Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9165
Views
5
Helpful
3
Replies

Hosts on inside cannot ping hosts on dmz, why? (ASA 5505)

ralf.rottmann
Level 1
Level 1

‎05-14-2012 11:52 PM - edited ‎03-11-2019 04:06 PM

Hi there,

With our below configuration, hosts on the inside network (10.0.1.0/24) cannot ping the host 10.0.2.200 on the dmz network. What do we have to add/change to make this possible? We also want hosts on inside to be able to do a Mac OS Remote Desktop connection to the host on 10.0.2.200. From the documentation we were to believe, that all traffic from higher security networks (inside) to lower security networks (dmz) would be permitted by default.

Looking forward to your help. Has always been speedy and fantastic. Thanks in advance!

: Saved

:

ASA Version 8.4(3)

!

hostname ***

domain-name ***

enable password *** encrypted

passwd *** encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

switchport access vlan 12

!

interface Vlan1

nameif inside

security-level 100

ip address 10.0.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 195.14.245.70 255.255.255.224

!

interface Vlan12

nameif dmz

security-level 50

ip address 10.0.2.1 255.255.255.0

!

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server ***

name-server ***

domain-name ***

object network obj_any

subnet 0.0.0.0 0.0.0.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (dmz,outside) source dynamic obj_any interface

!

object network obj_any

nat (inside,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 195.14.245.65 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 10.0.1.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

    ***

  quit

telnet timeout 5

ssh 10.0.1.0 255.255.255.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

dhcpd dns *** ***

dhcpd auto_config inside

!            

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

username *** password *** encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

class class-default

  user-statistics accounting

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous

hpm topN enable

Cryptochecksum:***

: end

2 people had this problem
Labels:
0 Helpful
3 Replies 3

Jennifer Halim
Cisco Employee
Cisco Employee

‎05-15-2012 12:21 AM

You need to configure static NAT translation as follows:

object network obj-10.0.1.0

   subnet 10.0.1.0 255.255.255.0

object network obj-10.0.2.0

   subnet 10.0.2.0 255.255.255.0

nat (inside,dmz) source static obj-10.0.1.0 obj-10.0.1.0 destination static obj-10.0.2.0 obj-10.0.2.0

policy-map global_policy

   class inspection_default

           inspect icmp

Hope that helps.

0 Helpful

ralf.rottmann
Level 1
Level 1

‎05-15-2012 12:30 AM

Thanks, Jennifer. Will try asap. Two more questions:

1. Why is this required? Isn't traffic from a higher security level to a lower security level supposed to just work?

2. Will this also solve the remote desktop thing or just facilitate ICMP/Ping?

Sent from Cisco Technical Support iPhone App

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to ralf.rottmann

‎05-15-2012 01:07 AM

1. Translation is required, however access-list is not required as you advise from high to low security level.

2. Yes, it will resolve both ping and remote desktop issue.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card