DMZ cannot Browse internet or Ping Inside !!!

Posted on 2003-12-08
Last Modified: 2010-05-18
Hi, I have A pix 515UR with Version 6.20 and working on a simple setup.

Pix to DMZ

Inside Netowrk can Ping the DMZ on ip
Inside Network can Browse Internet.

DMZ cannot Ping Inside Servers/Network
DMZ cannot browse Internet UNTILL allow TCP any, and UDP domain Protocol. !!!

How do I enable Ping from DMZ to Inside Full Network.
Is it as such normal to allow tcp ports for allowing browsing of DMZ or something amiss. PLEASE ADVISE.

Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.1(1)

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname KA-PIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
name KAWAN
access-list outside_access_dmz permit icmp any any
access-list outside_access_dmz permit tcp host KAWAN any
access-list outside_access_dmz permit udp host KAWAN any eq domain
access-list outside_access_dmz deny ip any any
access-list outside_access_in permit tcp any host X.Y.Z.54 eq smtp
access-list outside_access_in permit tcp any host X.Y.Z.54 eq www
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host X.Y.Z.54 eq ftp
access-list outside_access_in permit tcp any host X.Y.Z.54 eq domain
access-list outside_access_in deny ip any any
pager lines 24
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside X.Y.Z.50
ip address inside
ip address intf2
ip address intf3
ip address intf4
ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside
failover ip address inside
failover ip address intf2
failover ip address intf3
failover ip address intf4
failover ip address intf5
pdm location inside
pdm location inside
pdm location KAWAN intf2
pdm history enable
arp timeout 14400
global (outside) 1 X.Y.Z.51-X.Y.Z.53 netmask
global (intf2) 1
nat (inside) 1 0 0
nat (intf2) 1 0 0
static (intf2,outside) X.Y.Z.54 KAWAN netmask 0 0
access-group outside_access_in in interface outside
access-group outside_access_dmz in interface intf2
route outside X.Y.Z.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
http inside
http KAWAN intf2
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet inside
telnet timeout 5
Question by:ansour

Expert Comment

ID: 9901897
The purpose of the DMZ is to isolate private services from public ones. HTTP and such might be fine in the DMZ, but I'd suggest that you need a rule simlar to:

(for the ping - obviously I don't know the syntax for the rule)

allow icmp to lan from dmz

It would be better if you could just specify an IP range to and from, or a range of ports.

** Note, you cannot PING a private network from an outside subnet without using NAT/PAT. If the network you are pinging from is, you can't ping, unless you use nat or port forwarding. For NAT, if you had a public interface with, and you wanted to hit an internal web server at, then you could tell the firewall/router to forward packets on port 80 to

For the OUTBOUND TCP/UDP from the DMZ, it is usually OK to allow outbound traffic. It's best not to do this, because if your network was compromised, a system could be used in DDoS or other zombie-based attacks.

This might not be the exact info you were looking for- but maybe it will help.

LVL 18

Accepted Solution

chicagoan earned 50 total points
ID: 9902053
change snmp-server community public, please
if you're not using snmp
no snmp-server
or change the community

DMZ cannot Ping Inside Servers/Network
How do I enable Ping from DMZ to Inside Full Network.
create an access list for the host you want to ping and bind it
access-list from-dmz-coming-in permit icmp host DMZHOST host INTERNALNTPHOST eq icmp
access-group from-dmz-coming-in in interface dmz

>DMZ cannot browse Internet UNTILL allow TCP any, and UDP domain Protocol. !!!
>Is it as such normal to allow tcp ports for allowing browsing of DMZ or something amiss.
I don't see your "outbound X0 permit statments" - deny any is implied
tcp "any" might be overkill  - open the ports you need, including DNS

Author Comment

ID: 9941268
Hi Guys,
A study revealed once you apply an access-list to a dmz interface the implicit
outbound rule is void so in order for inside clients to go out the following two lines
are require as a minimum.

access-list outside_access_dmz permit tcp host KAWAN any eq 80
access-list outside_access_dmz permit udp host KAWAN any eq domain

  * Though in mycase it does not work untill I enable " tcp host KAWAN any any"

But If you remove the access-group statement from the DMZ the implicit outbound
rule will be in effect again from dmz to outside ( where in I get internet access without any problem :D ) but you will not be able to access the internal network.

Well thats for now , any way thank you for all your Inputs.

Let me accept the above answer of chicagoan.



Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Enterprise Password Manager Suites as well as Local Password managers are covered in this article.
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question