ASA5520 Cannot ping from inside to dmz

I am pinging from 2 different desktop computers (10.0.110.10 and 10.0.10.200) both on the inside lan to the DMZ interface 10.100.21.253 .  Both computers cannot ping. Sample output from ASA logs:

%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302021: Teardown ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302020: Built outbound ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302021: Teardown ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302020: Built outbound ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0

ASA Version 8.0(5)
!
hostname FBNECOLO5520-01
names
!
interface GigabitEthernet0/0
 description Internet interface
 nameif outside
 security-level 0
 ip address 100.1.1.1 255.255.255.0
 ospf database-filter all out
!
interface GigabitEthernet0/1
 description Redundant physical interface bound to logical interface "redundant 1"
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 description Redundant physical interface bound to logical interface "redundant 1"
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description SBNECOLO4506-01 gi2/24
 nameif inside
 security-level 100
 ip address 10.100.15.249 255.255.255.0
 ospf retransmit-interval 2
 ospf hello-interval 1
 ospf dead-interval 15
 ospf message-digest-key 1 md5 <removed>
 ospf authentication message-digest
!
interface Management0/0
 no nameif
 no security-level
 no ip address
!
interface Redundant1
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/2
 nameif web-dmz
 security-level 50
 ip address 10.100.21.253 255.255.255.0
!
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list web-dmz_access_in extended permit ip 10.100.21.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list web-dmz_access_in extended permit ip 10.100.21.0 255.255.255.0 10.0.110.0 255.255.255.0
access-list web-dmz_access_in extended permit ip 10.100.21.0 255.255.255.0 10.100.15.0 255.255.255.0
!
ip verify reverse-path interface web-dmz
ip audit attack action alarm drop
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any outside
icmp permit any inside
icmp permit any web-dmz
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,web-dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group web-dmz_access_in in interface web-dmz
!
router ospf 10
 router-id 10.100.15.249
 network 10.100.15.249 255.255.255.255 area 0
 network 10.100.21.0 255.255.255.0 area 0
 area 0 authentication message-digest
 timers spf 10 500
 log-adj-changes detail
 redistribute connected subnets
!
route outside 0.0.0.0  0.0.0.0  100.1.1.2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
: end
pjmcdougallAsked:
Who is Participating?
 
Ernie BeekConnect With a Mentor ExpertCommented:
Weird.

I just remembered (I am SO stupid), you can only ping the ASA interface that is facing you....

That still doesn't account for the loss of ping in the DMZ.

Resuming:
-you can ping from the DMZ to the internal network.
-you cannot ping from the internal network to the DMZ
-when you ping from the inside, the only thing you (still) are seeing on the ASA is the built and teardown of the icmp.

Just saw your diagram. What happens if you ping from the router (10.100.15.252) to the DMZ (laptop)?
0
 
Ernie BeekExpertCommented:
and if you add: access-list web-dmz_access_in extended permit icmp any any ?
0
 
pjmcdougallAuthor Commented:
I thought "ip" covered icmp?  Anyway I have now added it but no luck.  As you can see I can ping the inside interface but not the dmz interface:


C:\WINDOWS>ping 10.100.15.249

Pinging 10.100.15.249 with 32 bytes of data:

Reply from 10.100.15.249: bytes=32 time<1ms TTL=253
Reply from 10.100.15.249: bytes=32 time<1ms TTL=253
Reply from 10.100.15.249: bytes=32 time<1ms TTL=253
Reply from 10.100.15.249: bytes=32 time<1ms TTL=253

Ping statistics for 10.100.15.249:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\WINDOWS>ping 10.100.21.253

Pinging 10.100.21.253 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.100.21.253:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
0
Turn Raw Data into a Real Career

There’s a growing demand for qualified analysts who can make sense of Big Data. With an MS in Data Analytics, you can become the data mining, management, mapping, and munging expert that today’s leading corporations desperately need.

LEARN MORE
 
pjmcdougallAuthor Commented:
Just incase someone ask me is the routing ok for this subnet on my lan.  The below output is from the ASA and it clearly shows the subnets in question:

FBNECOLO5520-01(config)# sh ospf database

       OSPF Router with ID (10.100.15.249) (Process ID 10)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.100.15.249 10.100.15.249 1607            0x80000051 0x 554 2
192.168.255.25  192.168.255.25  1556        0x800003ca 0x69cf 4
192.168.255.26  192.168.255.26  1136        0x8000036d 0x9194 2

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.100.15.252   192.168.255.25  1556        0x80000008 0x48f3

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
10.0.2.0        192.168.255.26  1136        0x8000034e 0x 3bd 0
10.0.3.0        192.168.255.26  1136        0x80000279 0xa4f0 0
10.0.4.0        192.168.255.26  1136        0x80000279 0x99fa 0
10.0.5.0        192.168.255.26  1136        0x80000279 0x8e05 0
10.0.6.0        192.168.255.26  1136        0x80000279 0x830f 0
10.0.7.0        192.168.255.26  1136        0x80000279 0x7819 0
10.0.8.0        192.168.255.26  1136        0x8000034a 0xc8f5 0
10.0.10.0       192.168.255.26  1136        0x8000034f 0xa80f 0
10.0.12.0       192.168.255.26  1136        0x8000034f 0x9223 0
10.0.13.0       192.168.255.26  1136        0x8000034f 0x872d 0
10.0.14.0       192.168.255.26  1136        0x8000034c 0x8234 0
10.0.15.0       192.168.255.26  1136        0x8000034a 0x7b3c 0
10.0.16.0       192.168.255.26  1136        0x8000034a 0x7046 0
10.0.17.0       192.168.255.26  1136        0x8000034f 0x5b55 0
10.0.40.0       192.168.255.26  1136        0x80000349 0x96b7 0
10.0.41.0       192.168.255.26  1136        0x80000349 0x8bc1 0
10.0.42.0       192.168.255.26  1136        0x80000349 0x80cb 0
10.0.43.0       192.168.255.26  1136        0x80000349 0x75d5 0
10.0.44.0       192.168.255.26  1136        0x80000349 0x6adf 0
10.0.100.0      192.168.255.26  1136        0x80000279 0x75be 0
10.0.101.0      192.168.255.26  1136        0x8000034a 0xc59b 0
10.0.102.0      192.168.255.26  1136        0x8000034d 0xb4a8 0
10.0.103.0      192.168.255.26  1136        0x8000034f 0xa5b4 0
10.0.104.0      192.168.255.26  1136        0x8000034f 0x9abe 0
10.0.105.0      192.168.255.26  1136        0x8000034f 0x8fc8 0
10.0.106.0      192.168.255.26  1136        0x8000034e 0x86d1 0
10.0.107.0      192.168.255.26  1136        0x8000034b 0x81d8 0
10.0.108.0      192.168.255.26  1136        0x8000034a 0x78e1 0
10.0.109.0      192.168.255.26  1136        0x8000034a 0x6deb 0
10.0.110.0      192.168.255.26  1136        0x8000034f 0x58fa 0
10.0.120.0      192.168.255.26  1136        0x80000279 0x9887 0
---- cut ----

Thks for looking :)
0
 
Ernie BeekExpertCommented:
Well I noticed that sometimes it might help, but not in this case.

I saw something else in your config:
static (inside,web-dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

You might want to change that:
static (inside,web-dmz) 10.100.15.0 10.100.15.0 netmask 255.255.255.0
0
 
pjmcdougallAuthor Commented:
My head gets a bit fried with these nats.  My lan has 3 subnets:

10.0.10.0/24
10.0.110.0/24
10.100.15.0/24

Should the inside address in your above example cover all 3 subnets?  Remember I am pinging from the computers 10.0.10.200 and 10.0.110.10.   My 10.100.15.0 subnet is only a management subnet for all my cisco kit.

cheers,
paul
0
 
pjmcdougallAuthor Commented:
A bit more info.  This is a ping from the ASA to my PC.  As expected the web-dmz source failed:

Standard Ping:
FBNECOLO5520-01(config)# ping 10.0.110.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.110.10, timeout is 2 seconds:
!!!!!

Extended Ping:
FBNECOLO5520-01(config)# ping
Interface: web-dmz
Target IP address: 10.0.110.10
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.110.10, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
0
 
pjmcdougallAuthor Commented:
Hey erniebeek, I tried your suggestion and now there seems to be a portmap translation error thrown into the mix.  Cheers for giving it a go, anything else we can try?

%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-3-305006: portmap translation creation failed for icmp src inside:10.0.110.10 dst web-dmz:10.100.21.1 (type 8, code 0)
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
0
 
Ernie BeekExpertCommented:
That's correct, you tried to ping from an address for which we haven't created one yet :)

So try adding:
static (inside,web-dmz) 10.0.10.0 10.0.10.0 netmask 255.255.255.0
static (inside,web-dmz) 10.0.110.0 10.0.110.0 netmask 255.255.255.0

as well
0
 
pjmcdougallAuthor Commented:
Hi erniebeek, it doesn't seem to have made any difference :(

My nats are configured as:

global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,web-dmz) 10.100.15.0 10.100.15.0 netmask 255.255.255.0
static (inside,web-dmz) 10.0.110.0 10.0.110.0 netmask 255.255.255.0
0
 
Ernie BeekExpertCommented:
Still missing the
static (inside,web-dmz) 10.0.10.0 10.0.10.0 netmask 255.255.255.0

Then the translations should be ok. Otherwise let me know what shows up in the logs then.
0
 
pjmcdougallAuthor Commented:
Here's something interesting.  If I plug a laptop into the DMZ I can ping my PC 10.0.110.10.

I give the laptop the following TCP settings:

IP - 10.100.21.1
Mask - 255.255.255.0
Gate - 10.100.21.253

Good one way but not the other - arrrrrgh!
0
 
pjmcdougallAuthor Commented:
Hi erniebeek,

Yep your right but I am now limiting my testing to the one subnet of 10.0.110.0/24.  None the less I have also added the other internal subnet as you pointed out:

static (inside,web-dmz) 10.100.15.0 10.100.15.0 netmask 255.255.255.0
static (inside,web-dmz) 10.0.110.0 10.0.110.0 netmask 255.255.255.0
static (inside,web-dmz) 10.0.10.0 10.0.10.0 netmask 255.255.255.0

Logs are still as they were at the beginning of this post.
0
 
Ernie BeekExpertCommented:
Just thinking hard here.

You cannot ping the DMZ interface...... but can you ping anything in the DMZ?
You pinged your station from a laptop in the DMZ, can you ping the laptop from your station?
0
 
pjmcdougallAuthor Commented:
No I tried that.  I cannot ping the laptop from my PC.

PC can ping the inside interface (obviously because I am telneted into the ASA) but cannot ping the DMZ interface or anything behind the DMZ.

0
 
pjmcdougallAuthor Commented:
Here is a quick diagram of my topology, hope it helps.
Topology.gif
0
 
pjmcdougallAuthor Commented:
Hi erniebeek,

All your assumptions are correct.

Pinging from the core router (cisco 4506) is same as from my PC - nothin!
0
 
Ernie BeekExpertCommented:
Been looking at the logs and see something funny. Do you know what the 10.100.21.1is?
0
 
pjmcdougallAuthor Commented:
Yup, it's my laptop in the DMZ remember :)

IP - 10.100.21.1
Mask - 255.255.255.0
Gate - 10.100.21.253

0
 
pjmcdougallAuthor Commented:
More info, nothing wrong just an observation:

The attached image is a snap of the ASDM logs (as opposed to the ASA logs) and here you can see the laptop trying to do DNS lookup to 139.130.4.4 and 10.0.2.1.  

The pass to 139.130.4.4 failed because no access-list permitting and the pass to 10.0.2.1 failed because we have not put a nat in for this subnet (yes it's another subnet on the trusted but irrelevant to our problems here)
ASDM-log.gif
0
 
pjmcdougallAuthor Commented:
I think we got it !!!

The laptop had it's firewall turned on (damn SOE).  I have since turned it off and I can now ping it from the trusted network.

I still would have been chasing my tail though because I did not know about the "closest interface" rule ie: the one facing you.  First I've heard about that.  This would explain why my pings are still not responding to the DMZ interface of 10.100.21.253.

Is that correct erniebeek?
0
 
Ernie BeekExpertCommented:
That correct, the only exception is when you connect through a vpn and issue ' management-access' on it.
Glad you figured it out (and thanks to MS :-(  ).
0
 
Ernie BeekExpertCommented:
Pleasure working with you :)

Just one question, did you intend to close the question the way you did?
Though I'm doing this for fun and to steepen my learning curve, points are always nice to have ;)
0
 
pjmcdougallAuthor Commented:
Likewise I really appreciated your help.  This was my 1st time on ExpertsExchange (1 month trial), how do I allocate points to you?  Please advise and I would be more than happy to comply with ANY requirement.
0
 
Ernie BeekExpertCommented:
Just ask a moderator.
I'll hit the object button and someone will have a look and help us out.

First time eh? Hope to see you back again :)
0
 
pjmcdougallAuthor Commented:
Hi alias99,

I did not see the option "Accept and Award Points" only "Accept Solution".  I would like to award erniebeek 500 points for his trouble.  Without his comment:  "you can only ping the ASA interface that is facing you" + other troubleshooting I may never have solved the issue.

Can you please assist by awarding these points from my account to erniebeek?

Kind Regards,
Paul
0
 
Ernie BeekExpertCommented:
One way or another we always are able to get things right (with a bit of help from the mods :)

Thx for the points.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.

Advertise Here