Beginner

Can't ping DMZ interface?

I just want to make it clear:

Can I ping an ASA interface that is not in the same zone? For example, I'm in the inside zone; I can ping the ASA inside interface, but can I ping other ASA interfaces (outside, DMZ, etc.)?

Just a newbie.

Rising star

Can't ping DMZ interface?

You cannot ping the other interface IPs of the firewall. That is restricted by design.

Rising star

Can't ping DMZ interface?

You cannot ping the distant interfaces of the firewall from other zones, because the DMZ interface is not considered a host in the network; it is a firewall interface that offers service for the DMZ zone.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic0

Cisco Employee

Can't ping DMZ interface?

No, you can't.

It is by design that you can't ping across interfaces, i.e. from an inside host you can only ping the inside interface, and you can't ping the DMZ interface.

However, if you VPN in, you can ping one cross interface when you have the "management-access" command configured.

Beginner

Re: Can't ping DMZ interface?

No, you can't ping the other interface.

But if you are connected via VPN, in that case, by using management access on your firewall, you can ping the interface.

Cisco Employee

Re: Can't ping DMZ interface?

Hi,

Adding to what Gaurav said, you can use the "management-access dmz" command to manage the DMZ interface via VPN. Using this command, you will be able to ping.

You can use this command only for 1 interface.

Regards,

Dinkar
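As an added illustration (not configuration taken from this thread), the ASA statements the replies above describe: one management-access interface plus an explicit ICMP rule for it. The interface name dmz and the VPN client pool 10.100.0.0/24 are assumed values.

```cisco
! Make the DMZ interface reachable for management traffic arriving over a VPN tunnel.
! The ASA accepts this for a single interface only, as noted in the replies above.
management-access dmz

! Restrict what may ping that interface address: only echo requests from the
! assumed VPN client pool are answered; everything else to the interface is dropped.
icmp permit 10.100.0.0 255.255.255.0 echo dmz
icmp deny any dmz
```

Without the management-access line, a VPN client still cannot reach the DMZ interface address even if the ICMP rule permits it.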

Beginner

Re: Can't ping DMZ interface?

And then my question comes to this: in my understanding, in WCCP the router ID is the highest IP address of an interface. If the WCCP server is in a different zone from the router ID, then WCCP must have a route to that interface. What is the meaning of "have route"? For sure we cannot ping that highest IP if it is in a different zone.

Thx

Cisco Employee

Re: Can't ping DMZ interface?

Hi Ibrahim,

Yes, the router ID of the ASA will be its highest IP address, but if you take a close look at the debugs and the packets that the ASA sends when it sees the WCCP server ("Here I am", "I see you"), the IP address that the ASA uses to send the "I see you" message is the IP address of the interface closest to the WCCP server. The highest IP address is only used to establish the GRE tunnel and perform the traffic redirection.

Luis

Luis Silva
Beginner

Re: Can't ping DMZ interface?

One question: which IP should I give for NAT / public IP?

Re: Can't ping DMZ interface?

Hello Ibrahim,

No need for NAT, as WCCP will work just for users behind the same ASA interface, so there is no need to use NAT as the traffic will not go to a different zone or through the ASA.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC