ASA5520 Cannot ping from inside to dmz
I am pinging from 2 different desktop computers (10.0.110.10 and 10.0.10.200) both on the inside lan to the DMZ interface 10.100.21.253 . Both computers cannot ping. Sample output from ASA logs:
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302021: Teardown ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302020: Built outbound ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302021: Teardown ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302020: Built outbound ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
ASA Version 8.0(5)
!
hostname FBNECOLO5520-01
names
!
interface GigabitEthernet0/0
description Internet interface
nameif outside
security-level 0
ip address 100.1.1.1 255.255.255.0
ospf database-filter all out
!
interface GigabitEthernet0/1
description Redundant physical interface bound to logical interface "redundant 1"
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
description Redundant physical interface bound to logical interface "redundant 1"
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description SBNECOLO4506-01 gi2/24
nameif inside
security-level 100
ip address 10.100.15.249 255.255.255.0
ospf retransmit-interval 2
ospf hello-interval 1
ospf dead-interval 15
ospf message-digest-key 1 md5 <removed>
ospf authentication message-digest
!
interface Management0/0
no nameif
no security-level
no ip address
!
interface Redundant1
member-interface GigabitEthernet0/1
member-interface GigabitEthernet0/2
nameif web-dmz
security-level 50
ip address 10.100.21.253 255.255.255.0
!
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list web-dmz_access_in extended permit ip 10.100.21.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list web-dmz_access_in extended permit ip 10.100.21.0 255.255.255.0 10.0.110.0 255.255.255.0
access-list web-dmz_access_in extended permit ip 10.100.21.0 255.255.255.0 10.100.15.0 255.255.255.0
!
ip verify reverse-path interface web-dmz
ip audit attack action alarm drop
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any outside
icmp permit any inside
icmp permit any web-dmz
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,web-dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group web-dmz_access_in in interface web-dmz
!
router ospf 10
router-id 10.100.15.249
network 10.100.15.249 255.255.255.255 area 0
network 10.100.21.0 255.255.255.0 area 0
area 0 authentication message-digest
timers spf 10 500
log-adj-changes detail
redistribute connected subnets
!
route outside 0.0.0.0 0.0.0.0 100.1.1.2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
: end
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302021: Teardown ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302020: Built outbound ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302021: Teardown ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302020: Built outbound ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
ASA Version 8.0(5)
!
hostname FBNECOLO5520-01
names
!
interface GigabitEthernet0/0
description Internet interface
nameif outside
security-level 0
ip address 100.1.1.1 255.255.255.0
ospf database-filter all out
!
interface GigabitEthernet0/1
description Redundant physical interface bound to logical interface "redundant 1"
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
description Redundant physical interface bound to logical interface "redundant 1"
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description SBNECOLO4506-01 gi2/24
nameif inside
security-level 100
ip address 10.100.15.249 255.255.255.0
ospf retransmit-interval 2
ospf hello-interval 1
ospf dead-interval 15
ospf message-digest-key 1 md5 <removed>
ospf authentication message-digest
!
interface Management0/0
no nameif
no security-level
no ip address
!
interface Redundant1
member-interface GigabitEthernet0/1
member-interface GigabitEthernet0/2
nameif web-dmz
security-level 50
ip address 10.100.21.253 255.255.255.0
!
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list web-dmz_access_in extended permit ip 10.100.21.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list web-dmz_access_in extended permit ip 10.100.21.0 255.255.255.0 10.0.110.0 255.255.255.0
access-list web-dmz_access_in extended permit ip 10.100.21.0 255.255.255.0 10.100.15.0 255.255.255.0
!
ip verify reverse-path interface web-dmz
ip audit attack action alarm drop
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any outside
icmp permit any inside
icmp permit any web-dmz
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,web-dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group web-dmz_access_in in interface web-dmz
!
router ospf 10
router-id 10.100.15.249
network 10.100.15.249 255.255.255.255 area 0
network 10.100.21.0 255.255.255.0 area 0
area 0 authentication message-digest
timers spf 10 500
log-adj-changes detail
redistribute connected subnets
!
route outside 0.0.0.0 0.0.0.0 100.1.1.2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
: end
Ernie Beek
and if you add: access-list web-dmz_access_in extended permit icmp any any ?
ASKER
I thought "ip" covered icmp? Anyway I have now added it but no luck. As you can see I can ping the inside interface but not the dmz interface:
C:\WINDOWS>ping 10.100.15.249
Pinging 10.100.15.249 with 32 bytes of data:
Reply from 10.100.15.249: bytes=32 time<1ms TTL=253
Reply from 10.100.15.249: bytes=32 time<1ms TTL=253
Reply from 10.100.15.249: bytes=32 time<1ms TTL=253
Reply from 10.100.15.249: bytes=32 time<1ms TTL=253
Ping statistics for 10.100.15.249:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\WINDOWS>ping 10.100.21.253
Pinging 10.100.21.253 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.100.21.253:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\WINDOWS>ping 10.100.15.249
Pinging 10.100.15.249 with 32 bytes of data:
Reply from 10.100.15.249: bytes=32 time<1ms TTL=253
Reply from 10.100.15.249: bytes=32 time<1ms TTL=253
Reply from 10.100.15.249: bytes=32 time<1ms TTL=253
Reply from 10.100.15.249: bytes=32 time<1ms TTL=253
Ping statistics for 10.100.15.249:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\WINDOWS>ping 10.100.21.253
Pinging 10.100.21.253 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.100.21.253:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
ASKER
Just incase someone ask me is the routing ok for this subnet on my lan. The below output is from the ASA and it clearly shows the subnets in question:
FBNECOLO5520-01(config)# sh ospf database
OSPF Router with ID (10.100.15.249) (Process ID 10)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
10.100.15.249 10.100.15.249 1607 0x80000051 0x 554 2
192.168.255.25 192.168.255.25 1556 0x800003ca 0x69cf 4
192.168.255.26 192.168.255.26 1136 0x8000036d 0x9194 2
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
10.100.15.252 192.168.255.25 1556 0x80000008 0x48f3
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
10.0.2.0 192.168.255.26 1136 0x8000034e 0x 3bd 0
10.0.3.0 192.168.255.26 1136 0x80000279 0xa4f0 0
10.0.4.0 192.168.255.26 1136 0x80000279 0x99fa 0
10.0.5.0 192.168.255.26 1136 0x80000279 0x8e05 0
10.0.6.0 192.168.255.26 1136 0x80000279 0x830f 0
10.0.7.0 192.168.255.26 1136 0x80000279 0x7819 0
10.0.8.0 192.168.255.26 1136 0x8000034a 0xc8f5 0
10.0.10.0 192.168.255.26 1136 0x8000034f 0xa80f 0
10.0.12.0 192.168.255.26 1136 0x8000034f 0x9223 0
10.0.13.0 192.168.255.26 1136 0x8000034f 0x872d 0
10.0.14.0 192.168.255.26 1136 0x8000034c 0x8234 0
10.0.15.0 192.168.255.26 1136 0x8000034a 0x7b3c 0
10.0.16.0 192.168.255.26 1136 0x8000034a 0x7046 0
10.0.17.0 192.168.255.26 1136 0x8000034f 0x5b55 0
10.0.40.0 192.168.255.26 1136 0x80000349 0x96b7 0
10.0.41.0 192.168.255.26 1136 0x80000349 0x8bc1 0
10.0.42.0 192.168.255.26 1136 0x80000349 0x80cb 0
10.0.43.0 192.168.255.26 1136 0x80000349 0x75d5 0
10.0.44.0 192.168.255.26 1136 0x80000349 0x6adf 0
10.0.100.0 192.168.255.26 1136 0x80000279 0x75be 0
10.0.101.0 192.168.255.26 1136 0x8000034a 0xc59b 0
10.0.102.0 192.168.255.26 1136 0x8000034d 0xb4a8 0
10.0.103.0 192.168.255.26 1136 0x8000034f 0xa5b4 0
10.0.104.0 192.168.255.26 1136 0x8000034f 0x9abe 0
10.0.105.0 192.168.255.26 1136 0x8000034f 0x8fc8 0
10.0.106.0 192.168.255.26 1136 0x8000034e 0x86d1 0
10.0.107.0 192.168.255.26 1136 0x8000034b 0x81d8 0
10.0.108.0 192.168.255.26 1136 0x8000034a 0x78e1 0
10.0.109.0 192.168.255.26 1136 0x8000034a 0x6deb 0
10.0.110.0 192.168.255.26 1136 0x8000034f 0x58fa 0
10.0.120.0 192.168.255.26 1136 0x80000279 0x9887 0
---- cut ----
Thks for looking :)
FBNECOLO5520-01(config)# sh ospf database
OSPF Router with ID (10.100.15.249) (Process ID 10)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
10.100.15.249 10.100.15.249 1607 0x80000051 0x 554 2
192.168.255.25 192.168.255.25 1556 0x800003ca 0x69cf 4
192.168.255.26 192.168.255.26 1136 0x8000036d 0x9194 2
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
10.100.15.252 192.168.255.25 1556 0x80000008 0x48f3
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
10.0.2.0 192.168.255.26 1136 0x8000034e 0x 3bd 0
10.0.3.0 192.168.255.26 1136 0x80000279 0xa4f0 0
10.0.4.0 192.168.255.26 1136 0x80000279 0x99fa 0
10.0.5.0 192.168.255.26 1136 0x80000279 0x8e05 0
10.0.6.0 192.168.255.26 1136 0x80000279 0x830f 0
10.0.7.0 192.168.255.26 1136 0x80000279 0x7819 0
10.0.8.0 192.168.255.26 1136 0x8000034a 0xc8f5 0
10.0.10.0 192.168.255.26 1136 0x8000034f 0xa80f 0
10.0.12.0 192.168.255.26 1136 0x8000034f 0x9223 0
10.0.13.0 192.168.255.26 1136 0x8000034f 0x872d 0
10.0.14.0 192.168.255.26 1136 0x8000034c 0x8234 0
10.0.15.0 192.168.255.26 1136 0x8000034a 0x7b3c 0
10.0.16.0 192.168.255.26 1136 0x8000034a 0x7046 0
10.0.17.0 192.168.255.26 1136 0x8000034f 0x5b55 0
10.0.40.0 192.168.255.26 1136 0x80000349 0x96b7 0
10.0.41.0 192.168.255.26 1136 0x80000349 0x8bc1 0
10.0.42.0 192.168.255.26 1136 0x80000349 0x80cb 0
10.0.43.0 192.168.255.26 1136 0x80000349 0x75d5 0
10.0.44.0 192.168.255.26 1136 0x80000349 0x6adf 0
10.0.100.0 192.168.255.26 1136 0x80000279 0x75be 0
10.0.101.0 192.168.255.26 1136 0x8000034a 0xc59b 0
10.0.102.0 192.168.255.26 1136 0x8000034d 0xb4a8 0
10.0.103.0 192.168.255.26 1136 0x8000034f 0xa5b4 0
10.0.104.0 192.168.255.26 1136 0x8000034f 0x9abe 0
10.0.105.0 192.168.255.26 1136 0x8000034f 0x8fc8 0
10.0.106.0 192.168.255.26 1136 0x8000034e 0x86d1 0
10.0.107.0 192.168.255.26 1136 0x8000034b 0x81d8 0
10.0.108.0 192.168.255.26 1136 0x8000034a 0x78e1 0
10.0.109.0 192.168.255.26 1136 0x8000034a 0x6deb 0
10.0.110.0 192.168.255.26 1136 0x8000034f 0x58fa 0
10.0.120.0 192.168.255.26 1136 0x80000279 0x9887 0
---- cut ----
Thks for looking :)
Well I noticed that sometimes it might help, but not in this case.
I saw something else in your config:
static (inside,web-dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
You might want to change that:
static (inside,web-dmz) 10.100.15.0 10.100.15.0 netmask 255.255.255.0
I saw something else in your config:
static (inside,web-dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
You might want to change that:
static (inside,web-dmz) 10.100.15.0 10.100.15.0 netmask 255.255.255.0
ASKER
My head gets a bit fried with these nats. My lan has 3 subnets:
10.0.10.0/24
10.0.110.0/24
10.100.15.0/24
Should the inside address in your above example cover all 3 subnets? Remember I am pinging from the computers 10.0.10.200 and 10.0.110.10. My 10.100.15.0 subnet is only a management subnet for all my cisco kit.
cheers,
paul
10.0.10.0/24
10.0.110.0/24
10.100.15.0/24
Should the inside address in your above example cover all 3 subnets? Remember I am pinging from the computers 10.0.10.200 and 10.0.110.10. My 10.100.15.0 subnet is only a management subnet for all my cisco kit.
cheers,
paul
ASKER
A bit more info. This is a ping from the ASA to my PC. As expected the web-dmz source failed:
Standard Ping:
FBNECOLO5520-01(config)# ping 10.0.110.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.110.10, timeout is 2 seconds:
!!!!!
Extended Ping:
FBNECOLO5520-01(config)# ping
Interface: web-dmz
Target IP address: 10.0.110.10
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.110.10, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
Standard Ping:
FBNECOLO5520-01(config)# ping 10.0.110.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.110.10, timeout is 2 seconds:
!!!!!
Extended Ping:
FBNECOLO5520-01(config)# ping
Interface: web-dmz
Target IP address: 10.0.110.10
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.110.10, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASKER
Hey erniebeek, I tried your suggestion and now there seems to be a portmap translation error thrown into the mix. Cheers for giving it a go, anything else we can try?
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-3-305006: portmap translation creation failed for icmp src inside:10.0.110.10 dst web-dmz:10.100.21.1 (type 8, code 0)
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-3-305006: portmap translation creation failed for icmp src inside:10.0.110.10 dst web-dmz:10.100.21.1 (type 8, code 0)
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
That's correct, you tried to ping from an address for which we haven't created one yet :)
So try adding:
static (inside,web-dmz) 10.0.10.0 10.0.10.0 netmask 255.255.255.0
static (inside,web-dmz) 10.0.110.0 10.0.110.0 netmask 255.255.255.0
as well
So try adding:
static (inside,web-dmz) 10.0.10.0 10.0.10.0 netmask 255.255.255.0
static (inside,web-dmz) 10.0.110.0 10.0.110.0 netmask 255.255.255.0
as well
ASKER
Hi erniebeek, it doesn't seem to have made any difference :(
My nats are configured as:
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,web-dmz) 10.100.15.0 10.100.15.0 netmask 255.255.255.0
static (inside,web-dmz) 10.0.110.0 10.0.110.0 netmask 255.255.255.0
My nats are configured as:
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,web-dmz) 10.100.15.0 10.100.15.0 netmask 255.255.255.0
static (inside,web-dmz) 10.0.110.0 10.0.110.0 netmask 255.255.255.0
Still missing the
static (inside,web-dmz) 10.0.10.0 10.0.10.0 netmask 255.255.255.0
Then the translations should be ok. Otherwise let me know what shows up in the logs then.
static (inside,web-dmz) 10.0.10.0 10.0.10.0 netmask 255.255.255.0
Then the translations should be ok. Otherwise let me know what shows up in the logs then.
ASKER
Here's something interesting. If I plug a laptop into the DMZ I can ping my PC 10.0.110.10.
I give the laptop the following TCP settings:
IP - 10.100.21.1
Mask - 255.255.255.0
Gate - 10.100.21.253
Good one way but not the other - arrrrrgh!
I give the laptop the following TCP settings:
IP - 10.100.21.1
Mask - 255.255.255.0
Gate - 10.100.21.253
Good one way but not the other - arrrrrgh!
ASKER
Hi erniebeek,
Yep your right but I am now limiting my testing to the one subnet of 10.0.110.0/24. None the less I have also added the other internal subnet as you pointed out:
static (inside,web-dmz) 10.100.15.0 10.100.15.0 netmask 255.255.255.0
static (inside,web-dmz) 10.0.110.0 10.0.110.0 netmask 255.255.255.0
static (inside,web-dmz) 10.0.10.0 10.0.10.0 netmask 255.255.255.0
Logs are still as they were at the beginning of this post.
Yep your right but I am now limiting my testing to the one subnet of 10.0.110.0/24. None the less I have also added the other internal subnet as you pointed out:
static (inside,web-dmz) 10.100.15.0 10.100.15.0 netmask 255.255.255.0
static (inside,web-dmz) 10.0.110.0 10.0.110.0 netmask 255.255.255.0
static (inside,web-dmz) 10.0.10.0 10.0.10.0 netmask 255.255.255.0
Logs are still as they were at the beginning of this post.
Just thinking hard here.
You cannot ping the DMZ interface...... but can you ping anything in the DMZ?
You pinged your station from a laptop in the DMZ, can you ping the laptop from your station?
You cannot ping the DMZ interface...... but can you ping anything in the DMZ?
You pinged your station from a laptop in the DMZ, can you ping the laptop from your station?
ASKER
No I tried that. I cannot ping the laptop from my PC.
PC can ping the inside interface (obviously because I am telneted into the ASA) but cannot ping the DMZ interface or anything behind the DMZ.
PC can ping the inside interface (obviously because I am telneted into the ASA) but cannot ping the DMZ interface or anything behind the DMZ.
ASKER
Here is a quick diagram of my topology, hope it helps.
Topology.gif
Topology.gif
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi erniebeek,
All your assumptions are correct.
Pinging from the core router (cisco 4506) is same as from my PC - nothin!
All your assumptions are correct.
Pinging from the core router (cisco 4506) is same as from my PC - nothin!
Been looking at the logs and see something funny. Do you know what the 10.100.21.1is?
ASKER
Yup, it's my laptop in the DMZ remember :)
IP - 10.100.21.1
Mask - 255.255.255.0
Gate - 10.100.21.253
IP - 10.100.21.1
Mask - 255.255.255.0
Gate - 10.100.21.253
ASKER
More info, nothing wrong just an observation:
The attached image is a snap of the ASDM logs (as opposed to the ASA logs) and here you can see the laptop trying to do DNS lookup to 139.130.4.4 and 10.0.2.1.
The pass to 139.130.4.4 failed because no access-list permitting and the pass to 10.0.2.1 failed because we have not put a nat in for this subnet (yes it's another subnet on the trusted but irrelevant to our problems here)
ASDM-log.gif
The attached image is a snap of the ASDM logs (as opposed to the ASA logs) and here you can see the laptop trying to do DNS lookup to 139.130.4.4 and 10.0.2.1.
The pass to 139.130.4.4 failed because no access-list permitting and the pass to 10.0.2.1 failed because we have not put a nat in for this subnet (yes it's another subnet on the trusted but irrelevant to our problems here)
ASDM-log.gif
ASKER
I think we got it !!!
The laptop had it's firewall turned on (damn SOE). I have since turned it off and I can now ping it from the trusted network.
I still would have been chasing my tail though because I did not know about the "closest interface" rule ie: the one facing you. First I've heard about that. This would explain why my pings are still not responding to the DMZ interface of 10.100.21.253.
Is that correct erniebeek?
The laptop had it's firewall turned on (damn SOE). I have since turned it off and I can now ping it from the trusted network.
I still would have been chasing my tail though because I did not know about the "closest interface" rule ie: the one facing you. First I've heard about that. This would explain why my pings are still not responding to the DMZ interface of 10.100.21.253.
Is that correct erniebeek?
That correct, the only exception is when you connect through a vpn and issue ' management-access' on it.
Glad you figured it out (and thanks to MS :-( ).
Glad you figured it out (and thanks to MS :-( ).
Pleasure working with you :)
Just one question, did you intend to close the question the way you did?
Though I'm doing this for fun and to steepen my learning curve, points are always nice to have ;)
Just one question, did you intend to close the question the way you did?
Though I'm doing this for fun and to steepen my learning curve, points are always nice to have ;)
ASKER
Likewise I really appreciated your help. This was my 1st time on ExpertsExchange (1 month trial), how do I allocate points to you? Please advise and I would be more than happy to comply with ANY requirement.
Just ask a moderator.
I'll hit the object button and someone will have a look and help us out.
First time eh? Hope to see you back again :)
I'll hit the object button and someone will have a look and help us out.
First time eh? Hope to see you back again :)
ASKER
Hi alias99,
I did not see the option "Accept and Award Points" only "Accept Solution". I would like to award erniebeek 500 points for his trouble. Without his comment: "you can only ping the ASA interface that is facing you" + other troubleshooting I may never have solved the issue.
Can you please assist by awarding these points from my account to erniebeek?
Kind Regards,
Paul
I did not see the option "Accept and Award Points" only "Accept Solution". I would like to award erniebeek 500 points for his trouble. Without his comment: "you can only ping the ASA interface that is facing you" + other troubleshooting I may never have solved the issue.
Can you please assist by awarding these points from my account to erniebeek?
Kind Regards,
Paul
One way or another we always are able to get things right (with a bit of help from the mods :)
Thx for the points.
Thx for the points.