Cisco ASA 9.1 DMZ host can ping specific inside server but inside server cannot ping the DMZ host

drlbaluyut (Level 1)

Hi

Help please. The DMZ host can ping the inside server, but the inside server cannot ping the DMZ host.

Could this be a firewall issue or a routing issue?

DMZ host 172.29.29.2 255.255.255.0

Inside server 10.193.1.6 255.255.0.0

After I added the line below, the DMZ host can ping 10.193.1.6, but not vice versa.

ip access-list extended SMMPH_ACL
 deny   ip host 10.193.1.6 172.29.29.0 0.0.0.255

------------------------------------

Running config of the layer 3 switch:

SMMNLCS001#sh run
Building configuration...

Current configuration : 19320 bytes
!
! Last configuration change at 12:16:10 PST Thu Feb 11 2016 by danb
! NVRAM config last updated at 20:52:16 PST Sat May 21 2011 by danb
!
version 15.0
no service pad
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
no service password-encryption
!
hostname SMMNLCS001
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 7.jZ4Dex7mHRhj/CulqZZbF6pyUlk6mDe08.brH568Y
!
username trends privilege 15 secret 4 .cKm1oYIOn2SBy78jTl2qhWyXNWIGDQWODGDZNpxOpE
username sumitomoph privilege 15 secret 4 A5GQfPGE/7y3mkzO33UWd/J.LiN2Zs3YuLghBtsPF7g
username ryant privilege 15 secret 4 GY6.GikMCy.B0u9wqcZ/SmhMbY/9gAluniDOyIiuAzo
username danb privilege 15 secret 4 oEYGAEA45KcUlPEbW1d3tGg32upBNIQuqAtdB2qyk9.
no aaa new-model
clock timezone PST 8 0
system mtu routing 1500
ip routing
!
!
!
no ip domain-lookup
vtp mode transparent
!
!
crypto pki trustpoint TP-self-signed-1701104512
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1701104512
 revocation-check none
 rsakeypair TP-self-signed-1701104512
!
!
crypto pki certificate chain TP-self-signed-1701104512
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31373031 31303435 3132301E 170D3131 30333330 30313239
  32395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 37303131
  30343531 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  81008E7B B1C88A43 D346C6F0 B415D6D0 39FA6E43 97B62494 4EA501CC CF14AD6B
  16803A29 D10DAE4E C595786C B3BBB3A2 C6050A02 BDD413F9 0B7A3745 BD875088
  159A7CC9 FAEAE347 5F9BE4E5 932D23E8 08FF7C27 418CF04A E1847BDE 00652789
  793284D4 413473EF 1CCDA7DE 7027DA21 B9B02C58 37A8DB47 D2A0A1D7 A4BFD2D4
  DBDF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14B9262F E47A74C7 AE0CA0B1 52B85F8D 10E5F7CB 9B301D06
  03551D0E 04160414 B9262FE4 7A74C7AE 0CA0B152 B85F8D10 E5F7CB9B 300D0609
  2A864886 F70D0101 05050003 8181005A 1809B13E DA1E0034 5789218B 29387654
  D4AD144E 4CACA917 11C13BA6 EC9A69D0 71C84FF6 3AD92E2F D248C870 55B10986
  32CD8C4A AEB85750 1D9DEC03 6E8EAB29 F9403E9B 58840DD7 811159D5 97330B5C
  2A16A073 F6876A61 77241AFA 455A45BF 792637B6 A1DC8ADC 035A621B A51651CB
  50DC4FE5 2122AEF4 89C49FFB 97776F
        quit
archive
 log config
  logging enable
  logging size 1000
  notify syslog contenttype plaintext
  hidekeys
 path flash:archive-config
 write-memory
 time-period 1440
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 158 priority 0
!
!
!
!
!
!
!
!
!
vlan internal allocation policy ascending
!
vlan 29,158,160-161,172,190,193,203
!
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
 description *** Link to SMMKTHB001 Gi0/1, Gi0/2 ***
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0
 no ip address
 no ip route-cache
!
interface GigabitEthernet0/1
 description *** Link to SMMKTHB001 Gi0/1 ***
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode desirable
!
interface GigabitEthernet0/2
 description *** Link to SMMKTHB001 Gi0/2 ***
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode desirable
!
interface GigabitEthernet0/3
 switchport access vlan 160
 switchport mode access
!
interface GigabitEthernet0/4
 switchport access vlan 160
 switchport mode access
!
interface GigabitEthernet0/5
 switchport access vlan 160
 switchport mode access
!
interface GigabitEthernet0/6
 switchport access vlan 160
 switchport mode access
!
interface GigabitEthernet0/7
 switchport access vlan 160
 switchport mode access
!
interface GigabitEthernet0/8
 switchport access vlan 160
 switchport mode access
!
interface GigabitEthernet0/9
 switchport access vlan 29
 switchport mode access
!
interface GigabitEthernet0/10
 switchport access vlan 161
 switchport mode access
!
interface GigabitEthernet0/11
 switchport access vlan 29
 switchport mode access
!
interface GigabitEthernet0/12
 description ## connection to SMMNLWC251 WLC ##
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 193
 switchport mode trunk
!
interface GigabitEthernet0/13
 description <<<to SMMPH Server Farm L2SW>>
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/14
 description <<<to SMMPH Server Farm L2SW>>
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/15
 switchport access vlan 193
 switchport mode access
!
interface GigabitEthernet0/16
 switchport access vlan 172
 switchport mode access
 ip access-group 172 in
!
interface GigabitEthernet0/17
 switchport access vlan 203
 switchport mode access
!
interface GigabitEthernet0/18
 description ## connection to 24th floor switch ##
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 158,161,193
 switchport mode trunk
!
interface GigabitEthernet0/19
 description ## connection to SMMNLHB002 25F switch ##
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 158,161,193
 switchport mode trunk
!
interface GigabitEthernet0/20
 description ## connection to SMMNLHB001 25F switch ##
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 158,161,193
 switchport mode trunk
!
interface GigabitEthernet0/21
 switchport access vlan 158
 switchport trunk encapsulation dot1q
 switchport mode access
!
interface GigabitEthernet0/22
 switchport access vlan 158
 switchport mode access
!
interface GigabitEthernet0/23
 switchport access vlan 158
 switchport mode access
!
interface GigabitEthernet0/24
 switchport access vlan 158
 switchport mode access
 speed 100
 duplex full
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
!
interface TenGigabitEthernet1/1
!
interface TenGigabitEthernet1/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan158
 description CBNC_VLAN
 ip address 10.158.254.250 255.255.0.0 secondary
 ip address 10.158.255.250 255.255.0.0
 standby 1 ip 10.158.1.1
 standby 1 ip 10.158.2.100 secondary
 standby 1 priority 105
 standby 1 preempt
 ip policy route-map CBNC_RMAP
!
interface Vlan160
 description RTR
 ip address 10.160.255.250 255.255.0.0
 standby 2 ip 10.160.255.254
 standby 2 preempt
!
interface Vlan161
 description THPAL_VLAN
 ip address 10.161.255.250 255.255.0.0
 standby 3 ip 10.161.1.1
 standby 3 preempt
 ip policy route-map THPAL_RMAP
!
interface Vlan172
 description <<DMZ-2 Segment>>
 ip address 172.22.255.250 255.255.0.0
 standby 4 ip 172.22.255.254
 standby 4 preempt
!
interface Vlan190
 ip address 10.190.255.250 255.255.0.0
 standby 5 ip 10.190.255.254
 standby 5 preempt
!
interface Vlan193
 ip address 10.193.255.250 255.255.0.0
 standby 6 ip 10.193.255.254
 standby 6 preempt
 ip policy route-map SMMPH_RMAP
!
interface Vlan203
 description <<<SMMPH Backup Server NW>>>
 ip address 10.203.255.250 255.255.0.0
 ip access-group 103 out
 standby 7 ip 10.203.255.254
 standby 7 preempt
!
!
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.158.2.6
ip route 10.20.1.0 255.255.255.0 10.160.1.1
ip route 10.30.1.0 255.255.255.0 10.160.1.1
ip route 10.40.1.0 255.255.255.0 10.160.1.1
ip route 10.50.1.0 255.255.255.0 10.160.1.1
ip route 10.60.1.0 255.255.255.0 10.160.1.1
ip route 10.70.1.0 255.255.255.0 10.160.1.1
ip route 10.80.1.0 255.255.255.0 10.160.1.1
ip route 10.90.1.0 255.255.255.0 10.160.1.1
ip route 10.159.0.0 255.255.0.0 10.160.1.1
ip route 10.171.0.0 255.255.0.0 10.160.1.5
ip route 10.172.0.0 255.255.0.0 10.160.1.5
ip route 10.172.12.111 255.255.255.255 10.160.1.1
ip route 10.173.0.0 255.255.0.0 10.160.1.5
ip route 10.174.0.0 255.255.0.0 10.160.1.5
ip route 10.175.0.0 255.255.0.0 10.160.1.5
ip route 10.176.0.0 255.255.0.0 10.160.1.5
ip route 10.177.0.0 255.255.0.0 10.160.1.5
ip route 10.178.0.0 255.255.0.0 10.160.1.1
ip route 10.179.0.0 255.255.0.0 10.160.1.5
ip route 10.180.0.0 255.255.0.0 10.160.1.5
ip route 10.210.0.0 255.255.0.0 10.160.1.5
ip route 116.50.215.136 255.255.255.248 10.160.1.3
ip route 122.216.84.178 255.255.255.255 10.160.1.3
ip route 172.16.0.0 255.255.0.0 10.160.1.3
ip route 172.21.0.0 255.255.0.0 172.22.1.1
ip route 172.23.0.0 255.255.0.0 172.22.1.1
ip route 172.30.0.0 255.255.0.0 10.158.2.6
ip route 192.168.1.0 255.255.255.0 10.160.1.3
ip route 192.168.10.0 255.255.255.252 10.160.1.1
!
ip access-list extended CBNC_ACL
 deny   ip 10.159.0.0 0.0.255.255 172.30.0.0 0.0.255.255
 deny   ip 10.158.0.0 0.0.255.255 10.158.0.0 0.0.255.255
 deny   ip 10.158.0.0 0.0.255.255 10.159.0.0 0.0.255.255
 deny   ip 10.158.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 deny   ip 10.158.0.0 0.0.255.255 10.210.0.0 0.0.255.255
 deny   ip 10.158.0.0 0.0.255.255 host 10.161.1.32
 deny   ip 10.158.0.0 0.0.255.255 10.193.0.0 0.0.255.255
 deny   ip 10.158.3.0 0.0.0.255 host 10.193.1.61
 deny   ip 10.30.1.0 0.0.0.255 host 10.193.1.1
 deny   ip 10.30.1.0 0.0.0.255 host 10.193.1.6
 deny   ip 10.30.1.0 0.0.0.255 host 10.193.1.61
 deny   ip 10.30.1.0 0.0.0.255 host 10.193.1.62
 deny   ip 10.30.1.0 0.0.0.255 host 10.193.1.21
 deny   ip 10.30.1.0 0.0.0.255 host 10.193.1.26
 deny   ip 10.40.1.0 0.0.0.255 host 10.193.1.1
 deny   ip 10.40.1.0 0.0.0.255 host 10.193.1.6
 deny   ip 10.158.10.0 0.0.0.255 host 10.193.1.21
 deny   ip 10.40.1.0 0.0.0.255 host 10.193.1.61
 deny   ip 10.40.1.0 0.0.0.255 host 10.193.1.62
 deny   ip 10.40.1.0 0.0.0.255 host 10.193.1.21
 deny   ip 10.40.1.0 0.0.0.255 host 10.193.1.26
 deny   ip 10.50.1.0 0.0.0.255 host 10.193.1.1
 deny   ip 10.50.1.0 0.0.0.255 host 10.193.1.6
 deny   ip 10.50.1.0 0.0.0.255 host 10.193.1.61
 deny   ip 10.50.1.0 0.0.0.255 host 10.193.1.62
 deny   ip 10.60.1.0 0.0.0.255 host 10.193.1.1
 deny   ip 10.60.1.0 0.0.0.255 host 10.193.1.6
 deny   ip 10.60.1.0 0.0.0.255 host 10.193.1.21
 deny   ip 10.60.1.0 0.0.0.255 host 10.193.1.26
 deny   ip 10.60.1.0 0.0.0.255 host 10.193.1.61
 deny   ip 10.50.1.0 0.0.0.255 host 10.193.1.21
 deny   ip 10.60.1.0 0.0.0.255 host 10.193.1.62
 deny   ip host 10.158.2.50 host 10.193.1.65
 deny   ip 10.50.1.0 0.0.0.255 host 10.193.1.26
 deny   ip host 10.158.2.31 10.193.1.0 0.0.0.255
 deny   ip host 10.158.2.50 10.161.2.0 0.0.0.255
 deny   ip host 10.158.2.50 host 10.193.1.1
 deny   ip host 10.158.2.50 host 10.193.1.6
 deny   ip host 10.158.2.11 host 10.193.1.1
 deny   ip host 10.158.2.12 host 10.193.1.1
 deny   ip 10.159.1.0 0.0.0.255 10.193.1.0 0.0.0.255
 deny   ip 10.159.1.0 0.0.0.255 10.161.2.0 0.0.0.255
 deny   ip 10.159.1.0 0.0.0.255 172.21.0.0 0.0.255.255
 deny   ip 10.159.1.0 0.0.0.255 172.22.0.0 0.0.255.255
 deny   ip 10.159.1.0 0.0.0.255 172.23.0.0 0.0.255.255
 deny   ip 10.158.20.0 0.0.0.255 host 10.193.1.40
 deny   ip 10.158.20.0 0.0.0.255 host 10.193.1.103
 deny   ip 10.158.20.0 0.0.0.255 host 10.193.1.21
 deny   ip 10.158.20.0 0.0.0.255 host 10.193.1.26
 deny   ip 10.158.20.0 0.0.0.255 host 10.193.1.1
 deny   ip host 10.158.2.150 host 10.193.1.11
 deny   ip 10.50.0.0 0.0.255.255 10.161.3.0 0.0.0.1
 permit ip 10.20.1.0 0.0.0.255 any
 permit ip 10.30.1.0 0.0.0.255 any
 permit ip 10.40.1.0 0.0.0.255 any
 permit ip 10.50.1.0 0.0.0.255 any
 permit ip 10.60.1.0 0.0.0.255 any
 permit ip 10.70.1.0 0.0.0.255 any
 permit ip 10.80.1.0 0.0.0.255 any
 permit ip 10.90.1.0 0.0.0.255 any
 permit ip 10.158.0.0 0.0.255.255 any
 permit ip 10.159.0.0 0.0.255.255 any
 permit ip 192.168.10.0 0.0.0.3 any
ip access-list extended SMMPH_ACL
 deny   ip host 10.193.1.6 172.29.29.0 0.0.0.255
 deny   ip 10.193.0.0 0.0.255.255 172.30.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.160.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 172.21.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 172.22.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 172.23.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.158.0.0 0.0.255.255
 deny   ip host 10.193.1.1 10.30.1.0 0.0.0.255
 deny   ip host 10.193.1.6 10.30.1.0 0.0.0.255
 deny   ip host 10.193.1.61 10.30.1.0 0.0.0.255
 deny   ip host 10.193.1.62 10.30.1.0 0.0.0.255
 deny   ip host 10.193.1.21 10.30.1.0 0.0.0.255
 deny   ip host 10.193.1.26 10.30.1.0 0.0.0.255
 deny   ip host 10.193.1.1 10.40.1.0 0.0.0.255
 deny   ip host 10.193.1.6 10.40.1.0 0.0.0.255
 deny   ip host 10.193.1.61 10.40.1.0 0.0.0.255
 deny   ip host 10.193.1.11 host 10.158.3.2
 deny   ip host 10.193.1.11 host 10.158.3.3
 deny   ip host 10.193.1.62 10.40.1.0 0.0.0.255
 deny   ip host 10.193.1.21 10.40.1.0 0.0.0.255
 deny   ip host 10.193.1.26 10.40.1.0 0.0.0.255
 deny   ip 10.193.1.0 0.0.0.255 host 10.158.2.31
 deny   ip host 10.193.1.40 10.158.20.0 0.0.0.255
 deny   ip host 10.193.1.103 10.158.20.0 0.0.0.255
 deny   ip host 10.193.1.21 10.158.20.0 0.0.0.255
 deny   ip host 10.193.1.26 10.158.20.0 0.0.0.255
 deny   ip host 10.193.1.1 10.158.20.0 0.0.0.255
 deny   ip host 10.193.1.1 10.50.1.0 0.0.0.255
 deny   ip host 10.193.1.6 10.50.1.0 0.0.0.255
 deny   ip host 10.193.1.61 10.50.1.0 0.0.0.255
 deny   ip host 10.193.1.62 10.50.1.0 0.0.0.255
 deny   ip host 10.193.1.1 10.60.1.0 0.0.0.255
 deny   ip host 10.193.1.6 10.60.1.0 0.0.0.255
 deny   ip host 10.193.1.21 10.60.1.0 0.0.0.255
 deny   ip host 10.193.1.26 10.60.1.0 0.0.0.255
 deny   ip host 10.193.1.61 10.60.1.0 0.0.0.255
 deny   ip host 10.193.1.21 10.50.1.0 0.0.0.255
 deny   ip host 10.193.1.62 10.60.1.0 0.0.0.255
 deny   ip host 10.193.1.26 10.50.1.0 0.0.0.255
 deny   ip host 10.193.1.1 host 10.158.2.50
 deny   ip host 10.193.1.6 host 10.158.2.50
 deny   ip host 10.193.1.65 host 10.158.2.50
 deny   ip host 10.193.1.1 host 10.158.2.11
 deny   ip host 10.193.1.1 host 10.158.2.12
 deny   ip 10.193.1.0 0.0.0.255 10.159.1.0 0.0.0.255
 deny   ip host 10.193.1.61 10.158.3.0 0.0.0.255
 deny   ip host 10.193.1.11 host 10.158.2.150
 deny   ip 10.193.0.0 0.0.255.255 10.193.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.161.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.171.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.172.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.173.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.174.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.175.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.176.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.177.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.178.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.179.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.180.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.210.0.0 0.0.255.255
 permit ip 10.193.0.0 0.0.255.255 any
ip access-list extended THPAL_ACL
 deny   ip 10.161.0.0 0.0.255.255 10.160.0.0 0.0.255.255
 deny   ip 10.161.2.0 0.0.0.255 host 10.158.3.2
 deny   ip 10.161.2.0 0.0.0.255 host 10.158.3.3
 deny   ip 10.161.2.0 0.0.0.255 host 10.158.2.103
 deny   ip host 10.161.1.22 host 10.158.2.103
 deny   ip 10.161.2.0 0.0.0.255 host 10.158.2.31
 deny   ip host 10.161.1.32 10.158.10.0 0.0.0.255
 deny   ip 10.161.2.0 0.0.0.255 host 10.158.2.50
 deny   ip 10.161.0.0 0.0.255.255 10.161.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 10.171.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 10.172.0.0 0.0.255.255
 deny   ip 10.50.0.0 0.0.255.255 10.161.3.0 0.0.0.1
 deny   ip 10.161.0.0 0.0.255.255 10.173.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 10.174.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 10.175.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 10.176.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 10.177.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 10.178.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 10.179.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 10.180.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 10.193.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 10.210.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 172.21.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 172.22.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 172.23.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 192.168.1.0 0.0.0.255
 deny   ip host 10.161.2.101 10.158.2.0 0.0.0.255
 deny   ip 10.161.2.0 0.0.0.255 10.159.1.0 0.0.0.255
 deny   ip host 10.161.2.102 10.158.2.0 0.0.0.255
 deny   ip host 10.161.2.101 10.158.255.0 0.0.0.255
 deny   ip host 10.161.2.102 10.158.255.0 0.0.0.255
 deny   ip host 10.161.2.98 10.158.2.0 0.0.0.255
 deny   ip host 10.161.2.96 10.158.2.0 0.0.0.255
 deny   ip host 10.161.2.99 10.158.2.0 0.0.0.255
 deny   ip host 10.161.2.97 10.158.2.0 0.0.0.255
 deny   ip host 10.161.2.189 192.168.10.0 0.0.0.3
 deny   ip host 10.161.2.173 host 10.158.2.33
 deny   ip host 10.161.2.174 host 10.158.2.33
 deny   ip host 10.161.2.172 host 10.158.2.33
 permit ip 10.160.0.0 0.0.255.255 any
 permit ip 10.161.0.0 0.0.255.255 any
 permit ip 10.193.0.0 0.0.255.255 any
!
logging trap notifications
logging host 10.193.1.65
access-list 10 permit 10.158.2.12
access-list 10 permit 10.158.10.100
access-list 10 permit 10.158.10.101
access-list 10 permit 10.193.1.0 0.0.0.255 log
access-list 10 permit 10.161.2.0 0.0.0.255
access-list 10 permit 10.160.0.0 0.0.255.255
access-list 103 permit ip 10.203.0.0 0.0.255.255 10.160.0.0 0.0.255.255 log
access-list 103 permit ip 10.203.0.0 0.0.255.255 203.167.81.224 0.0.0.15
access-list 172 permit ip 172.21.0.0 0.0.255.255 10.193.0.0 0.0.255.255
access-list 172 permit ip 172.22.0.0 0.0.255.255 10.193.0.0 0.0.255.255
access-list 172 permit ip 172.21.0.0 0.0.255.255 10.173.0.0 0.0.255.255
access-list 172 permit ip 172.22.0.0 0.0.255.255 10.173.0.0 0.0.255.255
access-list 172 permit ip 172.21.0.0 0.0.255.255 10.161.3.0 0.0.0.255
access-list 172 permit ip 172.22.0.0 0.0.255.255 10.161.3.0 0.0.0.255
access-list 172 permit ip 172.21.0.0 0.0.255.255 10.194.0.0 0.0.255.255
access-list 172 permit ip 172.22.0.0 0.0.255.255 10.194.0.0 0.0.255.255
access-list 172 permit ip 172.21.0.0 0.0.255.255 10.174.0.0 0.0.255.255
access-list 172 permit ip 172.22.0.0 0.0.255.255 10.174.0.0 0.0.255.255
access-list 172 permit ip 172.21.0.0 0.0.255.255 10.210.0.0 0.0.255.255
access-list 172 permit ip 172.22.0.0 0.0.255.255 10.210.0.0 0.0.255.255
access-list 172 permit ip 172.21.0.0 0.0.255.255 10.176.0.0 0.0.255.255
access-list 172 permit ip 172.22.0.0 0.0.255.255 10.176.0.0 0.0.255.255
access-list 172 permit ip 172.22.0.0 0.0.255.255 10.161.0.0 0.0.255.255
access-list 172 permit ip 172.21.0.0 0.0.255.255 10.159.0.0 0.0.255.255
access-list 172 permit ip 172.22.0.0 0.0.255.255 10.159.0.0 0.0.255.255
!
route-map THPAL_RMAP permit 10
 match ip address THPAL_ACL
 set ip next-hop 10.160.1.3
!
route-map SMMPH_RMAP permit 10
 match ip address SMMPH_ACL
 set ip next-hop 10.160.1.3
!
route-map CBNC_RMAP permit 10
 match ip address CBNC_ACL
 set ip next-hop 10.158.2.6
!
!
snmp-server community MNLSMMPHSNMP.com.ph RO
!
!
line con 0
 logging synchronous
 login local
line vty 0 4
 access-class 10 in
 logging synchronous
 login local
line vty 5 15
 access-class 10 in
 logging synchronous
 login local
!
!
monitor session 1 source vlan 160 - 161 , 172 , 190 , 193 , 203
monitor session 1 destination interface Gi0/7
end
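An added note on the deny line the poster inserted into SMMPH_ACL, with IOS commands to verify what it does. This is editorial material, not part of the thread, and it assumes the switch configuration shown above is still in place. SMMPH_ACL is the match list for route-map SMMPH_RMAP applied to Vlan193, so a deny entry in it does not drop anything: it exempts the matched packets from policy routing, and the switch then forwards them by the normal routing table, which for 172.29.29.0/24 in the config above is the default route via 10.158.2.6.

```cisco
! Added verification commands; not part of the poster's configuration.
! Assumes Vlan193 still carries "ip policy route-map SMMPH_RMAP".
!
! 1. Confirm the route-map sequence and the ACL it matches. A "deny" in a
!    route-map match ACL means "not policy-routed", never "dropped".
show route-map SMMPH_RMAP
show ip policy
!
! 2. Where normal routing sends the DMZ host now that 10.193.1.6 -> 172.29.29.0/24
!    is exempt from PBR. With the static routes above this resolves to the default
!    route via 10.158.2.6; check that this next hop is the device that should be
!    reaching the DMZ (the later posts treat the ASA as the device owning the DMZ).
show ip route 172.29.29.2
!
! 3. Watch the PBR decision while the inside server pings the DMZ host. Debug
!    output on a core switch is costly; turn it off immediately afterwards.
debug ip policy
! (run the ping from 10.193.1.6 now)
undebug all
!
! 4. Record the intent so the entry is not later read as a traffic filter.
ip access-list extended SMMPH_ACL
 remark deny entries here exempt traffic from PBR; they do not block it
```

The point that matters for security review: none of the three PBR ACLs on this switch filter anything. Filtering between the inside servers and the DMZ happens only on whatever device 10.158.2.6 is, so that is where the inside-to-DMZ and DMZ-to-inside rules must be inspected.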

Accepted Solution

I would think this is most likely a firewall issue. Being able to ping the 10.193.1.6 address from the DMZ indicates that routing is correct. Is the firewall an ASA? Are you sure that the traffic flows through the firewall? Check the access rules on the inside interface and see if there is a rule allowing ICMP traffic from 10.193.1.6 to 172.29.29.2.

--
Please remember to select a correct answer and rate helpful posts

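The check the accepted answer describes, as an added ASA 9.1 example (not the poster's configuration). The interface names inside, DMZ and outside are taken from later posts in the thread; the ACL name inside_access_in and the use of ICMP inspection are assumptions.

```cisco
! Added example; not from the thread. ACL name is an assumption.
! Permit only the echo request from the inside server to the DMZ host.
access-list inside_access_in extended permit icmp host 10.193.1.6 host 172.29.29.2 echo
access-group inside_access_in in interface inside
!
! ICMP is stateless on the ASA unless inspected. With "inspect icmp" the echo-reply
! from the DMZ is matched to the outstanding request, so no permit for echo-reply is
! needed on the DMZ interface's ACL.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Simulate the inside -> DMZ echo request (ICMP type 8, code 0) and read which
! phase (ACCESS-LIST, NAT, ROUTE-LOOKUP) drops it instead of adding rules by trial.
packet-tracer input inside icmp 10.193.1.6 8 0 172.29.29.2 detailed
!
! The direction that already works, DMZ -> inside, is the one segmentation exists to
! limit. Find the ACL bound to the DMZ interface and confirm it is not a broad permit.
show run access-group
show access-list
```

If the DMZ host can reach 10.193.1.6 today, something on the DMZ interface permits it; that entry should name the specific inside hosts and protocols the DMZ application needs rather than `permit ip any any`, since a compromised DMZ host is the usual pivot into the inside network.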

13 Replies


Hi

Thank you. That worked!

I have other issues. I have the DMZ host's private IP address translated statically to the outside IP address, which is a public IP.

But I cannot ping that outside interface public IP from the DMZ host. Is that really the case?

That is how the ASA works by design. You can only ping the ingress interface; you cannot ping an interface that is not the ingress interface.

--
Please remember to select a correct answer and rate helpful posts

Hello. Alright, our current setup is: we have RA VPN set up using the outside interface public IP. Then the DMZ host is statically translated to the outside interface public IP address, which is the same IP used for the VPN.

Right now I have a mobile device management server, but I cannot access it from outside (e.g. http://public ip address:8080/mobile).

My outside ACL is permit any to my MDM DMZ host. The service is IP.

I don't know what could be wrong.

Do you have a NAT statement for this server / mobile device?

object network public_ip
  host 1.2.3.4
object network private_ip
  host 10.10.10.10
  nat (inside,outside) static public_ip service tcp 8080 8080

--
Please remember to select a correct answer and rate helpful posts

Hi

I don't have that NAT statement.

I only have the configuration below for the DMZ-to-outside translation:

object network mdmserver
host 172.29.29.2
nat (DMZ,outside) static interface

---------------------

Question on your NAT statement:

  host 1.2.3.4 -> public IP for the MDM server?

object network private_ip

  host 10.10.10.10 -> real IP for the MDM server?

  nat (inside,outside) static public_ip service tcp 8080 8080 -> shouldn't this be nat (dmz,outside)?

Thanks in advance

Keep in mind that these are just examples and you need to tailor them to your own needs.

In my example, 1.2.3.4 is the public IP and 10.10.10.10 would be the real IP / private IP.

--
Please remember to select a correct answer and rate helpful posts

Hi

Yes, I understand.

Why is it nat (inside,outside)? Shouldn't it be nat (dmz,outside)?

Also, I cannot add this line, for example, to my config because it says that it overlaps with the outside IP address.

My outside interface IP is 122.52.52.x.

That's why I use

nat (DMZ,outside) static interface service tcp 8080 8080

Is it the right config, or do I need to use a public IP other than the outside interface's public IP?

Thanks

Why is it nat (inside,outside)? shouldn't it be nat (dmz,outside)?

I typed inside because, as mentioned, it is just an example; I don't need to scroll through to remember the exact details, and it saves me some time.

nat (DMZ,outside) static interface service tcp 8080 8080

This NAT statement should be placed under an object, so for example:

object network dmz_server
  host <private IP of server>
  nat (DMZ,outside) static interface service tcp 8080 8080

The above command should not give you an error, but if it does, I suggest trying a different NAT statement like the following:

object network dmz_server
  host <private IP of server>
object service TCP_8080
  service tcp source eq 8080
nat (DMZ,outside) source static dmz_server interface service TCP_8080 TCP_8080

--
Please remember to select a correct answer and rate helpful posts

Hi

Yes, I now have that config, but it still does not work. Is a route needed for the DMZ network to access it from outside?

Thanks

Do you have an access list entry on the outside interface for this traffic?

access-list dmz_in extended permit tcp any host <private IP of server> eq 8080
access-group dmz_in in interface outside

If you already have an ACL on the outside interface, just add the statement to that ACL.

--
Please remember to select a correct answer and rate helpful posts

Hi

Yes, I have that config also.

My setup is simple: the DMZ interface is connected to a VLAN switchport on the layer 3 core switch.

Not sure what I'm missing, or do I need to use a public IP other than the outside interface IP address? But I don't have another public IP.

No, you do not need another public IP. Could you post your full ASA configuration (remove/change public IPs, usernames and passwords)?

--
Please remember to select a correct answer and rate helpful posts
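The complete publish of the DMZ host on the outside interface address, port 8080 only, with the checks a practitioner would run before asking for the full configuration. This is an added example, not the poster's or the responder's configuration: the object name mdmserver and the host 172.29.29.2 come from the thread, the ACL name outside_access_in and the client address 198.51.100.10 (a documentation range standing in for an internet client) are assumptions.

```cisco
! Added example; not from the thread. ACL name and client address are assumptions.
!
! Static PAT on the outside interface address itself. The "interface" keyword is
! what makes this legal: a mapped object holding the same address as the outside
! interface is rejected with the overlap error the poster saw. Sharing the address
! with the RA VPN is fine because 8080 does not collide with the VPN's ports.
object network mdmserver
 host 172.29.29.2
 nat (DMZ,outside) static interface service tcp 8080 8080
!
! ASA 8.3 and later evaluate interface ACLs against the real (pre-NAT) address, so
! the outside ACL names 172.29.29.2, not the public IP. Permit the one port, not "ip".
access-list outside_access_in extended permit tcp any host 172.29.29.2 eq 8080
access-group outside_access_in in interface outside
!
! Verify on the ASA without waiting for an outside tester. Replace the placeholder
! with the real outside interface address.
packet-tracer input outside tcp 198.51.100.10 40000 <outside interface IP> 8080 detailed
show nat detail
show xlate | include 172.29.29.2
!
! While a client outside really tries port 8080, a connection that appears here but
! never gains the U (up) flag means the SYN was forwarded to the DMZ host and the
! SYN-ACK never came back through the ASA.
show conn address 172.29.29.2
```

The last check covers the poster's remaining question: no extra route is needed on the ASA for a directly connected DMZ, but the DMZ host's own default gateway must be the ASA's DMZ interface address. If the DMZ VLAN also has an SVI on the core switch and the host points at that, replies take a different path than requests, the ASA never sees the SYN-ACK, and the handshake stalls even though NAT, the ACL and packet-tracer all look correct.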