Access-List for within-DMZ communication

s-santhosh
Level 1

Hello, I tried to depict my problem in the diagram below.

DMZ.jpg

I'm trying to allow communication between VLANs 333 and 444.

The VLAN 333 and 444 gateways are configured on the firewall using virtual interfaces.

I applied an access-list at the IP level from the source VLAN 333 host to the VLAN 444 host in an access-group on the G0/2.333 interface.

I could not ping the VLAN 444 host.

I also configured same-security-traffic permit inter-interface, but no luck.

What am I missing here?

Thanks in advance!

5 Replies

"same-security-traffic permit inter-interface" is only needed if both interfaces have the same security-level. But have you enabled ICMP inspection?

policy-map global_policy
  class inspection_default
    inspect icmp

And your switch shouldn't have an IP in VLAN 444 if that traffic has to be processed by the firewall.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thanks Karsten,

The switch IP address is in use for SSH. This is not the correct way of doing it, but somehow it is already in place.

I will try enabling ICMP inspection; I have not tried it yet.

Thanks Karsten,

Inspect ICMP worked.

lcambron
Level 3

If inspect icmp doesn't fix it, try running packet-tracer and taking captures:

packet-tracer input interface_name icmp source_IP 8 0 destination_IP

capture test interface interface_name match icmp host source_IP host destination_IP

show capture test

Let us know how it goes.

Felipe.
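Karsten's reply covers the configuration side (same-security traffic, ICMP inspection, no competing SVI on the switch) and Felipe's reply covers verification (packet-tracer and captures). The following puts both together as a worked example added by the editor; it is not configuration posted by either of them or by the original poster. Only G0/2.333 appears in the thread: the second subinterface G0/2.444, the interface names dmz333 and dmz444, the addresses 10.33.3.0/24 and 10.44.4.0/24 with a host at .10 on each side, the equal security level of 50, the ACL name DMZ333_IN and the capture names are all assumptions.

```cisco
! Added example (not from the thread). Interface names, addresses,
! security levels, ACL and capture names are assumptions.
!
! One subinterface per DMZ VLAN on the trunk port G0/2.
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/2.333
 vlan 333
 nameif dmz333
 security-level 50
 ip address 10.33.3.1 255.255.255.0
!
interface GigabitEthernet0/2.444
 vlan 444
 nameif dmz444
 security-level 50
 ip address 10.44.4.1 255.255.255.0
!
! Both DMZ interfaces share security-level 50, so traffic between them
! is dropped until same-security inter-interface traffic is permitted.
same-security-traffic permit inter-interface
!
! Inbound ACL on dmz333. Binding an ACL replaces the interface's default
! behaviour with "permit what is listed, deny the rest", so the single
! host-to-host echo flow is the only thing allowed in. The explicit deny
! with "log" makes any other dropped packet visible in syslog.
access-list DMZ333_IN extended permit icmp host 10.33.3.10 host 10.44.4.10 echo
access-list DMZ333_IN extended deny ip any any log
access-group DMZ333_IN in interface dmz333
!
! ICMP inspection tracks the echo as a session, so the echo-reply from
! 10.44.4.10 is matched to it and returned without an ACL entry on dmz444.
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
!
! Exec-mode verification (typed at the privileged prompt, not in config).
! packet-tracer simulates one echo (type 8, code 0) entering dmz333 and
! names the phase (ACL, NAT, inspection, routing) that drops it; it only
! traces the forward direction, so the captures on both interfaces show
! whether the echo leaves via dmz444 and whether the reply comes back.
packet-tracer input dmz333 icmp 10.33.3.10 8 0 10.44.4.10 detailed
capture cap333 interface dmz333 match icmp host 10.33.3.10 host 10.44.4.10
capture cap444 interface dmz444 match icmp host 10.33.3.10 host 10.44.4.10
show capture cap333
show capture cap444
no capture cap333
no capture cap444
```

Two checks worth doing alongside this: if the capture on dmz333 shows the echo but the dmz444 capture shows nothing, the drop is on the firewall and the packet-tracer phase output points at the ACL or policy responsible; if the echo appears on dmz444 but no reply returns, look at the target host and at whether the switch still has an address in VLAN 444 that the host is using as its gateway, as Karsten's reply warns. Remove the captures when done, since they stay active and consume memory until deleted.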

Thanks lcambron for your reply.

Based on the packet tracer, I have re-created the ACL and it is now working.
