ICMP returns going to inside instead of returning to DMZ source

Robert Anderson
Level 1

Hi,

I have three interfaces: Inside, DMZ, Outside.

Inside has a wireless router (using 10.0.0.2) to connect to the ASA (10.0.0.1), using vlan 1.

DMZ (vlan12) is set up with 172.16.0.1/24. I have 3 servers (.2, .3, and .101; the .101 is an Ubuntu (12.04) server (fresh install, static IP) set up on the DMZ), and when I ping out to 8.8.8.8 the return packets are being sent to my inside interface (the wireless router on vlan 1).

I have verified that the ASA interface that this Ubuntu machine is plugged in to is in the correct vlan. (0 is outside, 1-6 is DMZ, and 7 is inside).

I cannot figure out WHY the ICMP returns are going to the inside interface instead of returning to the source from which it's NAT'ed in the DMZ (just like the other servers properly do)...?

I have two other servers on the DMZ and they are pinging out/back fine. Those are windows servers.

I cannot figure out why this simple ping is being redirected back to my inside wireless router.

3 Replies

Hi,

Check show arp on your ASA to understand on which interface the ARP entry is being learnt. Similarly, check the gateway IP address defined on the Ubuntu machine.

HTH

Sandy

Sandy,
I have the ASA with IP 172.16.0.1/24 on the DMZ vlan, so the Ubuntu IP config is as follows:

-------------- /etc/network/interfaces
auto eth0
iface eth0 inet static
        address 172.16.0.101
        netmask 255.255.255.0
        network 172.16.0.0
        broadcast 172.16.0.255
        gateway 172.16.0.1
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 8.8.8.8

-------------- Cisco ARP is as follows:

sh arp
       inside 10.0.1.2 0014.c11d.dc33 18
       outside X.X.X.X nnnn.nnnn.nnnn 0  <public wan info intentionally omitted>
       DMZ 172.16.0.3 0024.81c0.0ff7 94
       DMZ 172.16.0.2 0016.e6d3.97fd 224
       DMZ 172.16.0.101 0013.20bd.1462 6145

-------------- Output monitoring:

6 Jun 23 2014 14:53:39 172.16.0.101 44807 8.8.8.8 53 Built outbound UDP connection 30895 for outside:8.8.8.8/53 (8.8.8.8/53) to DMZ:172.16.0.101/44807 (172.16.0.101/44807)

6 Jun 23 2014 14:53:50 8.8.8.8 53 10.0.1.2 3072 Teardown UDP connection 32268 for outside:8.8.8.8/53 to inside:10.0.1.2/3072 duration 0:00:00 bytes 190

-------------- All other DMZ servers ping out fine.
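As an added illustration (not part of this thread or of any Cisco tooling), here is a small Python script that parses ASA "Built"/"Teardown" connection lines in the ASDM-style format pasted above, pairs them by connection ID, and reports which ASA interface each host address is seen behind. The first two sample lines are the two lines from the post; the third line (a Teardown for connection 30895) is constructed so that a Built/Teardown pair exists, and is an assumption. Pairing by connection ID lets a Teardown be matched to its own Built line rather than to whichever Built line happens to be nearby in the log.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Sample log in the ASDM log-viewer layout used in the thread
# (severity, date, time, src, sport, dst, dport, message text).
# Lines 1 and 2 are from the post; line 3 is CONSTRUCTED for illustration.
SAMPLE_LOG = """\
6 Jun 23 2014 14:53:39 172.16.0.101 44807 8.8.8.8 53 Built outbound UDP connection 30895 for outside:8.8.8.8/53 (8.8.8.8/53) to DMZ:172.16.0.101/44807 (172.16.0.101/44807)
6 Jun 23 2014 14:53:50 8.8.8.8 53 10.0.1.2 3072 Teardown UDP connection 32268 for outside:8.8.8.8/53 to inside:10.0.1.2/3072 duration 0:00:00 bytes 190
6 Jun 23 2014 14:53:52 8.8.8.8 53 172.16.0.101 44807 Teardown UDP connection 30895 for outside:8.8.8.8/53 to DMZ:172.16.0.101/44807 duration 0:00:13 bytes 120
"""

# Message body of ASA "Built"/"Teardown" connection messages. The optional
# "(ip/port)" groups are the post-NAT addresses the Built line carries.
MSG_RE = re.compile(
    r"(?P<event>Built|Teardown) (?:(?P<direction>inbound|outbound) )?"
    r"(?P<proto>\w+) connection (?P<conn_id>\d+) "
    r"for (?P<if_a>\w+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+)(?: \([^)]*\))? "
    r"to (?P<if_b>\w+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+)(?: \([^)]*\))?"
)


@dataclass(frozen=True)
class ConnEvent:
    event: str                      # "Built" or "Teardown"
    proto: str                      # e.g. "UDP", "TCP"
    conn_id: int                    # ASA connection ID, shared by Built and Teardown
    ifaces: Tuple[str, str]         # ASA interface names of the two endpoints, in message order
    endpoints: Tuple[Tuple[str, int], Tuple[str, int]]  # ((ip, port), (ip, port)), same order


def parse_line(line: str) -> Optional[ConnEvent]:
    """Parse one log line; returns None for lines that are not Built/Teardown messages."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    return ConnEvent(
        event=m["event"],
        proto=m["proto"],
        conn_id=int(m["conn_id"]),
        ifaces=(m["if_a"], m["if_b"]),
        endpoints=((m["ip_a"], int(m["port_a"])), (m["ip_b"], int(m["port_b"]))),
    )


def parse_log(text: str) -> List[ConnEvent]:
    """Parse every Built/Teardown line in a block of log text, skipping the rest."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events.append(ev)
    return events


def audit_connections(events: List[ConnEvent]) -> Tuple[List[int], List[int]]:
    """Pair Built and Teardown messages by connection ID.

    Returns (orphan_teardowns, interface_mismatches):
      - orphan_teardowns: IDs torn down without a Built line in this window
        (a different connection, or one built before the capture started)
      - interface_mismatches: IDs whose Teardown names different interfaces
        than their Built line (should not happen; points at a parsing or log problem)
    """
    by_id: Dict[int, Dict[str, ConnEvent]] = {}
    for ev in events:
        by_id.setdefault(ev.conn_id, {})[ev.event] = ev
    orphans = sorted(cid for cid, d in by_id.items() if "Teardown" in d and "Built" not in d)
    mismatches = sorted(
        cid for cid, d in by_id.items()
        if "Built" in d and "Teardown" in d and d["Built"].ifaces != d["Teardown"].ifaces
    )
    return orphans, mismatches


def host_interfaces(events: List[ConnEvent], ip: str) -> Set[str]:
    """Every ASA interface name a host address appears behind, across all events."""
    seen: Set[str] = set()
    for ev in events:
        for iface, (addr, _port) in zip(ev.ifaces, ev.endpoints):
            if addr == ip:
                seen.add(iface)
    return seen


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    orphans, mismatches = audit_connections(evs)
    print("orphan teardowns:", orphans)           # [32268]
    print("interface mismatches:", mismatches)    # []
    for host in ("172.16.0.101", "10.0.1.2"):
        print(host, "seen behind", sorted(host_interfaces(evs, host)))
```

On the sample, connection 30895 (the DMZ host's DNS lookup) pairs cleanly on outside/DMZ, while 32268 (outside/inside) has no Built line in the window, so the two lines describe two separate connections. Paste a longer window from the ASA log viewer into SAMPLE_LOG, or read it from a file, to see every interface each DMZ address is ever seen behind; an address that shows up behind more than one interface is the thing to chase in show arp and the NAT configuration.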

Hi,

Check your NAT settings for this host.

HTH

Sandy
