https://community.cisco.com/t5/network-security/pinging-dmz-server-from-outside-without-applying-access-list-to/m-p/1259746#M858577 <HTML><HEAD></HEAD><BODY><P>Answering your question "1.Im able to ping 192.168.100.215 server in DMZ from outside source ip 192.168.255.1 how?"...because of following rule:</P><P>!</P><P>access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.100.0 255.255.255.0</P><P>!</P><P>When you allow ip access... you are allowing mostly anything from Internet. Make note that ICMP &amp; IGMP operate on top of IP but do not transport data like UDP or TCP.... Also, not taking too much time...the following is wrong as well:</P><P>! </P><P>access-list DMZ_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.100.0 255.255.255.0</P><P>!</P><P>Why? Because if your DMZ is only 192.168.100.x...then you should always see 192.168.100.x after your permit + protocol and not 192.168.255.x</P><P>!</P><P>If 192.168.255.x is coming from outside &amp; you wanted to give 100% access to your DMZ (which no one does), the correct statement would be (as you have): </P><P>!</P><P>access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.0.0 255.255.255.0</P><P>!</P><P>Via above command, you are giving Internet users on 192.168.255.x segment total access to any 192.168.0.0 no matter what interface (inside or DMZ).</P><P>!</P><P>Note: Make sure you have the following as well</P><P>!</P><P>Access-list inside_access_all permit ip any any</P><P>!</P><P>access-group inside_access_all in interface inside</P><P>!</P><P>access-list DMZ_access_all permit icmp any any</P><P>!</P><P>also add your other dmz servers accessing inside or outside after this line</P><P>!</P><P>access-group DMZ_access_all in interface DMZ</P><P>!</P><P>Note: why am I, calling this DMZ_access_all and not DMZ_access_inâ&#128;¦because sooner or later, your DMZ servers need to access http, ftp, https outside and you can only have 2 access group only depending on direction of trafficâ&#128;¦ Most FW admin config call for one access group per interface. Also, more recent codes require you to have a access group on inside interface... however its a godd idea to have this, in case later you have an inside host attacking outside, you can block that inside host by placing an access list on top of permit ip an any... I hope this helps and good luck... Matt</P><P></P></BODY></HTML> Sun, 19 Jul 2009 15:38:18 GMT mattmatin007 2009-07-19T15:38:18Z https://community.cisco.com/t5/network-security/pinging-dmz-server-from-outside-without-applying-access-list-to/m-p/1259743#M858571 <P>************************</P><P>Kindly look on the configuration and guide me please.</P><P>************************</P><P></P><P>interface GigabitEthernet0/0</P><P> nameif outside</P><P> security-level 0</P><P> ip address 10.10.10.2 255.255.255.252 </P><P>!</P><P>interface GigabitEthernet0/1</P><P> nameif Inside</P><P> security-level 100</P><P> ip address 192.168.0.1 255.255.255.0 </P><P>!</P><P>interface GigabitEthernet0/2</P><P> nameif DMZ</P><P> security-level 50</P><P> ip address 192.168.100.1 255.255.255.0 </P><P>! </P><P>interface GigabitEthernet0/3</P><P> description LAN Failover Interface</P><P>!</P><P>interface Management0/0</P><P> nameif management</P><P> security-level 100</P><P> ip address 192.168.1.1 255.255.255.0 </P><P> management-only</P><P>!</P><P>boot system disk0:/asa804-k8.bin</P><P>ftp mode passive</P><P>dns server-group DefaultDNS</P><P> domain-name default.domain.invalid</P><P>access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.210 eq ftp </P><P>access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq www </P><P>access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.204 eq www </P><P>access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.0.0 255.255.255.0 </P><P>access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.0.0 255.255.255.0 </P><P>access-list outside_access_in extended permit tcp host 192.168.22.38 host 192.168.0.201 eq 8080 </P><P>access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq 7777 </P><P>access-list outside_access_in extended deny tcp host 192.168.22.38 host 192.168.0.201 eq 7777 </P><P>access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.201 eq 8080 </P><P>access-list outside_access_in extended permit icmp 192.168.22.0 255.255.255.0 192.168.0.0 255.255.255.0 </P><P>access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 8080 </P><P>access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 7777 </P><P>access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.100.0 255.255.255.0 </P><P>access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.100.0 255.255.255.0 </P><P>access-list nonat extended permit ip 192.168.0.0 255.255.255.0 any </P><P>access-list DMZ_access_in extended permit ip host 192.168.100.0 192.168.0.0 255.255.255.0 </P><P>access-list DMZ_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.100.0 255.255.255.0 </P><P>access-list nonatDMZ extended permit ip 192.168.100.0 255.255.255.0 any </P><P>access-list traffic_for_ips extended permit ip any any </P><P>pager lines 24</P><P>logging asdm informational</P><P>mtu outside 1500</P><P>mtu Inside 1500</P><P>mtu DMZ 1500 </P><P>mtu management 1500</P><P>ip verify reverse-path interface outside</P><P>ip verify reverse-path interface Inside</P><P>failover </P><P>failover lan unit primary</P><P>failover lan interface failovetr-int GigabitEthernet0/3</P><P>failover replication http</P><P>failover interface ip failovetr-int 10.250.250.1 255.255.255.252 standby 10.250.250.2</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>asdm image disk0:/asdm-61551.bin</P><P>asdm history enable</P><P>arp timeout 14400</P><P>nat (Inside) 0 access-list nonat</P><P>nat (DMZ) 0 access-list nonatDMZ</P><P>static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 </P><P>access-group outside_access_in in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 10.10.10.1 1</P> Mon, 11 Mar 2019 15:56:40 GMT https://community.cisco.com/t5/network-security/pinging-dmz-server-from-outside-without-applying-access-list-to/m-p/1259743#M858571 aamirkiani 2019-03-11T15:56:40Z https://community.cisco.com/t5/network-security/pinging-dmz-server-from-outside-without-applying-access-list-to/m-p/1259744#M858574 <HTML><HEAD></HEAD><BODY><P>Pls. provide the output of "sh run policy-map" make sure there inspect icmp is enabled.</P><P></P><P>example:</P><P></P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect ftp</P><P> .</P><P> .</P><P> .</P><P> inspect icmp</P><P></P><P>service-policy global_policy global</P><P></P><P></P><P></P></BODY></HTML> Sun, 19 Jul 2009 12:07:06 GMT https://community.cisco.com/t5/network-security/pinging-dmz-server-from-outside-without-applying-access-list-to/m-p/1259744#M858574 Kureli Sankar 2009-07-19T12:07:06Z https://community.cisco.com/t5/network-security/pinging-dmz-server-from-outside-without-applying-access-list-to/m-p/1259745#M858575 <HTML><HEAD></HEAD><BODY><P>**********************</P><P>Kindly look at my configuration and guide me how i can solve my problem,</P><P>1.Im able to ping 192.168.100.215 server in DMZ from outside source ip 192.168.255.1 how? it is possible without apply access list to DMZ interface.2. when im applying access list to DMZ inerface then from outside im not able to ping DMZ server 192.168.100.215.why?</P><P>3. I want to access to DMZ network from Inside network. if any thing wrong pleae guide me.my complete ASA configuration as following.</P><P>******************************************* ASA Version 8.0(4) </P><P>interface GigabitEthernet0/0</P><P> nameif outside</P><P> security-level 0</P><P> ip address 10.10.10.2 255.255.255.252 </P><P>interface GigabitEthernet0/1</P><P> nameif Inside</P><P> security-level 100</P><P> ip address 192.168.0.1 255.255.255.0 </P><P>interface GigabitEthernet0/2</P><P> nameif DMZ</P><P> security-level 50</P><P> ip address 192.168.100.1 255.255.255.0 </P><P>interface GigabitEthernet0/3</P><P> description LAN Failover Interface</P><P>interface Management0/0</P><P> nameif management</P><P> security-level 100</P><P> ip address 192.168.1.1 255.255.255.0 </P><P> management-only</P><P>access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.210 eq ftp </P><P>access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq www </P><P>access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.204 eq www </P><P>access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.0.0 255.255.255.0 </P><P>access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.0.0 255.255.255.0 </P><P>access-list outside_access_in extended permit tcp host 192.168.22.38 host 192.168.0.201 eq 8080 </P><P>access-list outside_access_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.0.201 eq 7777 </P><P>access-list outside_access_in extended deny tcp host 192.168.22.38 host 192.168.0.201 eq 7777 </P><P>access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.201 eq 8080 </P><P>access-list outside_access_in extended permit icmp 192.168.22.0 255.255.255.0 192.168.0.0 255.255.255.0 </P><P>access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 8080 </P><P>access-list outside_access_in extended permit tcp host 192.168.22.100 host 192.168.0.204 eq 7777 </P><P>access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.100.0 255.255.255.0 </P><P>access-list outside_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.100.0 255.255.255.0 </P><P>access-list nonat extended permit ip 192.168.0.0 255.255.255.0 any </P><P>access-list DMZ_access_in extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0 </P><P>access-list DMZ_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.100.0 255.255.255.0 </P><P>access-list DMZ_access_in extended permit icmp 10.10.10.0 255.255.255.252 192.168.100.0 255.255.255.0 </P><P>access-list nonatDMZ extended permit ip 192.168.100.0 255.255.255.0 any </P><P>access-list traffic_for_ips extended permit ip any any </P><P>nat (Inside) 0 access-list nonat</P><P>nat (DMZ) 0 access-list nonatDMZ</P><P>static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 </P><P>access-group outside_access_in in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 10.10.10.1 1</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>class-map ips_class_map</P><P> match access-list traffic_for_ips</P><P>policy-map type inspect dns migrated_dns_map_2</P><P> parameters</P><P> message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect dns migrated_dns_map_2 </P><P> inspect ftp </P><P> inspect h323 h225 </P><P> inspect h323 ras </P><P> inspect rsh </P><P> inspect rtsp </P><P> inspect esmtp </P><P> inspect sqlnet </P><P> inspect skinny </P><P> inspect sunrpc </P><P> inspect xdmcp </P><P> inspect sip </P><P> inspect netbios </P><P> inspect tftp </P><P> inspect icmp </P><P> class ips_class_map</P><P> ips inline fail-open</P><P>: end</P><P>ASA# </P><P></P></BODY></HTML> Sun, 19 Jul 2009 12:26:20 GMT https://community.cisco.com/t5/network-security/pinging-dmz-server-from-outside-without-applying-access-list-to/m-p/1259745#M858575 aamirkiani 2009-07-19T12:26:20Z https://community.cisco.com/t5/network-security/pinging-dmz-server-from-outside-without-applying-access-list-to/m-p/1259746#M858577 <HTML><HEAD></HEAD><BODY><P>Answering your question "1.Im able to ping 192.168.100.215 server in DMZ from outside source ip 192.168.255.1 how?"...because of following rule:</P><P>!</P><P>access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.100.0 255.255.255.0</P><P>!</P><P>When you allow ip access... you are allowing mostly anything from Internet. Make note that ICMP &amp; IGMP operate on top of IP but do not transport data like UDP or TCP.... Also, not taking too much time...the following is wrong as well:</P><P>! </P><P>access-list DMZ_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.100.0 255.255.255.0</P><P>!</P><P>Why? Because if your DMZ is only 192.168.100.x...then you should always see 192.168.100.x after your permit + protocol and not 192.168.255.x</P><P>!</P><P>If 192.168.255.x is coming from outside &amp; you wanted to give 100% access to your DMZ (which no one does), the correct statement would be (as you have): </P><P>!</P><P>access-list outside_access_in extended permit ip 192.168.255.0 255.255.255.0 192.168.0.0 255.255.255.0</P><P>!</P><P>Via above command, you are giving Internet users on 192.168.255.x segment total access to any 192.168.0.0 no matter what interface (inside or DMZ).</P><P>!</P><P>Note: Make sure you have the following as well</P><P>!</P><P>Access-list inside_access_all permit ip any any</P><P>!</P><P>access-group inside_access_all in interface inside</P><P>!</P><P>access-list DMZ_access_all permit icmp any any</P><P>!</P><P>also add your other dmz servers accessing inside or outside after this line</P><P>!</P><P>access-group DMZ_access_all in interface DMZ</P><P>!</P><P>Note: why am I, calling this DMZ_access_all and not DMZ_access_inâ&#128;¦because sooner or later, your DMZ servers need to access http, ftp, https outside and you can only have 2 access group only depending on direction of trafficâ&#128;¦ Most FW admin config call for one access group per interface. Also, more recent codes require you to have a access group on inside interface... however its a godd idea to have this, in case later you have an inside host attacking outside, you can block that inside host by placing an access list on top of permit ip an any... I hope this helps and good luck... Matt</P><P></P></BODY></HTML> Sun, 19 Jul 2009 15:38:18 GMT https://community.cisco.com/t5/network-security/pinging-dmz-server-from-outside-without-applying-access-list-to/m-p/1259746#M858577 mattmatin007 2009-07-19T15:38:18Z