03-10-2014 01:59 AM - edited 03-11-2019 08:55 PM
Hi,
I cannot ping from LAN to DMZ public IP address.
I can ping to DMZ internal 172.16.0.x address from LAN.
DMZ LAN also can ping to Internal LAN.
If I add this config "static (DMZ,Inside) x.x.x.61 172.16.0.12 netmask 255.255.255.255"
Internal LAN cannot ping to DMZ private IP address. I can ping to DMZ public IP address.
I want to ping from LAN to DMZ private IP and DMZ Public IP address.
Please help me...
ASA Version 7.2(4)34
!
hostname ASAKT
names
!
interface Ethernet0/0
description Link to Starhub
nameif Outside
security-level 0
ip address x.x.x.x 255.255.255.240
!
interface Ethernet0/1
description Link to Internal 100.x
nameif Inside
security-level 100
ip address 192.168.100.254 255.255.255.0
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/2.100
vlan 100
nameif DMZ100
security-level 50
ip address 172.16.100.254 255.255.255.0
!
interface Ethernet0/2.101
vlan 101
nameif DMZ101
security-level 50
ip address 172.16.101.254 255.255.255.0
!
interface Ethernet0/2.102
vlan 102
nameif DMZ102
security-level 50
ip address 172.16.102.254 255.255.255.0
!
interface Ethernet0/2.103
vlan 103
nameif DMZ103
security-level 50
ip address 172.16.103.254 255.255.255.0
!
interface Ethernet0/2.104
vlan 104
nameif DMZ104
security-level 50
ip address 172.16.104.254 255.255.255.0
!
interface Ethernet0/2.105
vlan 105
nameif DMZ105
security-level 50
ip address 172.16.105.254 255.255.255.0
!
interface Ethernet0/2.106
vlan 106
nameif DMZ106
security-level 50
ip address 172.16.106.254 255.255.255.0
!
interface Ethernet0/2.107
vlan 107
nameif DMZ107
security-level 50
ip address 172.16.107.254 255.255.255.0
!
interface Ethernet0/2.108
vlan 108
nameif DMZ108
security-level 50
ip address 172.16.108.254 255.255.255.0
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Ethernet0/3.10
vlan 10
nameif DMZ
security-level 50
ip address 172.16.0.254 255.255.255.0
!
interface Ethernet0/3.100
no vlan
no nameif
no security-level
no ip address
!
interface Ethernet0/3.101
no vlan
no nameif
no security-level
no ip address
!
interface Ethernet0/3.102
no vlan
no nameif
no security-level
no ip address
!
interface Ethernet0/3.103
no vlan
no nameif
no security-level
no ip address
!
interface Ethernet0/3.104
no vlan
no nameif
no security-level
no ip address
!
interface Ethernet0/3.105
no vlan
no nameif
no security-level
no ip address
!
interface Ethernet0/3.106
no vlan
no nameif
no security-level
no ip address
!
interface Ethernet0/3.107
no vlan
no nameif
no security-level
no ip address
!
interface Ethernet0/3.108
no vlan
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
banner motd Do not attempt unauthorized access.
banner motd Do not attempt unauthorized access.
banner motd Do not attempt unauthorized access.
banner motd Do not attempt unauthorized access.
banner motd Do not attempt unauthorized access.
banner motd Do not attempt unauthorized access.
banner motd Do not attempt unauthorized access.
banner motd Do not attempt unauthorized access.
boot system disk0:/asa724-34-k8.bin
ftp mode passive
clock timezone MYT 8
dns server-group DefaultDNS
domain-name sxxxxxx
same-security-traffic permit intra-interface
object-group service TCP7760 tcp
port-object eq 7760
object-group service UDP7760 udp
port-object eq 7760
access-list Outside_in_DMZ extended permit tcp any host x.x.x.58 eq 3389
access-list Outside_in_DMZ extended permit tcp any host x.x.x.52 eq 3389
access-list Outside_in_DMZ extended permit tcp any host x.x.x.52 eq 3478
access-list Outside_in_DMZ extended permit udp any host x.x.x.52 eq 3478
access-list Outside_in_DMZ extended permit tcp any host x.x.x.52 eq 5349
access-list Outside_in_DMZ extended permit tcp any host x.x.x.52 eq https
access-list Outside_in_DMZ extended permit tcp any host x.x.x.52 eq www
access-list Outside_in_DMZ extended permit tcp any host x.x.x.52 eq domain
access-list Outside_in_DMZ extended permit udp any host x.x.x.52 eq domain
access-list Outside_in_DMZ extended permit tcp any host x.x.x.52 eq 5269
access-list Outside_in_DMZ extended permit tcp any host x.x.x.52 range 50000 59999
access-list Outside_in_DMZ extended permit tcp any host x.x.x.53 eq 3389
access-list Outside_in_DMZ extended permit tcp any host x.x.x.53 eq 3478
access-list Outside_in_DMZ extended permit udp any host x.x.x.53 eq 3478
access-list Outside_in_DMZ extended permit tcp any host x.x.x.53 eq 5349
access-list Outside_in_DMZ extended permit tcp any host x.x.x.53 eq https
access-list Outside_in_DMZ extended permit tcp any host x.x.x.53 eq www
access-list Outside_in_DMZ extended permit tcp any host x.x.x.53 eq domain
access-list Outside_in_DMZ extended permit udp any host x.x.x.53 eq domain
access-list Outside_in_DMZ extended permit tcp any host x.x.x.53 eq 5269
access-list Outside_in_DMZ extended permit tcp any host x.x.x.53 range 50000 59999
access-list Outside_in_DMZ extended permit tcp any host x.x.x.52 range sip 5065
access-list Outside_in_DMZ extended permit tcp any host x.x.x.53 range sip 5065
access-list Outside_in_DMZ extended permit tcp any host x.x.x.54 eq 3389
access-list Outside_in_DMZ extended permit tcp any host x.x.x.54 eq 3478
access-list Outside_in_DMZ extended permit udp any host x.x.x.54 eq 3478
access-list Outside_in_DMZ extended permit tcp any host x.x.x.54 eq 5349
access-list Outside_in_DMZ extended permit tcp any host x.x.x.54 eq https
access-list Outside_in_DMZ extended permit tcp any host x.x.x.54 eq www
access-list Outside_in_DMZ extended permit tcp any host x.x.x.54 eq domain
access-list Outside_in_DMZ extended permit udp any host x.x.x.54 eq domain
access-list Outside_in_DMZ extended permit tcp any host x.x.x.54 eq 5269
access-list Outside_in_DMZ extended permit tcp any host x.x.x.54 range 50000 59999
access-list Outside_in_DMZ extended permit tcp any host x.x.x.54 range sip 5065
access-list Outside_in_DMZ extended permit tcp any host x.x.x.55 eq 3389
access-list Outside_in_DMZ extended permit tcp any host x.x.x.55 eq 3478
access-list Outside_in_DMZ extended permit udp any host x.x.x.55 eq 3478
access-list Outside_in_DMZ extended permit tcp any host x.x.x.55 eq 5349
access-list Outside_in_DMZ extended permit tcp any host x.x.x.55 eq https
access-list Outside_in_DMZ extended permit tcp any host x.x.x.55 eq www
access-list Outside_in_DMZ extended permit tcp any host x.x.x.55 eq domain
access-list Outside_in_DMZ extended permit udp any host x.x.x.55 eq domain
access-list Outside_in_DMZ extended permit tcp any host x.x.x.55 eq 5269
access-list Outside_in_DMZ extended permit tcp any host x.x.x.55 range 50000 59999
access-list Outside_in_DMZ extended permit tcp any host x.x.x.55 range sip 5065
access-list Outside_in_DMZ extended permit tcp any host x.x.x.57 eq domain
access-list Outside_in_DMZ extended permit udp any host x.x.x.57 eq domain
access-list Outside_in_DMZ extended permit tcp any host x.x.x.56 eq 3478
access-list Outside_in_DMZ extended permit udp any host x.x.x.56 eq 3478
access-list Outside_in_DMZ extended permit tcp any host x.x.x.56 eq 5349
access-list Outside_in_DMZ extended permit tcp any host x.x.x.56 eq https
access-list Outside_in_DMZ extended permit tcp any host x.x.x.56 eq www
access-list Outside_in_DMZ extended permit tcp any host x.x.x.56 eq domain
access-list Outside_in_DMZ extended permit udp any host x.x.x.56 eq domain
access-list Outside_in_DMZ extended permit tcp any host x.x.x.56 eq 5269
access-list Outside_in_DMZ extended permit tcp any host x.x.x.56 range 50000 59999
access-list Outside_in_DMZ extended permit tcp any host x.x.x.56 range sip 5065
access-list Outside_in_DMZ extended permit tcp any host x.x.x.57 eq www
access-list Outside_in_DMZ extended permit tcp any host x.x.x.57 eq https
access-list Outside_in_DMZ extended permit tcp any host x.x.x.57 eq 3389
access-list Outside_in_DMZ extended permit udp any host x.x.x.56 range 50000 59999
access-list Outside_in_DMZ extended permit tcp any host x.x.x.57 eq 88
access-list Outside_in_DMZ extended permit tcp any host x.x.x.57 eq 81
access-list Outside_in_DMZ extended permit icmp any host x.x.x.57
access-list Outside_in_DMZ extended permit tcp any host 192.168.100.2 range 40000 64999
access-list Outside_in_DMZ extended permit udp any host 192.168.100.2 range 40000 64999
access-list Outside_in_DMZ extended permit tcp host x.x.x.8 host 192.168.100.2 range 40000 64999
access-list Outside_in_DMZ extended permit udp host x.x.x.8 host 192.168.100.2 range 40000 64999
access-list Outside_in_DMZ extended permit udp host x.x.x.8 host x.x.x.56 eq 7760
access-list Outside_in_DMZ extended permit tcp host x.x.x.8 host x.x.x.56 eq 7760
access-list Outside_in_DMZ extended permit tcp any host 192.168.100.13 eq 7760
access-list Outside_in_DMZ extended permit udp any host 192.168.100.13 eq 7760
access-list Outside_in_DMZ extended permit icmp any host x.x.x.56
access-list Outside_in_DMZ extended permit tcp any host x.x.x.56 eq 3389
access-list Outside_in_DMZ extended permit icmp any any time-exceeded
access-list Outside_in_DMZ extended permit icmp any any unreachable
access-list Outside_in_DMZ extended permit icmp any any
access-list Outside_in_DMZ extended permit icmp any any source-quench
access-list Outside_in_DMZ extended permit icmp any any echo
access-list Outside_in_DMZ extended permit tcp any host x.x.x.56 eq sip
access-list Outside_in_DMZ extended permit udp any host x.x.x.56 eq sip
access-list Outside_in_DMZ extended permit udp host x.x.x.8 host x.x.x.56 eq sip
access-list Outside_in_DMZ extended permit tcp host x.x.x.8 host x.x.x.56 eq sip
access-list Outside_in_DMZ extended permit tcp any host 192.168.100.13 eq sip
access-list Outside_in_DMZ extended permit udp any host 192.168.100.13 eq sip
access-list Outside_in_DMZ extended permit tcp any host x.x.x.50 eq 1000
access-list Outside_in_DMZ extended permit tcp any host x.x.x.50 eq 1001
access-list Outside_in_DMZ extended permit tcp any host x.x.x.50 eq 1002
access-list Outside_in_DMZ extended permit gre any host x.x.x.51
access-list Outside_in_DMZ extended permit udp any host x.x.x.51 eq isakmp
access-list Outside_in_DMZ extended permit udp any host x.x.x.51 eq 47
access-list Outside_in_DMZ extended permit tcp any host x.x.x.51 eq 47
access-list Outside_in_DMZ extended permit tcp any host x.x.x.51 eq pptp
access-list Outside_in_DMZ extended permit tcp any host x.x.x.52 eq 5949
access-list Outside_in_DMZ extended permit tcp any host x.x.x.53 eq 6049
access-list Outside_in_DMZ extended permit tcp any host x.x.x.54 eq 6149
access-list Outside_in_DMZ extended permit icmp any host x.x.x.59
access-list Outside_in_DMZ extended permit icmp any host x.x.x.60
access-list Outside_in_DMZ extended permit ip any host x.x.x.59
access-list Outside_in_DMZ extended permit ip any host x.x.x.60
access-list Outside_in_DMZ extended permit tcp any host x.x.x.52 eq sip
access-list Outside_in_DMZ extended permit tcp any host x.x.x.52 eq 5061
access-list Outside_in_DMZ extended permit tcp any host x.x.x.53 eq 5061
access-list Outside_in_DMZ extended permit tcp any host x.x.x.53 eq sip
access-list Outside_in_DMZ extended permit tcp any host x.x.x.54 eq sip
access-list Outside_in_DMZ extended permit tcp any host x.x.x.54 eq 5061
access-list Outside_in_DMZ extended permit tcp any host x.x.x.62 eq www
access-list Outside_in_DMZ extended permit tcp any host x.x.x.62 eq https
access-list Outside_in_DMZ extended permit tcp any host x.x.x.62 eq 3389
access-list Outside_in_DMZ extended permit tcp any host x.x.x.62 eq 88
access-list Outside_in_DMZ extended permit tcp any host x.x.x.62 eq 81
access-list Outside_in_DMZ extended permit icmp any host x.x.x.62
access-list Outside_in_DMZ extended permit tcp any host x.x.x.62 eq domain
access-list Outside_in_DMZ extended permit udp any host x.x.x.62 eq domain
access-list Outside_in_DMZ extended permit ip any host x.x.x.58
access-list Outside_in_DMZ extended permit ip any host x.x.x.69
access-list Outside_in_DMZ extended permit tcp any host x.x.x.61 eq smtp
access-list Outside_in_DMZ extended permit tcp any host x.x.x.61 eq domain
access-list Outside_in_DMZ extended permit udp any host x.x.x.61 eq www
access-list Outside_in_DMZ extended permit tcp any host x.x.x.61 eq pop3
access-list Outside_in_DMZ extended permit tcp any host x.x.x.61 eq imap4
access-list Outside_in_DMZ extended permit tcp any host x.x.x.61 eq https
access-list Outside_in_DMZ extended permit tcp any host x.x.x.61 eq 587
access-list Outside_in_DMZ extended permit udp any host x.x.x.61 eq 993
access-list Outside_in_DMZ extended permit tcp any host x.x.x.61 eq 2220
access-list Outside_in_DMZ extended permit udp any host x.x.x.61 eq domain
access-list Outside_in_DMZ extended permit udp any host x.x.x.51 eq 22545
access-list Outside_in_DMZ extended permit tcp any host x.x.x.51 eq 22545
access-list Outside_in_DMZ extended permit udp any host x.x.x.51 eq 22544
access-list Outside_in_DMZ extended permit tcp any host x.x.x.51 eq 22544
access-list Outside_in_DMZ extended permit udp any host x.x.x.51 eq 22543
access-list Outside_in_DMZ extended permit tcp any host x.x.x.51 eq 22543
access-list Outside_in_DMZ extended permit udp any host x.x.x.51 eq 22542
access-list Outside_in_DMZ extended permit tcp any host x.x.x.51 eq 22542
access-list Outside_in_DMZ extended permit udp any host x.x.x.51 eq 22541
access-list Outside_in_DMZ extended permit tcp any host x.x.x.51 eq 22541
access-list Outside_in_DMZ extended permit udp any host x.x.x.51 eq 22540
access-list Outside_in_DMZ extended permit tcp any host x.x.x.51 eq 22540
access-list Outside_in_DMZ extended permit udp any host x.x.x.60 eq 22540
access-list Outside_in_DMZ extended permit tcp any host x.x.x.60 eq 22540
access-list Outside_in_DMZ extended permit udp any host x.x.x.60 eq 22541
access-list Outside_in_DMZ extended permit tcp any host x.x.x.60 eq 22541
access-list Outside_in_DMZ extended permit udp any host x.x.x.60 eq 22542
access-list Outside_in_DMZ extended permit tcp any host x.x.x.60 eq 22542
access-list Outside_in_DMZ extended permit udp any host x.x.x.60 eq 22543
access-list Outside_in_DMZ extended permit tcp any host x.x.x.60 eq 22543
access-list Outside_in_DMZ extended permit udp any host x.x.x.60 eq 22544
access-list Outside_in_DMZ extended permit tcp any host x.x.x.60 eq 22544
access-list Outside_in_DMZ extended permit udp any host x.x.x.60 eq 22545
access-list Outside_in_DMZ extended permit tcp any host x.x.x.60 eq 22545
access-list Outside_in_DMZ extended permit udp any host x.x.x.58 eq www
access-list Outside_in_DMZ extended permit tcp any host x.x.x.58 eq https
access-list Outside_in_DMZ extended permit icmp any host x.x.x.58
access-list DMZ_in_Internal extended permit ip any any
access-list Inside_in_Internal extended permit ip 192.168.100.0 255.255.255.0 host 172.16.0.5
access-list Inside_in_Internal extended permit tcp 192.168.100.0 255.255.255.0 host 172.16.0.5 eq www
access-list Inside_in_Internal extended permit ip 192.168.100.0 255.255.255.0 host 172.16.0.13
access-list Inside_in_Internal extended permit tcp 192.168.100.0 255.255.255.0 host 172.16.0.13 eq www
access-list Inside_in_Internal extended permit tcp 192.168.100.0 255.255.255.0 host 172.16.0.13 eq https
access-list Inside_access_in extended permit tcp host x.x.x.8 host 192.168.100.13 object-group TCP7760
access-list Inside_access_in extended permit udp host x.x.x.8 host 192.168.100.13 object-group UDP7760
access-list Pfingo_In extended permit tcp host x.x.x.8 host 192.168.100.13 eq 7760
access-list Pfingo_In extended permit udp host x.x.x.8 host 192.168.100.13 eq 7760
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.120.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list INSIDE-NAT0 extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 102 extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 192.168.50.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.100.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.50.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip 192.168.100.0 255.255.255.0 192.168.120.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip 192.168.50.0 255.255.255.0 192.168.120.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.120.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list splittun-vpngrup1 extended permit ip 192.168.100.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list splittun-vpngrup1 extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list splittun-vpngrup1 extended permit ip 192.168.110.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list splittun-vpngrup1 extended permit ip 192.168.120.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.100.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.110.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.120.0 255.255.255.0
access-list DMZ_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu DMZ100 1500
mtu DMZ101 1500
mtu DMZ102 1500
mtu DMZ103 1500
mtu DMZ104 1500
mtu DMZ105 1500
mtu DMZ106 1500
mtu DMZ107 1500
mtu DMZ108 1500
mtu DMZ 1500
mtu management 1500
ip local pool ippool 192.168.50.10-192.168.50.40 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
global (DMZ100) 101 interface
global (DMZ101) 101 interface
global (DMZ102) 101 interface
global (DMZ103) 101 interface
global (DMZ104) 101 interface
global (DMZ105) 101 interface
global (DMZ106) 101 interface
global (DMZ107) 101 interface
global (DMZ108) 101 interface
global (DMZ) 101 interface
nat (Outside) 0 access-list outside_nat0_outbound
nat (Inside) 0 access-list inside_nat0_outbound
nat (Inside) 101 192.168.100.0 255.255.255.0
nat (DMZ100) 101 172.16.100.0 255.255.255.0
nat (DMZ101) 101 172.16.101.0 255.255.255.0
nat (DMZ102) 101 172.16.102.0 255.255.255.0
nat (DMZ103) 101 172.16.103.0 255.255.255.0
nat (DMZ104) 101 172.16.104.0 255.255.255.0
nat (DMZ105) 101 172.16.105.0 255.255.255.0
nat (DMZ106) 101 172.16.106.0 255.255.255.0
nat (DMZ107) 101 172.16.107.0 255.255.255.0
nat (DMZ108) 101 172.16.108.0 255.255.255.0
static (Inside,Outside) tcp x.x.x.50 1000 192.168.100.87 www netmask 255.255.255.255
static (Inside,Outside) tcp x.x.x.50 1001 192.168.100.88 www netmask 255.255.255.255
static (Inside,Outside) tcp x.x.x.50 1002 192.168.100.89 www netmask 255.255.255.255
static (Inside,Outside) x.x.x.56 192.168.100.13 netmask 255.255.255.255
static (DMZ,Outside) x.x.x.55 172.16.0.4 netmask 255.255.255.255
static (DMZ,Outside) x.x.x.57 172.16.0.5 netmask 255.255.255.255
static (DMZ,Outside) x.x.x.52 172.16.0.7 netmask 255.255.255.255
static (DMZ,Outside) x.x.x.53 172.16.0.8 netmask 255.255.255.255
static (DMZ,Outside) x.x.x.54 172.16.0.9 netmask 255.255.255.255
static (DMZ,Outside) x.x.x.62 172.16.0.13 netmask 255.255.255.255
static (DMZ,Outside) x.x.x.61 172.16.0.12 netmask 255.255.255.255
static (DMZ101,Outside) x.x.x.164 172.16.101.1 netmask 255.255.255.255
static (DMZ103,Outside) x.x.x.166 172.16.103.1 netmask 255.255.255.255
static (DMZ102,Outside) x.x.x.165 172.16.102.1 netmask 255.255.255.255
static (DMZ104,Outside) x.x.x.167 172.16.104.1 netmask 255.255.255.255
static (DMZ105,Outside) x.x.x.168 172.16.105.1 netmask 255.255.255.255
static (DMZ106,Outside) x.x.x.169 172.16.106.1 netmask 255.255.255.255
static (DMZ107,Outside) x.x.x.170 172.16.107.1 netmask 255.255.255.255
static (DMZ101,Outside) x.x.x.163 172.16.101.2 netmask 255.255.255.255
static (DMZ101,Outside) x.x.x.174 172.16.101.3 netmask 255.255.255.255
static (DMZ101,Outside) x.x.x.171 172.16.101.4 netmask 255.255.255.255
static (DMZ101,Outside) x.x.x.172 172.16.101.5 netmask 255.255.255.255
static (DMZ,Outside) x.x.x.59 172.16.0.6 netmask 255.255.255.255
static (Inside,Outside) x.x.x.60 192.168.100.102 netmask 255.255.255.255
static (Inside,Outside) x.x.x.58 192.168.100.189 netmask 255.255.255.255
no threat-detection statistics tcp-intercept
access-group Outside_in_DMZ in interface Outside
access-group DMZ_in_Internal in interface DMZ
route Outside 0.0.0.0 0.0.0.0 x.x.x.49 1
Thanks,
infoakh
03-10-2014 05:31 AM
The reason you lose connectivity to the DMZ when you enter the command:
static (DMZ,Inside) x.x.x.61 172.16.0.12 netmask 255.255.255.255
is because as of this point you will be NATing all ports to 172.16.0.12, so you are effectively saying that only that private IP should be reachable.
Is there a particular reason you want to be able to ping the public address of the DMZ from the internal network?
As the public IP is associated with the outside interface, the ASA will not allow you to ping this IP because the packet would need to leave the outside interface and then be routed back to the ASA, so basically the ASA will see this as a spoofed packet and drop it. The only way around this is to configure NAT. But this depends really on what you are trying to do. If you just want to ping the public DMZ address for the sake of pinging it, this can become a very ugly and unstable configuration. However, if you are trying to allow users to connect to the company web server using the public IP, for example, because that is what the DNS server resolves the FQDN to, then you could use DNS doctoring, depending on where the DNS server is located of course.
Please define your requirements for being able to ping the public IP of the DMZ so we can help you further.
--
Please remember to rate and select a correct answer
03-10-2014 05:45 AM
Hello,
As soon as you enable the static NAT you mentioned, you will be able to only access the server via its public IP.
Why would you like to access it via both IPs anyway?
When you point it to the public IP do the following
packet-tracer input inside tcp x.x.x.x 1025 y.y.y.y 3389
Where x.x.x.x is an internal IP
and y.y.y.y is the public IP of the server sitting on the DMZ
Regards
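Putting the two answers together as an added example (this is not the poster's running config nor either respondent's text): the DNS-doctoring alternative the first answer mentions, expressed with the `dns` keyword on the static that already exists for x.x.x.61 / 172.16.0.12, followed by the packet-tracer checks the second answer suggests. The interface names and addresses come from the posted config; the LAN client address 192.168.100.10, the assumption that internal clients resolve the server's FQDN through a DNS server reached via the Outside interface, and the assumption that `inspect dns` is in the global service policy are mine.

```cisco
! Added example, not the poster's configuration. Assumes ASA 7.2(4),
! an external DNS server (replies enter on Outside and leave on Inside)
! and DNS inspection enabled in the global policy-map (the default).
!
! Keep the single static (DMZ,Outside) instead of adding a second
! static (DMZ,Inside): with the dns keyword the ASA rewrites an A record
! of x.x.x.61 in the DNS reply to 172.16.0.12, so the LAN client connects
! to the private address over the Inside -> DMZ path that already works,
! and no traffic has to hairpin on the Outside interface.
no static (DMZ,Outside) x.x.x.61 172.16.0.12 netmask 255.255.255.255
static (DMZ,Outside) x.x.x.61 172.16.0.12 netmask 255.255.255.255 dns
!
! Confirm DNS inspection is applied; without it the dns keyword does nothing.
show service-policy inspect dns
!
! Trace the path as the second answer suggests. 192.168.100.10 is an
! assumed LAN client. The first two should be allowed out via DMZ; the
! third targets the public IP from Inside, which the first answer explains
! the ASA drops unless NAT is configured for that direction.
packet-tracer input Inside icmp 192.168.100.10 8 0 172.16.0.12
packet-tracer input Inside tcp 192.168.100.10 1025 172.16.0.12 3389
packet-tracer input Inside tcp 192.168.100.10 1025 x.x.x.61 3389
```

If the LAN's resolver is itself on the Inside network, the DNS reply never crosses the ASA and no rewrite can happen; in that case the internal zone should simply answer with 172.16.0.12 (split DNS), which again avoids any Inside-side static for the public address.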
03-10-2014 07:31 PM
Hi,
Thanks for all your answers. So if I access the public IP from the LAN, is there no way to access the DMZ LAN IP address?
Thanks,
infoakh