i cant ping to my DMZ zone from the local inside PC

Posted by Big Denzel on Server Fault See other posts from Server Fault or by Big Denzel
Published on 2011-03-29T13:23:21Z Indexed on 2012/03/29 23:32 UTC
Read the original article Hit count: 323

Filed under:
|
|

HI everybody.

Can anyone please help me on the following issue. I got a Cisco Asa 5520 configured at my network.

I cant ping to my DMZ interface from a local inside network PC. so the only way a ping the DMZ is right from the Cisco ASA firewall, there i can pint to all 3 interfaces, Inside, Outside and DMZ,,,,

But no PC from the Inside Network can access the DMZ.

Can please any one help?

I thank you all in advance

Bellow is my Cisco ASA 5520 Firewall show run;

ASA-FW# sh run
: Saved
:
ASA Version 7.0(8)
!
hostname ASA-FW
enable password      encrypted
passwd                encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description "Link-To-GW-Router"
 nameif outside
 security-level 0
 ip address 41.223.156.109 255.255.255.248
!
interface GigabitEthernet0/1
 description "Link-To-Local-LAN"
 nameif inside
 security-level 100
 ip address 10.1.4.1 255.255.252.0
!
interface GigabitEthernet0/2
 description "Link-To-DMZ"
 nameif dmz
 security-level 50
 ip address 172.16.16.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description "Local-Management-Interface"
 no nameif
 no security-level
 ip address 192.168.192.1 255.255.255.0
!
ftp mode passive
access-list OUT-TO-DMZ extended permit tcp any host 41.223.156.107 eq smtp
access-list OUT-TO-DMZ extended permit tcp any host 41.223.156.106 eq www
access-list OUT-TO-DMZ extended permit icmp any any log
access-list OUT-TO-DMZ extended deny ip any any
access-list inside extended permit tcp any any eq pop3
access-list inside extended permit tcp any any eq smtp
access-list inside extended permit tcp any any eq ssh
access-list inside extended permit tcp any any eq telnet
access-list inside extended permit tcp any any eq https
access-list inside extended permit udp any any eq domain
access-list inside extended permit tcp any any eq domain
access-list inside extended permit tcp any any eq www
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list dmz extended permit ip any any
access-list dmz extended permit icmp any any
access-list cap extended permit ip 10.1.4.0 255.255.252.0 172.16.16.0 255.255.25
5.0
access-list cap extended permit ip 172.16.16.0 255.255.255.0 10.1.4.0 255.255.25
2.0
no pager
logging enable
logging buffer-size 5000
logging monitor warnings
logging trap warnings
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp 41.223.156.106 www 172.16.16.80 www netmask 255.255.255
.255
static (dmz,outside) tcp 41.223.156.107 smtp 172.16.16.25 smtp netmask 255.255.2
55.255
static (inside,dmz) 10.1.0.0 10.1.16.0 netmask 255.255.252.0
access-group OUT-TO-DMZ in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 41.223.156.108 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.1.4.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
!
!
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:
: end
ASA-FW#

Please Help.

Big Denzel

© Server Fault or respective owner

Related posts about firewall

Related posts about cisco