Cannot ping DMZ from outside when static,access-l are defined for DMZ insid

mukumucisco
Level 1

I want to ping from a host on the outside to a host on the DMZ and at the same time be able to ping from the DMZ to the inside. I can only ping from DMZ to inside after creating the following static and access-list commands:

static (DMZ,outside) 10.1.1.3 10.1.2.2 netmask 255.255.255.255
static (inside,DMZ) 10.1.2.4 10.1.3.2 netmask 255.255.255.255
access-list 101-out permit icmp any host 10.1.1.3
access-list 101-dmz permit icmp any host 10.1.2.4
access-group 101-out in interface outside
access-group 101-dmz in interface DMZ

If I remove the static (inside,DMZ) and access-list 101-dmz commands then I can ping from the outside to the DMZ but not from DMZ to inside.

What should I do to allow pinging from outside to a host on DMZ and from DMZ to any host on the inside?

I have nat (outside) 1 0 0 and nat (DMZ) 1 0 0 with global addresses for both the DMZ and outside. Do I need a nat (inside)?

1 Reply

mvoight
Level 1

In order to go from a more secure interface to a less secure interface, like inside to dmz, you need an address translation with either a static or nat/global, or, if you don't want to translate, you need to include the client in NAT 0. For more information on NAT, check out http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b6e1a.shtml
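The configuration below is an added example, not part of the question or the reply, that lays out the two choices the reply names (a static, or NAT exemption with nat 0) next to the question's own outside-to-DMZ static, using the addresses from the question. It assumes a PIX 6.x image (no stateful ICMP inspection), /24 subnets on each interface, and that a "!" line is a reader comment; the diagnosis in the last comment block is an assumption that fits the reported symptom, not something the page confirms.

```text
! Added example (not from the original post). Assumed layout: outside 10.1.1.0/24,
! DMZ 10.1.2.0/24, inside 10.1.3.0/24, PIX 6.x software.
!
! --- Outside -> DMZ: DMZ host 10.1.2.2 is reachable from outside as 10.1.1.3
!     (both lines are from the question; the "echo" keyword narrows the permit
!     to echo requests only)
static (DMZ,outside) 10.1.1.3 10.1.2.2 netmask 255.255.255.255
access-list 101-out permit icmp any host 10.1.1.3 echo
access-group 101-out in interface outside
!
! --- DMZ -> inside, option 1 (the reply's "static"): inside host 10.1.3.2 is
!     reachable from the DMZ as 10.1.2.4 (line from the question)
static (inside,DMZ) 10.1.2.4 10.1.3.2 netmask 255.255.255.255
!
! --- DMZ -> inside, option 2 (the reply's "NAT 0"): no translation at all.
!     Exempts inside<->DMZ traffic from NAT so DMZ hosts reach 10.1.3.x directly.
!     Use one option or the other for a given host pair; with option 2 the
!     101-dmz permit below would name host 10.1.3.2 instead of 10.1.2.4.
! access-list nonat permit ip 10.1.3.0 255.255.255.0 10.1.2.0 255.255.255.0
! nat (inside) 0 access-list nonat
!
! --- Access list on the DMZ interface.
!     Assumption: once an access-group is bound to DMZ, the default permit for
!     traffic leaving a higher-security interface no longer applies, and PIX 6.x
!     does not track ICMP state, so the list must also allow the echo-replies
!     that 10.1.2.2 sends back toward outside pingers. Without the second line,
!     outside -> DMZ ping breaks as soon as 101-dmz is applied, which matches
!     the symptom in the question.
access-list 101-dmz permit icmp any host 10.1.2.4 echo
access-list 101-dmz permit icmp host 10.1.2.2 any echo-reply
access-group 101-dmz in interface DMZ
!
! --- Inside -> DMZ/outside needs a nat/global pair (per the reply); the
!     question already has nat (outside) 1 0 0 and nat (DMZ) 1 0 0.
nat (inside) 1 0 0
global (DMZ) 1 interface
global (outside) 1 interface
```

Keeping the 101-dmz permits to the exact ICMP types and hosts needed, rather than "icmp any any", preserves the DMZ as a contained zone while still letting the monitoring pings through.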