz,etc) ?

just a newbie

cant ping dmz interface ?

nkarthikeyan — Thu, 12 Jul 2012 06:01:18 GMT

You cannot ping the other interface ip's of the firewall... that is a restricted by design.....

cant ping dmz interface ?

Jennifer Halim — Thu, 12 Jul 2012 06:01:24 GMT

No, you can't.

It is by design that you can't ping cross interfaces, ie: from inside host you can only ping the inside interface, and you can't ping dmz interface.

However, if you VPN in, you can ping 1 cross interface when you have the command: "management-access " configured.

cant ping dmz interface ?

nkarthikeyan — Thu, 12 Jul 2012 06:05:46 GMT

You cannot ping the distant interfaces of the firewalls from other zones.... Because the DMZ interface is not considered as the host in network... it is an firewall interface which is offering service for the dmz zone.....

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic0

Re: cant ping dmz interface ?

gouravbathla — Thu, 12 Jul 2012 06:15:51 GMT

No you Can't Ping the other interface.

But If you are connected via VPN in that case by using management access on your firewall you can ping the interface.

Re: cant ping dmz interface ?

Dinkar Sharma — Thu, 12 Jul 2012 21:50:10 GMT

Hi,

Adding to what gaurav said, you can use "management-access dmz" command to manage the dmz interface via vpn. using this command you will be able to ping.

You can use this command only for 1 interface.

Regards,

Dinkar

Re: cant ping dmz interface ?

superlubis — Fri, 13 Jul 2012 13:34:40 GMT

And then my question came to,in my understanding in wccp router id is the highest ip address of interface. If wccp server in the diffrent zone as the router id then wccp must be have route to that interface. Whats the meaning "have route" ? For sure we cannot ping that highest ip if in diffrent zone.

Thx

Re: cant ping dmz interface ?

Luis Silva Benavides — Fri, 13 Jul 2012 16:35:28 GMT

Hi Ibrahim,

Yes the router ID of the ASA will be its highest IP address, but if you take a close look to the debugs and the packets that the ASA sends when it sees the WCCP server (Here I am, I see you); the IP address that the ASA uses to send the "I see you" message is the IP address of the closest interface to WCCP server. The highest IP adddress is only used to establish the GRE tunnel and perform the traffic redirection.

Luis

Re: cant ping dmz interface ?

superlubis — Sat, 14 Jul 2012 04:49:33 GMT

one question, which ip i should give NAT/ IP Public ?

Re: cant ping dmz interface ?

Julio Carvajal — Sat, 14 Jul 2012 05:42:52 GMT

Hello Ibrahim,

No need for nat as WCCP will work just for users behind the same ASA interface, so there is no need to use nat as the traffic will not go to a different zone or the ASA.

Regards,

Julio