Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
514
Views
0
Helpful
3
Replies

ICMP returns going to inside instead of returning to DMZ source

Robert Anderson
Level 1
Level 1

‎06-23-2014 07:35 PM - edited ‎03-03-2019 07:28 AM

Hi,

I have three interfaces: Inside, DMZ, Outside.

Inside has a wireless router (using 10.0.0.2) to connect to ASA (10.0.0.1) -using vlan 1.

DMZ (vlan12) is setup with 172.16.0.1/24 ~ I have 3 servers (.2 -.3 -and .101....the 101 is an ubuntu (12.04) server (fresh install static ip) setup on the DMZ, and when I ping out to 8.8.8.8 the return packets are being sent to my inside interface (the wireless router on vlan 1).

I have verified that the ASA interface that this Ubuntu machine is plugged in to is in the correct vlan. (0 is outside, 1-6 is DMZ, and 7 is inside).

I cannot figure out WHY the icmp returns are going to the inside interface instead of returning to the source from which its NAT'ed in the DMZ (just like the other servers properly do)...?

 

I have two other servers on the DMZ and they are pinging out/back fine. Those are windows servers.

I cannot figure out why this simple ping is being re-directed back to my inside wireless-routers

Labels:
0 Helpful
3 Replies 3

SANTHOSHKUMAR SARAVANAN
Level 4
Level 4

‎06-23-2014 08:19 PM

Hi ,

  Check on show arp on your ASA to understand on which interface ARP is being learnt  , Similarly check on gateway IP address defined on ubuntu machine  .

 

 

HTH

Sandy

0 Helpful

Robert Anderson
Level 1
Level 1
In response to SANTHOSHKUMAR SARAVANAN

‎06-23-2014 08:45 PM

Sandy,
I have ASA with ip 172.16.0.1/24 on DMZ vlan...so Ubuntu IP config is as follows:

-------------- /etc/network/interfaces
auto eth0
iface eth0 inet static
        address 172.16.0.101
        netmask 255.255.255.0
        network 172.16.0.0
        broadcast 172.16.0.255
        gateway 172.16.0.1
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 8.8.8.8

 

-------------- Cisco arp is as follows:

sh arp
       inside 10.0.1.2 0014.c11d.dc33 18
       outside X.X.X.X nnnn.nnnn.nnnn 0  <public wan info intentionally omitted>
       DMZ 172.16.0.3 0024.81c0.0ff7 94
       DMZ 172.16.0.2 0016.e6d3.97fd 224
       DMZ 172.16.0.101 0013.20bd.1462 6145

-------------- Output monitoring:

6 Jun 23 2014 14:53:39 172.16.0.101 44807 8.8.8.8 53 Built outbound UDP connection 30895 for outside:8.8.8.8/53 (8.8.8.8/53) to DMZ:172.16.0.101/44807 (172.16.0.101/44807)

6 Jun 23 2014 14:53:50 8.8.8.8 53 10.0.1.2 3072 Teardown UDP connection 32268 for outside:8.8.8.8/53 to inside:10.0.1.2/3072 duration 0:00:00 bytes 190

--------------ALL OTHER DMZ servers ping out fine.

0 Helpful

SANTHOSHKUMAR SARAVANAN
Level 4
Level 4
In response to Robert Anderson

‎06-23-2014 09:01 PM

Hi ,

 Check your NAT settings for this host . 

 

HTH

Sandy 

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card