ASA5520 Cannot ping from inside to dmz

Asked by pjmcdougall (Australia) in Cisco
I am pinging from 2 different desktop computers (10.0.110.10 and 10.0.10.200), both on the inside LAN, to the DMZ interface 10.100.21.253. Neither computer can ping it. Sample output from the ASA logs:

%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302021: Teardown ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302020: Built outbound ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302021: Teardown ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302020: Built outbound ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0

ASA Version 8.0(5)
!
hostname FBNECOLO5520-01
names
!
interface GigabitEthernet0/0
 description Internet interface
 nameif outside
 security-level 0
 ip address 100.1.1.1 255.255.255.0
 ospf database-filter all out
!
interface GigabitEthernet0/1
 description Redundant physical interface bound to logical interface "redundant 1"
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 description Redundant physical interface bound to logical interface "redundant 1"
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description SBNECOLO4506-01 gi2/24
 nameif inside
 security-level 100
 ip address 10.100.15.249 255.255.255.0
 ospf retransmit-interval 2
 ospf hello-interval 1
 ospf dead-interval 15
 ospf message-digest-key 1 md5 <removed>
 ospf authentication message-digest
!
interface Management0/0
 no nameif
 no security-level
 no ip address
!
interface Redundant1
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/2
 nameif web-dmz
 security-level 50
 ip address 10.100.21.253 255.255.255.0
!
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list web-dmz_access_in extended permit ip 10.100.21.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list web-dmz_access_in extended permit ip 10.100.21.0 255.255.255.0 10.0.110.0 255.255.255.0
access-list web-dmz_access_in extended permit ip 10.100.21.0 255.255.255.0 10.100.15.0 255.255.255.0
!
ip verify reverse-path interface web-dmz
ip audit attack action alarm drop
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any outside
icmp permit any inside
icmp permit any web-dmz
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,web-dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group web-dmz_access_in in interface web-dmz
!
router ospf 10
 router-id 10.100.15.249
 network 10.100.15.249 255.255.255.255 area 0
 network 10.100.21.0 255.255.255.0 area 0
 area 0 authentication message-digest
 timers spf 10 500
 log-adj-changes detail
 redistribute connected subnets
!
route outside 0.0.0.0  0.0.0.0  100.1.1.2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
: end
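As an added example (not part of the question or of the accepted answer), here is a small Python parser for the %ASA-6-302020/302021 ICMP connection messages shown above. It groups the messages into (faddr, laddr) flows, counts Built/Teardown events with the direction the ASA assigned, and names the interface whenever the local address is one of the ASA's own interface IPs from the posted configuration, which is the case for the ping to 10.100.21.253. INTERFACE_IPS is copied from the config and SAMPLE_LOG from the log excerpt; the function and variable names are mine.

```python
import re
from collections import defaultdict

# ASA syslog 302020 (Built) / 302021 (Teardown) ICMP connection messages.
# Teardown lines carry no inbound/outbound word, so that group is optional.
ICMP_CONN_RE = re.compile(
    r"%ASA-\d-30202[01]: (?P<event>Built|Teardown) "
    r"(?:(?P<direction>inbound|outbound) )?ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/(?P<fid>\d+) gaddr (?P<gaddr>[\d.]+)/\d+ "
    r"laddr (?P<laddr>[\d.]+)/\d+"
)

# Interface addresses taken from the posted configuration (nameif -> ip address).
INTERFACE_IPS = {"outside": "100.1.1.1", "inside": "10.100.15.249", "web-dmz": "10.100.21.253"}

# Sample lines copied from the log excerpt in the question above.
SAMPLE_LOG = [
    "%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0",
    "%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0",
    "%ASA-6-302021: Teardown ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512",
    "%ASA-6-302020: Built outbound ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512",
    "%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0",
    "%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0",
]


def parse_line(line):
    """Return the message fields as a dict, or None for lines that are not 30202x ICMP messages."""
    m = ICMP_CONN_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines, interface_ips):
    """Group messages into (faddr, laddr) flows, count Built/Teardown events, record the
    direction the ASA assigned, and name the interface when laddr is the firewall itself."""
    ip_to_ifname = {ip: name for name, ip in interface_ips.items()}
    flows = defaultdict(lambda: {"built": 0, "teardown": 0, "directions": set(),
                                 "to_firewall_interface": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated syslog line
        flow = flows[(rec["faddr"], rec["laddr"])]
        if rec["event"] == "Built":
            flow["built"] += 1
            flow["directions"].add(rec["direction"])
        else:
            flow["teardown"] += 1
        flow["to_firewall_interface"] = ip_to_ifname.get(rec["laddr"])
    return dict(flows)
```

Calling summarize(SAMPLE_LOG, INTERFACE_IPS) shows the inside host's echo requests terminating on the web-dmz interface address itself rather than on a host behind it, which is the first thing to separate from an access-list or NAT problem when reading these logs.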
ASKER CERTIFIED SOLUTION
Ernie Beek
Senior infrastructure engineer