topic Re: Ping through the Firewall in Network Security

Ping through the Firewall

beaujoire — Mon, 11 Mar 2019 19:02:21 GMT

Hi,

I've received my ASA5510 and i'm trying to allow Ping through the Firewall between DMZ-LAN and LAN-DMZ

I use:

access-list "ICMP_LAN" permit icmp,echo,echoreply any any

access-list "ICMP_DMZ" permit icmp,echo,echoreply any any

I applied the access-list in each interface :

access-group ICMP_LAN permit in interface LAN

access-group ICMP_DMZ permit in interface DMZ

But it doesnt work , Packet tracert report that the packet is dropped by the default ACL which Deny All Traffic.

Any Ideas? Thanks

Re: Ping through the Firewall

mirober2 — Fri, 29 Oct 2010 16:12:56 GMT

Hi Thomas,

What version of ASA code are you running? Is there any NAT that should apply to this flow?

Can you post a sanitized copy of the packet tracer output and any syslogs generated when you try to ping?

-Mike

Re: Ping through the Firewall

Jitendriya Athavale — Fri, 29 Oct 2010 16:15:05 GMT

try the following

1. allow inspect in the policy-map

2. check if you have any icmp LAN statement

you can check that in the show run or show run icmp or show run | in icmp

if you have any then remove it

Re: Ping through the Firewall

beaujoire — Wed, 10 Nov 2010 16:22:29 GMT

Hi,

Sorry to be late for my reply.

I use ASA 8.2 v and ASDM 6.2. I have no ICMP LAN statement.

I've joined logs from packet tracert.

Interface LAN : 172.16.1.254

PC LAN : 172.16.1.1/16

Interface DMZ : 10.1.1.1

Private Interface for DMZ server : 10.1.1.2

PC DMZ : 194.x.x.x/29 ( public IP)

Static NAT is enable to translate :

10.1.1.2 --> 194.x.x.x.

Ping from DMZ to LAN is the Problem.

Re: Ping through the Firewall

praprama — Wed, 10 Nov 2010 16:27:17 GMT

Hi Thomas,

Could you post a sanitized config here? We can get a better picture of where things are going wrong.

Regards,

Prapanch

Re: Ping through the Firewall

Kureli Sankar — Thu, 11 Nov 2010 00:11:11 GMT

I hope you are NOT trying to ping from 10.1.1.2 to 172.16.1.254 - This will not work and it is by design. You cannot ping the far side interface.

But, if you are pinging from 10.1.1.2 to 172.16.1.1

and if you have

static (LAN,DMZ) 172.16.1.0 172.16.1.0 net 255.255.255.0

with the icmp allow acl on the LAN and DMZ interfaces it should work.

Just for testing purpose throw the ACL to allow ip any any between these two test hosts 10.1.1.2 to 172.16.1.1.

enable logging

conf t

logging on

logging buffered debug

exit

sh logg | i 10.1.1.2

-KS

Re: Ping through the Firewall

beaujoire — Tue, 16 Nov 2010 16:02:57 GMT

ok I've added :

static (LAN,DMZ) 172.16.1.0 172.16.1.0 netmask 255.255.0.0

ping from 10.1.1.2 to 172.16.1.1 works on packet tracert but doesn't work with ping command.

ping from 172.16.1.1 to 10.1.1.2 doesn't work.

I joined my running config and packet tracert logs.I am a bit lost ; i begin with cisco firewall.

Thanks.

Re: Ping through the Firewall

apothula — Wed, 17 Nov 2010 08:52:11 GMT

Hi Tom,

Also add the following command,

static (LAN,DMZ) 10.0.0.0 10.0.0.0 255.0.0.0

Please let me know if that helps.

Cheers,

Nash.

Re: Ping through the Firewall

beaujoire — Wed, 17 Nov 2010 15:44:24 GMT

Hi Nash,

I add your command but same problem ..

When i ping 172.16.1.1 to 10.1.1.2 on Packet Tracert, the Packet is still drop at NAT step.

Re: Ping through the Firewall

praprama — Wed, 17 Nov 2010 16:05:41 GMT

Hi Thomas,

The issue is with these static commands:

static (DMZ,LAN) 194.206.235.65 10.1.1.2 netmask 255.255.255.255
static (DMZ,LAN) 194.206.235.66 10.1.1.3 netmask 255.255.255.255

So what this means is that when you want to access the DMZ servers 10.1.1.2 and 10.1.1.3 from the LAN, you will have to do it using the IP addresses 194.206.235.65 and 194.206.235.66 respectively.

Now it comes down to your requirement, Do you want to access the DMZ servers from the LAN using their private or public IPs? If it's going to be using the Public IPs, remove the below command:

static (LAN,DMZ) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

If you would like to do it using the private IPs, remove the below commands:

static (DMZ,LAN) 194.206.235.65 10.1.1.2 netmask 255.255.255.255
static (DMZ,LAN) 194.206.235.66 10.1.1.3 netmask 255.255.255.255

Please note that if you are accessing the servers using the public IPs, you will have to ping the IP addresses 194.206.235.65 and 194.206.235.66 respectively.

Let me know if this helps!!

Regards,

Prapanch

Re: Ping through the Firewall

beaujoire — Wed, 17 Nov 2010 17:20:43 GMT

Ok.I agree.I want to access the DMZ servers from the LAN using their public IPs.

It works now on packet Tracert.

But for exemple,when I use Ping command on a PC from LAN and I ping the 194.x.x.x. it doesn't work.

I'm connnected on the ASA interface directly for test. Is it a problem ?

Thanks.

Re: Ping through the Firewall

praprama — Thu, 18 Nov 2010 02:09:34 GMT

Hi,

if there is a windows or any other firewall on the DMZ servers, please disable and check if you are able to ping those. Also, please apply captures on the ASA to see how packets are flowing and if they are getting dropped:

https://supportforums.cisco.com/docs/DOC-1222

regards,

Prapanch

Re: Ping through the Firewall

beaujoire — Fri, 26 Nov 2010 15:10:48 GMT

ok. done. I Have a gateway problem.

I Continue my configuration and i have another question. ( sorry )

I want to configure NAT for the LAN network. A pc from the LAN must go on the internet with the IP WAN interface.

I configure this rule :

Global (WAN) 1 interface

NAT (LAN) 1 172.16.0.0 255.255.0.0

The problem is that when I want to access my DMZ public servers from the LAN, The rule above is applied on the DMZ interface too.

So Comunication between LAN-DMZ does not work anymore.

I just specified the WAN interface in the rule so i don't understand ..

should I use some exemptions ?

Thanks

Re: Ping through the Firewall

Kureli Sankar — Fri, 26 Nov 2010 19:56:31 GMT

Do you have this line in the config?

static (LAN,DMZ) 172.16.1.0 172.16.1.0 net 255.255.255.0

You need that for source address translation from the inside to dmz.

copy and paste the output of the following and tell us which network has trouble getting where?

sh run nat

sh run global

sh run static

-KS

Re: Ping through the Firewall

beaujoire — Tue, 30 Nov 2010 17:00:49 GMT

I want to access the DMZ servers from the LAN using their public IPs. (I follow comment from Prapanch Ramamoorthy)
So I removed this line :

static (LAN,DMZ) 172.16.1.0 172.16.1.0 net 255.255.255.0

output of the following command :

Show run nat
NAT (LAN) 0 access-list LAN_nat0_outbound
NAT (LAN) 1 172.16.0.0 255.255.0.0

show run global
global (WAN) 1 interface

show run static
static (DMZ,LAN) 194.x.x.x 10.1.1.2 netmask 255.255.255.255
static (DMZ,LAN) 194.x.x.y 10.1.1.3 netmask 255.255.255.255
static (DMZ,WAN) 194.x.x.x 10.1.1.2 netmask 255.255.255.255
static (DMZ,WAN) 194.x.x.y 10.1.1.3 netmask 255.255.255.255

Re: Ping through the Firewall

Kureli Sankar — Wed, 01 Dec 2010 03:20:46 GMT

So, does this work now?

static (LAN,DMZ) 172.16.1.0 172.16.1.0 net 255.255.255.0

and

NAT (LAN) 0 access-list LAN_nat0_outbound

The above two are the same.

-KS