Only one side can ping through ASA???

trainerbrian85
Level 1
Hello, over the last couple of days I have been setting up a test network that I am going to use for penetration testing but have gotten stuck completing the final connection.

http://s17.postimg.org/dy3vl9ajz/network.jpg

I have full connectivity between all areas of the network except the Workstation (10.3.1.50) cannot ping any of the internal servers (Domain Controller, Syslog, SQL, etc). However, when issuing pings from the internal servers to the Workstation, all of them succeed.

Successful ping from Domain Controller (10.3.2.4) to Workstation (10.3.1.50):
http://s30.postimg.org/u5p5077xd/dcping.jpg

Failed ping from Workstation (10.3.1.50) to Domain Controller (10.3.2.4):
http://s12.postimg.org/5vs7hddal/pingfail.jpg

ASA1 Configuration

ASA Version 8.4(2)
!
hostname ASA
enable password
!
interface GigabitEthernet0
 nameif workstations
 security-level 100
 ip address 10.3.1.2 255.255.255.0
!
interface GigabitEthernet1
 nameif outside
 security-level 100
 ip address 172.1.0.3 255.255.255.0
!
interface GigabitEthernet2
 nameif DMZ
 security-level 100
 ip address 10.4.2.3 255.255.255.0
!
interface GigabitEthernet3
 nameif inside
 security-level 100
 ip address 172.17.0.3 255.255.255.0
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network dmz-net
 subnet 10.4.2.0 255.255.255.0
object network workstations
 subnet 10.3.1.0 255.255.255.0
object network internal-out
 subnet 172.17.0.0 255.255.255.0
access-list outside_access_in extended permit ip any any
pager lines 24
mtu workstations 1500
mtu outside 1500
mtu DMZ 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network dmz-net
 nat (DMZ,outside) dynamic interface
object network workstations
 nat (workstations,outside) dynamic interface
object network internal-out
 nat (inside,outside) dynamic interface
access-group outside_access_in global
route outside 0.0.0.0 0.0.0.0 172.1.0.2 1
route outside 10.3.2.0 255.255.255.0 172.17.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 10
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable

SW1 Configuration

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VLAN_SW1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip routing
no ip icmp rate-limit unreachable
no ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
vtp mode transparent
archive
 log config
  hidekeys
!
vlan 3,6,99
!
ip tcp synwait-time 5
ip ssh version 1
!
interface FastEthernet0/0
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
 switchport mode trunk
 speed 100
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
 switchport mode trunk
 speed 100
!
interface FastEthernet1/15
 switchport mode trunk
 speed 100
!
interface Vlan1
 no ip address
 no ip route-cache
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.17.0.3
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end

ASA2 Configuration

ASA Version 8.4(2)
!
hostname ASA2
!
interface GigabitEthernet0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0.1
 vlan 6
 nameif vlan6
 security-level 100
 ip address 10.3.2.2 255.255.255.0
!
interface GigabitEthernet0.2
 vlan 4
 nameif vlan4
 security-level 100
 ip address 10.4.1.2 255.255.255.0
!
interface GigabitEthernet0.3
 vlan 99
 nameif vlan99
 security-level 100
 ip address 10.99.1.2 255.255.255.0
!
interface GigabitEthernet1
 nameif outside
 security-level 100
 ip address 172.17.0.2 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network core-servers
 subnet 10.3.2.0 255.255.255.0
object network dist-servers
 subnet 10.4.1.0 255.255.255.0
object network management
 subnet 10.99.1.0 255.255.255.0
object network workstations
 subnet 10.3.1.0 255.255.255.0
access-list outside_access_in extended permit ip any any
pager lines 24
mtu vlan6 1500
mtu vlan4 1500
mtu vlan99 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network core-servers
 nat (vlan6,outside) dynamic interface
object network dist-servers
 nat (vlan4,outside) dynamic interface
object network management
 nat (vlan99,outside) dynamic interface
access-group outside_access_in global
route outside 0.0.0.0 0.0.0.0 172.17.0.3 1
route outside 10.3.1.0 255.255.255.0 172.17.0.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.99.1.0 255.255.255.0 vlan99
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 10.99.1.0 255.255.255.0 vlan99
ssh timeout 10
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:9eae54d930f4597bb9335da9ef7e98cc
: end

SW_INT Configuration

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW_INT
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip routing
no ip icmp rate-limit unreachable
no ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
vtp mode transparent
archive
 log config
  hidekeys
!
vlan 3-4,6,99
!
ip tcp synwait-time 5
ip ssh version 1
!
interface FastEthernet0/0
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
 switchport access vlan 6
 duplex full
 speed 100
!
interface FastEthernet1/4
 switchport access vlan 4
 duplex full
 speed 100
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
 switchport access vlan 99
 duplex full
 speed 100
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
 switchport mode trunk
!
interface Vlan1
 no ip address
 no ip route-cache
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end
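A check worth running on a config like the one above, as an added example that is not part of the original post: the script below parses the `nameif`, `ip address` and `route` lines of an ASA running-config and flags any static route whose next hop does not sit on the subnet of the interface the route names, since the firewall would have to ARP for that next hop on an interface where the address does not live. The embedded excerpt is taken from the ASA1 config quoted in the post; the parser assumes IPv4 and handles only those three line types.

```python
# Added example: static-route sanity check for a Cisco ASA running-config.
import ipaddress
import re

# Interface and route lines excerpted from the ASA1 config quoted in the post.
ASA1_EXCERPT = """
nameif workstations
 ip address 10.3.1.2 255.255.255.0
nameif outside
 ip address 172.1.0.3 255.255.255.0
nameif inside
 ip address 172.17.0.3 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.1.0.2 1
route outside 10.3.2.0 255.255.255.0 172.17.0.2 1
"""

def parse_asa(text):
    """Return ({nameif: connected network}, [(nameif, network, next_hop)])."""
    ifaces, routes, name = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"nameif (\S+)$", line):
            name = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and name:
            ifaces[name] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}").network
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            routes.append((m[1], ipaddress.IPv4Network(f"{m[2]}/{m[3]}"),
                           ipaddress.IPv4Address(m[4])))
    return ifaces, routes

def offlink_routes(ifaces, routes):
    """Routes whose next hop is off-link; last field = interface that holds it."""
    findings = []
    for iface, net, nh in routes:
        if nh not in ifaces[iface]:
            actual = next((n for n, sub in ifaces.items() if nh in sub), None)
            findings.append((iface, str(net), str(nh), actual))
    return findings

def egress_for(ifaces, routes, dst):
    """Longest-prefix match over connected subnets and static routes."""
    dst = ipaddress.IPv4Address(dst)
    cands = [(sub.prefixlen, n, None) for n, sub in ifaces.items() if dst in sub]
    cands += [(net.prefixlen, i, str(nh)) for i, net, nh in routes if dst in net]
    _, iface, nh = max(cands, key=lambda c: c[0])  # nh None means connected
    return iface, nh

if __name__ == "__main__":
    ifs, rts = parse_asa(ASA1_EXCERPT)
    for f in offlink_routes(ifs, rts):
        print("off-link next hop: route %s %s via %s (that address is on %r)" % f)
```

On the ASA1 excerpt it reports the 10.3.2.0/24 route, whose next hop 172.17.0.2 belongs to the inside interface's subnet rather than outside's, which matches the direction in which the ping fails.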