
Unable to ping inside to DMZ on ASA

mightymark
Level 1

Hello everyone,

 

I'm new to ASA configuration and I'm having a lot of problems.

I'm unable to ping from my inside host to the server within the DMZ zone.

I'm using Packet Tracer 7.1.1 and my config will be below.

Any help would be gratefully welcomed because I want to learn.

ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
switchport access vlan 1
!
interface Ethernet0/4
switchport access vlan 1
!
interface Ethernet0/5
switchport access vlan 1
!
interface Ethernet0/6
switchport access vlan 1
!
interface Ethernet0/7
switchport access vlan 1
!
interface Vlan1
nameif Inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Vlan2
nameif Outside
security-level 0
ip address 209.165.200.226 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif DMZ
security-level 50
ip address 172.16.2.0 255.255.255.0
!
object network LAN
subnet 172.16.1.0 255.255.255.0
!
route Outside 0.0.0.0 0.0.0.0 209.165.200.225 1
route DMZ 0.0.0.0 0.0.0.0 209.165.200.225 1
!
access-list ACL-OUTSIDE extended permit icmp any any
!
!
access-group ACL-OUTSIDE in interface Outside
object network LAN
nat (Inside,Outside) dynamic interface
!
!
!
!
!
!
!
telnet timeout 5
ssh timeout 5
!
dhcpd dns 8.8.8.8
dhcpd auto_config outside
!
dhcpd address 172.16.1.5-172.16.1.6 Inside
dhcpd dns 8.8.8.8 interface Inside
dhcpd enable Inside
!
!
!
!
!
!

 

9 Replies

Florin Barhala
Level 6
ASA config looks good. To double test this please run:
packet-tracer input inside icmp src_IP_server_inside 8 0 dst_IP_server_DMZ

If it reports packet is allowed then you have to check:
- default GW proper config on both IP_server_inside and IP_server_DMZ
- Windows / IPTABLES FW status on each server

Also post the output of "show service-policy global"

I keep getting "invalid command" when I try to run any of those commands. Can I double-check that I run this from the command prompt on the inside PC1?

I am not sure about your question. Can you just post/share the error you receive?

Sorry, when I try to run the command it says “not recognised”. Does Packet Tracer not support this command any more in version 7.1.1?

I tried to run it in exec mode on the ASA device.

Use "?" after each command and see what's the issue.
What about:
"If it reports packet is allowed then you have to check:
- default GW proper config on both IP_server_inside and IP_server_DMZ
- Windows / IPTABLES FW status on each server

Also post the output of "show service-policy global" "

This is what I see when I do the ?. I can't see any of the options you have asked me to type in?

 

[Attached screenshots: asas.PNG, enable.PNG]

You have to run packet tracer outside of config mode.

I was wondering if you could tell me how I do that, as I’m really new to all this and all I’ve ever been taught is the enable and config t command. If I go out of that altogether, it just gives me 1 command I can use.

I know what you mean now, I only get one option when I do that and that’s show version.
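
An added example, not part of any post in this thread: a Python check over the interface and route lines of the configuration posted in the question, flagging an interface address that is its subnet's network or broadcast address and a route whose next hop lies outside the named interface's subnet. The function names `parse` and `lint` are hypothetical; the embedded excerpt is copied from the posted configuration.

```python
import ipaddress

# Interface and route lines copied from the configuration posted in the question.
CONFIG = """\
interface Vlan1
 nameif Inside
 ip address 172.16.1.1 255.255.255.0
interface Vlan2
 nameif Outside
 ip address 209.165.200.226 255.255.255.248
interface Vlan3
 nameif DMZ
 ip address 172.16.2.0 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 209.165.200.225 1
route DMZ 0.0.0.0 0.0.0.0 209.165.200.225 1
"""

def parse(config):
    """Return ({nameif: IPv4Interface}, [(nameif, next_hop)]) from ASA config text."""
    interfaces, routes, nameif = {}, [], None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            nameif = None  # new interface block, name not seen yet
        elif words[:1] == ["nameif"] and len(words) == 2:
            nameif = words[1]
        elif words[:2] == ["ip", "address"] and nameif and len(words) >= 4:
            interfaces[nameif] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif words[:1] == ["route"] and len(words) >= 5:
            routes.append((words[1], ipaddress.ip_address(words[4])))
    return interfaces, routes

def lint(config):
    """List interface and route addressing inconsistencies."""
    interfaces, routes = parse(config)
    findings = []
    for name, iface in interfaces.items():
        net = iface.network
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            findings.append(f"{name}: {iface.ip} is the network or broadcast address of {net}")
    for name, hop in routes:
        if name not in interfaces:
            findings.append(f"route {name}: no interface with that nameif")
        elif hop not in interfaces[name].network:
            findings.append(f"route {name}: next hop {hop} is not in {interfaces[name].network}")
    return findings

if __name__ == "__main__":
    for finding in lint(CONFIG):
        print(finding)
```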