Hello Jon,

The config is the next:

nat (inside) 0 192.168.0.0 255.255.0.0 0 0

nat (dmz1) 0 192.168.1.0 255.255.255.0 0 0

nat (dmz2) 0 192.168.2.0 255.255.255.0 0 0

static (inside,dmz2) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0

static (dmz1,dmz2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

access-list dmz1 permit tcp any any

access-list dmz1 permit udp any any

access-list dmz2 permit icmp any any

access-list dmz2 permit tcp any any

access-list dmz2 permit udp any any

I don't know what's happening but I can't run icmp echo request from 192.168.2.0 to 192.168.1.0. Do I have to configure something else?

What security levels are dmz1 and dmz2 ?

Jon

Hi Jon,

The security level are:

nameif ethernet1 inside security100

nameif ethernet2 dmz1 security80

nameif ethernet3 dmz2 security70

It's weird because if I run icmp echo from 192.168.1.0 to 192.168.2.0, later I can run icmp echo request from 192.168.2.0 to 192.168.1.0. It seems something of ARP.

What about this? Should do I remove this lines?

sysopt noproxyarp inside

sysopt noproxyarp dmz1

sysopt noproxyarp dmz2

Thanks a lot, best regards.

Can you try enabling proxyarp on the dmz2 interface and retest.

Before you do the above can you clear the arp table and the xlate table (assuming this is not an active production firewall with active connections).

If this doesn't work then please post the full configuration.

Jon

Hello Jon,

Thank you very much, it was a static NAT issue.

Thanks, best regards.