https://community.cisco.com/t5/network-security/communication-between-two-dmz-segments/m-p/818969#M969838 <P>Hi friends,</P><P></P><P>I have a firewall with inside, outside + 2 DMZ's.</P><P></P><P>I am able to talk to the DMZ's from inside and outside interfaces but inter-MZ communication or communication between two DMZ's is not working.</P><P></P><P>I have all the static translations and routing in place but still it doesn't work. </P><P></P><P>I have also enabled same security traffic permit inter-interface and intra-interface. Is there any inherent limitation in ASA 5540 for this?</P><P></P><P>Thanks a lot</P><P>Gautam</P><P></P><P></P> Mon, 11 Mar 2019 11:08:22 GMT gautamzone 2019-03-11T11:08:22Z https://community.cisco.com/t5/network-security/communication-between-two-dmz-segments/m-p/818969#M969838 <P>Hi friends,</P><P></P><P>I have a firewall with inside, outside + 2 DMZ's.</P><P></P><P>I am able to talk to the DMZ's from inside and outside interfaces but inter-MZ communication or communication between two DMZ's is not working.</P><P></P><P>I have all the static translations and routing in place but still it doesn't work. </P><P></P><P>I have also enabled same security traffic permit inter-interface and intra-interface. Is there any inherent limitation in ASA 5540 for this?</P><P></P><P>Thanks a lot</P><P>Gautam</P><P></P><P></P> Mon, 11 Mar 2019 11:08:22 GMT https://community.cisco.com/t5/network-security/communication-between-two-dmz-segments/m-p/818969#M969838 gautamzone 2019-03-11T11:08:22Z https://community.cisco.com/t5/network-security/communication-between-two-dmz-segments/m-p/818970#M969839 <HTML><HEAD></HEAD><BODY><P>Just wanted to add that Syslog reports the following message for communication between two DMZ's:</P><P></P><P>%ASA-6-110001: No route to 10.0.3.10 from 10.1.20.2</P><P></P><P>Thanks a lot</P><P></P></BODY></HTML> Fri, 07 Sep 2007 21:21:00 GMT https://community.cisco.com/t5/network-security/communication-between-two-dmz-segments/m-p/818970#M969839 gautamzone 2007-09-07T21:21:00Z https://community.cisco.com/t5/network-security/communication-between-two-dmz-segments/m-p/818971#M969840 <HTML><HEAD></HEAD><BODY><P>Could you please post the relevant parts of the config?</P></BODY></HTML> Fri, 07 Sep 2007 21:38:58 GMT https://community.cisco.com/t5/network-security/communication-between-two-dmz-segments/m-p/818971#M969840 acomiskey 2007-09-07T21:38:58Z https://community.cisco.com/t5/network-security/communication-between-two-dmz-segments/m-p/818972#M969841 <HTML><HEAD></HEAD><BODY><P>Sure, the configs are as follows:</P><P></P><P>no nat-control</P><P>interface GigabitEthernet1/0</P><P> nameif SA</P><P> security-level 30</P><P> ip address 10.0.3.1 255.255.255.0</P><P></P><P>interface GigabitEthernet1/2</P><P> nameif WAN</P><P> security-level 100</P><P> ip address 10.0.4.1 255.255.255.0</P><P></P><P>static (WAN,SA) 10.1.20.0 10.1.20.0 netmask 255.255.255.0</P><P></P><P>access-list SA extended permit ip any any</P><P>access-list WAN extended permit ip any any</P><P>access-list WAN extended permit icmp any any</P><P></P><P>access-group SA in interface SA</P><P>access-group WAN in interface WAN</P><P></P><P>Output of show route WAN on ASA</P><P>--------------------------------</P><P>O IA 10.1.20.0 255.255.255.0 [110/11123] via 10.0.4.3, 0:47:31, WAN</P><P></P><P>Output of show route SA on ASA</P><P>-------------------------------</P><P>C 10.0.3.0 255.255.255.0 is directly connected, SA</P><P></P><P>Output of show run router</P><P>-------------------------</P><P></P><P>router ospf 100</P><P> network 10.0.3.0 255.255.255.0 area 20</P><P> network 10.0.4.0 255.255.255.0 area 20</P><P> network 10.0.5.0 255.255.255.0 area 20</P><P> </P><P>The routers 10.0.4.3 and 10.1.20.1 have OSPF advertised routes for 10.0.3.0.</P><P></P><P>Note: An interesting thing is that when i turn on capture for packets from 10.1.20.2 towards 10.0.3.10, i am seeing echo requests being sent thru but no echo replies from 10.0.3.10!!!. Also, if i ping the other way (10.0.3.10--&gt;10.1.20.2), i am seeing echo requests being sent and echo replies being received too but firewall seems to drop them!!!</P><P></P><P></P></BODY></HTML> Fri, 07 Sep 2007 22:21:21 GMT https://community.cisco.com/t5/network-security/communication-between-two-dmz-segments/m-p/818972#M969841 gautamzone 2007-09-07T22:21:21Z https://community.cisco.com/t5/network-security/communication-between-two-dmz-segments/m-p/818973#M969842 <HTML><HEAD></HEAD><BODY><P>Do you use "nat-control" or "no nat-control"?</P></BODY></HTML> Sat, 08 Sep 2007 07:18:55 GMT https://community.cisco.com/t5/network-security/communication-between-two-dmz-segments/m-p/818973#M969842 a.alekseev 2007-09-08T07:18:55Z https://community.cisco.com/t5/network-security/communication-between-two-dmz-segments/m-p/818974#M969843 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I use no nat-control now.</P><P></P><P>Thanks </P></BODY></HTML> Sat, 08 Sep 2007 18:34:26 GMT https://community.cisco.com/t5/network-security/communication-between-two-dmz-segments/m-p/818974#M969843 gautamzone 2007-09-08T18:34:26Z https://community.cisco.com/t5/network-security/communication-between-two-dmz-segments/m-p/818975#M969844 <HTML><HEAD></HEAD><BODY><P>So you needn't have static.</P><P>But another static entry in you config can break communication between two interfaces with the same security level. </P></BODY></HTML> Sun, 09 Sep 2007 11:29:19 GMT https://community.cisco.com/t5/network-security/communication-between-two-dmz-segments/m-p/818975#M969844 a.alekseev 2007-09-09T11:29:19Z