Showing results for 
Search instead for 
Did you mean: 


Hosts on inside cannot ping hosts on dmz, why? (ASA 5505)

Hi there,

With our below configuration, hosts on the inside network ( cannot ping the host on the dmz network. What do we have to add/change to make this possible? We also want hosts on inside to be able to do a Mac OS Remote Desktop connection to the host on From the documentation we were to believe, that all traffic from higher security networks (inside) to lower security networks (dmz) would be permitted by default.

Looking forward to your help. Has always been speedy and fantastic. Thanks in advance!

: Saved


ASA Version 8.4(3)


hostname ***

domain-name ***

enable password *** encrypted

passwd *** encrypted



interface Ethernet0/0

switchport access vlan 2


interface Ethernet0/1


interface Ethernet0/2


interface Ethernet0/3


interface Ethernet0/4


interface Ethernet0/5


interface Ethernet0/6


interface Ethernet0/7

switchport access vlan 12


interface Vlan1

nameif inside

security-level 100

ip address


interface Vlan2

nameif outside

security-level 0

ip address


interface Vlan12

nameif dmz

security-level 50

ip address


ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server ***

name-server ***

domain-name ***

object network obj_any


pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (dmz,outside) source dynamic obj_any interface


object network obj_any

nat (inside,outside) dynamic interface

route outside 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http inside

http outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca 6ecc7aa5a7032009b8cebcf4e952d491



telnet timeout 5

ssh inside

ssh outside

ssh timeout 5

console timeout 0

dhcpd dns *** ***

dhcpd auto_config inside


threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200


username *** password *** encrypted privilege 15


class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns preset_dns_map


  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

class class-default

  user-statistics accounting


service-policy global_policy global

prompt hostname context

call-home reporting anonymous

hpm topN enable


: end

Jennifer Halim
Cisco Employee

You need to configure static NAT translation as follows:

object network obj-


object network obj-


nat (inside,dmz) source static obj- obj- destination static obj- obj-

policy-map global_policy

   class inspection_default

           inspect icmp

Hope that helps.


Thanks, Jennifer. Will try asap. Two more questions:

1. Why is this required? Isn't traffic from a higher security level to a lower security level supposed to just work?

2. Will this also solve the remote desktop thing or just facilitate ICMP/Ping?

Sent from Cisco Technical Support iPhone App

1. Translation is required, however access-list is not required as you advise from high to low security level.

2. Yes, it will resolve both ping and remote desktop issue.

Recognize Your Peers
Content for Community-Ad