inside to dmz

adel85
Level 1

My post was marked as spam, I don't know why.

I am doing a lab with Packet Tracer and I can't reach the DMZ from the inside network.

ASA config:


hostname ciscoasa
names
!
interface GigabitEthernet1/1
nameif dmz
security-level 50
ip address 172.19.3.1 255.255.255.252
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 172.19.254.1 255.255.255.252
!
interface GigabitEthernet1/3
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
no security-level
no ip address
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
shutdown
!
route inside 172.19.2.0 255.255.255.252 172.19.254.2 1
route inside 172.19.4.0 255.255.255.0 172.19.254.2 1
!
!
!
!
!
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect tftp
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5

3 Replies

@adel85 how are you testing? Provide the output of the packet-tracer command from the CLI.


If you are pinging the DMZ interface of the ASA when connecting from the inside network, that will never work by design - the ASA won't allow you to do that.


You have a /30 on the DMZ interface, so you cannot add any DMZ hosts; you will need static routes for the DMZ hosts' network.

I only have one host behind that /30 subnet, 172.19.3.2.

I can ping it if I raise the security level to 100, but when I make it 50 the ping stops (check attachment).

@adel85 ok, I assumed you'd have a switch if using a /30 network.


Regardless, you need to permit the return ICMP traffic: either create an ACL to permit the ICMP traffic or run the command fixup protocol icmp to inspect the ICMP traffic. This should allow the ping to respond.


By default, traffic between interfaces of the same security level is permitted, and traffic from a lower security level to a higher level is denied - as you've found out. Hence why you need an ACL to specify the traffic, or, if it is just ICMP, use the command specified above to inspect it.
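The verification step asked for in the first reply and the two fixes proposed in the last one, written out against the posted config. This is an added example, not part of the original thread and not adel85's configuration. It assumes the interface names and addresses from the posted config, that the inside hosts sit behind 172.19.254.2 as the static routes imply, and it uses 172.19.4.10 as an arbitrary inside host address and DMZ_IN as an arbitrary ACL name. The policy-map form shown is what current ASA software turns the legacy fixup protocol icmp command into; the posted config already carries the global_policy it hooks into.

```cisco
! --- 1. Verify before changing anything (what the first reply asks for).
! Simulate the echo-request inside -> dmz, then the echo-reply dmz -> inside.
! 172.19.4.10 is an assumed inside host (not in the original post).
! With the posted config the second trace ends in DROP: the reply comes from
! security-level 50 towards 100 with no ACL and no ICMP inspection.
packet-tracer input inside icmp 172.19.4.10 8 0 172.19.3.2 detailed
packet-tracer input dmz icmp 172.19.3.2 0 0 172.19.4.10 detailed

! --- 2a. Preferred fix: stateful ICMP inspection.
! Adds inspect icmp to the global_policy already in the posted config.
! The ASA then tracks each echo-request as a connection and admits only
! the matching echo-reply; nothing else from the DMZ is opened.
policy-map global_policy
 class inspection_default
  inspect icmp

! --- 2b. Alternative fix: an inbound ACL on the dmz interface.
! Stateless: it admits echo-replies from 172.19.3.2 whether or not an
! echo-request was ever sent. Once an ACL is bound to dmz, any other traffic
! entering dmz that is not listed hits the implicit deny, which matters if a
! lower-security (e.g. outside) interface is added later.
access-list DMZ_IN extended permit icmp host 172.19.3.2 any echo-reply
access-list DMZ_IN extended permit icmp host 172.19.3.2 any unreachable
access-list DMZ_IN extended permit icmp host 172.19.3.2 any time-exceeded
access-group DMZ_IN in interface dmz

! --- 3. Confirm: re-run the dmz -> inside trace (now ALLOW), check the policy
! is applied, and watch the ICMP connection appear while a ping is running.
packet-tracer input dmz icmp 172.19.3.2 0 0 172.19.4.10 detailed
show service-policy inspect icmp
show conn
```

Pick one of the two fixes, not both; with inspect icmp in place the ACL is unnecessary, and the ACL variant is the one to reach for only when a non-stateful hole is genuinely wanted. Pinging the DMZ interface address 172.19.3.1 itself from the inside still fails after either change, for the reason given in the first reply.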
