
Can't ping DMZ interface

Scott Pazelt
Level 1

This is a little breakdown of our network.

Inside network points to an IP on a layer 3 switch (10.150.55.1/24) for a default gateway.

DMZ network points to an IP on an ASA (172.16.1.1/24) for their default gateway.

Layer 3 switch has the ASA (10.150.1.254) for its DG.

From the inside network, we can ping things in the DMZ, but can't ping the actual DMZ interface.

From the DMZ network, we can ping the DMZ interface.

Can anyone explain to me why I wouldn't be able to ping the DMZ interface from the inside?

Thanks,

Scott


6 Replies

Phillip Remaker
Cisco Employee

Look at the "management-access" command.  Traffic terminating on the ASA is subjected to different rules than transit traffic.

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/m_72.html#wp1794331

Thanks for the response.

The management access interface is set to inside.

I just can't figure out why I can ping the 172.16.1.1 interface from a server on that network, but I can't from a server on the 10.150.1.0 network. It appears that it's accepting pings.

Thanks.

Transit traffic and terminating traffic (also called control plane traffic) are treated differently.

See:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_nw.html

Access control rules for to-the-box management traffic (defined by such commands as http, ssh, or telnet) have higher precedence than an access list applied with the control-plane option. Therefore, such permitted management traffic will be allowed to come in even if explicitly denied by the to-the-box access list.

Interesting. So this is expected behavior?

Is there no way to make this interface pingable from a different subnet?

Thanks.

It is the expected behavior.  Since the DMZ is a lower security than the inside network, return traffic originating from that interface will be blocked by default unless an access list is in place.

I'm not sure about the details without seeing your configuration, but you probably need to explicitly allow ICMP from the control plane DMZ to the inside.  I don't recall exactly how, but the key is to remember that transit traffic and terminating traffic are subjected to different rules.

Makes sense. Thanks a lot.