ASA 5510 DMZ and Inside cannot talk to one another

Adam Hudson
Level 1
Level 1

I have several machines out in my DMZ and cannot get a ping going between them and anything on the inside of my network. I've even tried setting my access list attached to my DMZ to ip any any with no luck. Attached is my (sanitized) config. Any help is appreciated, everything looks good to me, but obviously something is wrong.

Thanks in advance.

22 Replies

But I need the flexibility of letting certain ports and ip addresses in and out of the DMZ, how do I do that now?

I must be doing something wrong then. I put in the following commands trying to block pings from coming "in" to the DMZ interface:

access-list dmz_access_in extended deny icmp any any

access-group dmz_access_in in interface dmz

Pings and packet tracer simulation are still successful. What am I missing?

"access-list dmz_access_in extended deny icmp any any

access-group dmz_access_in in interface dmz"

The above lines will work: if you ping from a DMZ host, it will deny the traffic, meaning traffic that enters the dmz interface from the DMZ zone.

If you want to control what can access from the inside interface, you would do the same on the inside interface.

hope that answers your questions.

thanks

"But if that's right, how do I control what comes and goes from the dmz interface?"

A more secure interface such as "inside" should be able to access the DMZ without any problem with the static that I showed you.

You can still add an ACL on the DMZ interface as shown below.

"But I need the flexibility of letting certain ports and ip addresses in and out of the DMZ, how do I do that now?"

access-list dmz_incoming extended deny ip host 173.17.1.111 host 11.255.1.250

access-group dmz_incoming in interface dmz

Hope that helps.

thanks

Rizwan Rafeek

Message was edited by: Rizwan Mohamed

For some reason my later post is posting higher than yours on my machine. Please see my comment, which appears to me as the post above yours.

I see your response in my email, but it isn't posting on the actual forums right now:

"access-list dmz_access_in extended deny icmp any any

access-group dmz_access_in in interface dmz"

The above lines will work: if you ping from a DMZ host, it will deny the traffic, meaning traffic that enters the dmz interface from the DMZ zone.

If you want to control what can access from the inside interface, you would do the same on the inside interface.

hope that answers your questions."

So that means the packet tracer results I saw were false, that ACL does dictate what goes "in" to the DMZ interface?

"So that means the packet tracer results I saw were false, that ACL does dictate what goes "in" to the DMZ interface?"

Answer is no, because you had a permit line.

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group dmz_access_in in interface dmz

access-list dmz_access_in extended permit ip any any

Additional Information:

Indeed I did. I pulled the dmz_access_in ACL, just put the icmp deny line in, and the packet tracer failed, excellent!

Thank you much.
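The packet-tracer outcome in this thread comes down to ASA first-match ordering: the existing "permit ip any any" line matched the ping before the later "deny icmp any any" ever got a chance. The following added example (not from the thread or from Cisco) is a small Python model of that evaluation for ASA-style extended ACEs; it handles only the "any"/"host" endpoint forms seen in these posts, and the two configs and addresses are constructed from them.

```python
# Added example: first-match evaluator for ASA-style extended ACL lines.
# Models only what the thread discusses (protocol, 'any'/'host' endpoints,
# implicit deny at the end); it is not Cisco code and is not full ASA syntax.
import re
from dataclasses import dataclass

ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)$"
)

@dataclass
class Ace:
    action: str
    proto: str
    src: str   # "any" or a host address
    dst: str   # "any" or a host address

def parse_acl(lines, name):
    """Return the ACEs of access-list `name` in configured order."""
    aces = []
    for line in lines:
        m = ACE_RE.match(line.strip())
        if m and m.group("name") == name:
            src = m.group("src").split()[-1]   # "host X" -> "X", "any" -> "any"
            dst = m.group("dst").split()[-1]
            aces.append(Ace(m.group("action"), m.group("proto"), src, dst))
    return aces

def _match(field, value):
    return field == "any" or field == value

def evaluate(aces, proto, src, dst):
    """First matching ACE decides; no match falls through to the implicit deny."""
    for ace in aces:
        if ace.proto not in ("ip", proto):   # 'ip' covers every protocol
            continue
        if _match(ace.src, src) and _match(ace.dst, dst):
            return ace.action
    return "deny"  # implicit deny at the end of every ASA ACL

# Constructed configs reproducing the two situations in the thread.
ACL_WITH_PERMIT = [
    "access-list dmz_access_in extended permit ip any any",
    "access-list dmz_access_in extended deny icmp any any",
]
ACL_DENY_ONLY = ["access-list dmz_access_in extended deny icmp any any"]

def ping_result(config):
    """Result for an ICMP packet entering the dmz interface under `config`."""
    aces = parse_acl(config, "dmz_access_in")
    return evaluate(aces, "icmp", "173.17.1.111", "11.255.1.250")
```

With the permit line still present the ping is allowed, matching the ALLOW shown by packet-tracer; with only the deny line it is denied, and non-ICMP traffic is dropped by the implicit deny.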
