<div>
Packet tracer results running from DMZ to Inside: 
&nbsp; 
&nbsp; 
&nbsp; 
SiteA-Firewall# packet-tracer input dmz icmp 173.17.1.4 0 0 11.2.1.23 
&nbsp; 
&nbsp; 
Phase: 1 
Type: FLOW-LOOKUP 
Subtype: 
Result: ALLOW 
Config: 
Additional Information: 
Found no matching flow, creating a new flow 
&nbsp; 
&nbsp; 
Phase: 2 
Type: UN-NAT 
Subtype: static 
Result: ALLOW 
Config: 
static (inside,dmz) 11.2.1.0 11.2.1.0 netmask 255.255.255.0 
nat-control 
&nbsp; match ip inside 11.2.1.0 255.255.255.0 dmz any 
&nbsp; &nbsp; static translation to 11.2.1.0 
&nbsp; &nbsp; translate_hits = 1, untranslate_hits = 3 
Additional Information: 
NAT divert to egress interface inside 
Untranslate 11.2.1.0/0 to 11.2.1.0/0 using netmask 255.255.255.0 
&nbsp; 
&nbsp; 
Phase: 3 
Type: ACCESS-LIST 
Subtype: log 
Result: ALLOW 
Config: 
access-group dmz_access_in in interface dmz 
access-list dmz_access_in extended permit icmp any any 
Additional Information: 
&nbsp; 
&nbsp; 
Phase: 4 
Type: IP-OPTIONS 
Subtype: 
Result: ALLOW 
Config: 
Additional Information: 
&nbsp; 
&nbsp; 
Phase: 5 
Type: INSPECT 
Subtype: np-inspect 
Result: ALLOW 
Config: 
class-map inspection_default 
match default-inspection-traffic 
policy-map global_policy 
description Internet_Netflow 
class inspection_default 
&nbsp; inspect icmp 
service-policy global_policy global 
Additional Information: 
&nbsp; 
&nbsp; 
Phase: 6 
Type: INSPECT 
Subtype: np-inspect 
Result: ALLOW 
Config: 
Additional Information: 
&nbsp; 
&nbsp; 
Phase: 7 
Type: 
Subtype: 
Result: ALLOW 
Config: 
Additional Information: 
&nbsp; 
&nbsp; 
Phase: 8 
Type: NAT 
Subtype: host-limits 
Result: ALLOW 
Config: 
nat (dmz) 1 173.17.1.0 255.255.255.0 
nat-control 
&nbsp; match ip dmz 173.17.1.0 255.255.255.0 dmz any 
&nbsp; &nbsp; dynamic translation to pool 1 (173.17.1.1 [Interface PAT]) 
&nbsp; &nbsp; translate_hits = 0, untranslate_hits = 0 
Additional Information: 
&nbsp; 
&nbsp; 
Phase: 9 
Type: NAT 
Subtype: rpf-check 
Result: ALLOW 
Config: 
static (inside,dmz) 11.2.1.0 11.2.1.0 netmask 255.255.255.0 
nat-control 
&nbsp; match ip inside 11.2.1.0 255.255.255.0 dmz any 
&nbsp; &nbsp; static translation to 11.2.1.0 
&nbsp; &nbsp; translate_hits = 1, untranslate_hits = 3 
Additional Information: 
&nbsp; 
&nbsp; 
Phase: 10 
Type: FLOW-CREATION 
Subtype: 
Result: ALLOW 
Config: 
Additional Information: 
New flow created with id 263043, packet dispatched to next module 
&nbsp; 
&nbsp; 
Result: 
input-interface: dmz 
input-status: up 
input-line-status: up 
output-interface: inside 
output-status: up 
output-line-status: up 
Action: allow
</div>

<div>
From inside to DMZ: 
&nbsp; 
&nbsp; 
&nbsp; 
SiteA-Firewall# packet-tracer input inside icmp 11.2.1.23 0 0 173.17.1.4 
&nbsp; 
&nbsp; 
Phase: 1 
Type: ACCESS-LIST 
Subtype: 
Result: ALLOW 
Config: 
Implicit Rule 
Additional Information: 
MAC Access list 
&nbsp; 
&nbsp; 
Phase: 2 
Type: FLOW-LOOKUP 
Subtype: 
Result: ALLOW 
Config: 
Additional Information: 
Found no matching flow, creating a new flow 
&nbsp; 
&nbsp; 
Phase: 3 
Type: ROUTE-LOOKUP 
Subtype: input 
Result: ALLOW 
Config: 
Additional Information: 
in &nbsp; 173.17.1.0 &nbsp; &nbsp; &nbsp;255.255.255.0 &nbsp; dmz 
&nbsp; 
&nbsp; 
Phase: 4 
Type: IP-OPTIONS 
Subtype: 
Result: ALLOW 
Config: 
Additional Information: 
&nbsp; 
&nbsp; 
Phase: 5 
Type: INSPECT 
Subtype: np-inspect 
Result: ALLOW 
Config: 
class-map inspection_default 
match default-inspection-traffic 
policy-map global_policy 
description Internet_Netflow 
class inspection_default 
&nbsp; inspect icmp 
service-policy global_policy global 
Additional Information: 
&nbsp; 
&nbsp; 
Phase: 6 
Type: INSPECT 
Subtype: np-inspect 
Result: ALLOW 
Config: 
Additional Information: 
&nbsp; 
&nbsp; 
Phase: 7 
Type: 
Subtype: 
Result: ALLOW 
Config: 
Additional Information: 
&nbsp; 
&nbsp; 
Phase: 8 
Type: NAT 
Subtype: 
Result: ALLOW 
Config: 
static (inside,dmz) 11.2.1.0 11.2.1.0 netmask 255.255.255.0 
nat-control 
&nbsp; match ip inside 11.2.1.0 255.255.255.0 dmz any 
&nbsp; &nbsp; static translation to 11.2.1.0 
&nbsp; &nbsp; translate_hits = 2, untranslate_hits = 3 
Additional Information: 
Static translate 11.2.1.0/0 to 11.2.1.0/0 using netmask 255.255.255.0 
&nbsp; 
&nbsp; 
Phase: 9 
Type: NAT 
Subtype: host-limits 
Result: ALLOW 
Config: 
static (inside,dmz) 11.2.1.0 11.2.1.0 netmask 255.255.255.0 
nat-control 
&nbsp; match ip inside 11.2.1.0 255.255.255.0 dmz any 
&nbsp; &nbsp; static translation to 11.2.1.0 
&nbsp; &nbsp; translate_hits = 2, untranslate_hits = 3 
Additional Information: 
&nbsp; 
&nbsp; 
Phase: 10 
Type: FLOW-CREATION 
Subtype: 
Result: ALLOW 
Config: 
Additional Information: 
New flow created with id 266708, packet dispatched to next module 
&nbsp; 
&nbsp; 
Result: 
input-interface: inside 
input-status: up 
input-line-status: up 
output-interface: dmz 
output-status: up 
output-line-status: up 
Action: allow
</div>

<div>
I apologize, that was an older santized config. The attached file is the most up to date config. 
<a href="https://filedb.experts-exchange.com/incoming/2012/07_w27/587639/75ASAsitea.log" target="_blank" class="file-inline" title="Correct ASA config (5 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>75ASAsitea.log</a>
</div>

75ASAsitea.log

<div>
do you have the security plus license on your ASA?
</div>

<div>
Correct, we have a security plus license on this machine. Will that help, hinder, or not affect this issue?
</div>

<div>
I had a co-working check my config, he noticed the no_nat acl wasn't being applied to anything. We went through some old configs where the DMZ was still working, the command &quot;nat (inside) 0 access-list no_nat&quot; was present in some of those old configs. 
 
I applied this command was able to ping, success! My question after that was &quot;So what ACL actually controls what gets between the DMZ and the Inside interfaces?&quot; I ran the following command to remove the dmz_access_in ACL from the device &quot;clear configure access-list dmz_access_in&quot; then I tried to ping again. I pinged the interface, which I reasoned I should still be able to because technically there's nothing coming &quot;in&quot; to the DMZ. But, when I pinged a machine inside the DMZ, I thought nothing would come back because there's no acl on DMZ letting things back &quot;in&quot; to the interface. Well that ping worked as well. 
 
So, my question is, &quot;Why does pinging stop when the ACL no_nat is removed, but it continues if the previous ACL is in play but the dmz_access_in ACL is removed?&quot; additionally, &quot;What does that dmz_access_in ACL control if anything? Because it doesn't appear to be controlling what goes &quot;in&quot; to that dmz interface.&quot; 
 
Thanks.
</div>

<div>
If packet-tracer results are to be believed, my issue is not solved, they can ping, but when I simulate traffice coming out of a machine on the DMZ, it gets dropped. Results below: 
 
SiteA-Firewall# packet-tracer input dmz icmp 173.17.1.4 0 0 11.2.1.23 
&nbsp; 
&nbsp; 
Phase: 1 
Type: FLOW-LOOKUP 
Subtype: 
Result: ALLOW 
Config: 
Additional Information: 
Found no matching flow, creating a new flow 
&nbsp; 
&nbsp; 
Phase: 2 
Type: ROUTE-LOOKUP 
Subtype: input 
Result: ALLOW 
Config: 
Additional Information: 
in &nbsp; 11.2.1.0 &nbsp; &nbsp; &nbsp; &nbsp;255.255.255.0 &nbsp; inside 
&nbsp; 
&nbsp; 
Phase: 3 
Type: ACCESS-LIST 
Subtype: log 
Result: ALLOW 
Config: 
access-group dmz_access_in in interface dmz 
access-list dmz_access_in extended permit ip any any 
Additional Information: 
&nbsp; 
&nbsp; 
Phase: 4 
Type: IP-OPTIONS 
Subtype: 
Result: ALLOW 
Config: 
Additional Information: 
&nbsp; 
&nbsp; 
Phase: 5 
Type: INSPECT 
Subtype: np-inspect 
Result: ALLOW 
Config: 
class-map inspection_default 
&nbsp;match default-inspection-traffic 
policy-map global_policy 
&nbsp;description Internet_Netflow 
&nbsp;class inspection_default 
&nbsp; inspect icmp 
service-policy global_policy global 
Additional Information: 
&nbsp; 
&nbsp; 
Phase: 6 
Type: INSPECT 
Subtype: np-inspect 
Result: ALLOW 
Config: 
Additional Information: 
&nbsp; 
&nbsp; 
Phase: 7 
Type: 
Subtype: 
Result: ALLOW 
Config: 
Additional Information: 
&nbsp; 
&nbsp; 
Phase: 8 
Type: NAT 
Subtype: host-limits 
Result: ALLOW 
Config: 
nat (dmz) 1 173.17.1.0 255.255.255.0 
nat-control 
&nbsp; match ip dmz 173.17.1.0 255.255.255.0 dmz any 
&nbsp; &nbsp; dynamic translation to pool 1 (173.17.1.1 [Interface PAT]) 
&nbsp; &nbsp; translate_hits = 0, untranslate_hits = 0 
Additional Information: 
&nbsp; 
&nbsp; 
Phase: 9 
Type: NAT 
Subtype: rpf-check 
Result: DROP 
Config: 
nat (inside) 1 0.0.0.0 0.0.0.0 
nat-control 
&nbsp; match ip inside any dmz any 
&nbsp; &nbsp; dynamic translation to pool 1 (173.17.1.1 [Interface PAT]) 
&nbsp; &nbsp; translate_hits = 1, untranslate_hits = 0 
Additional Information: 
&nbsp; 
&nbsp; 
Result: 
input-interface: dmz 
input-status: up 
input-line-status: up 
output-interface: inside 
output-status: up 
output-line-status: up 
Action: drop 
Drop-reason: (acl-drop) Flow is denied by configured rule
</div>

<div>
Addition, the above results are with a &quot;permit ip any any&quot; as the only line of dmz_access_in.
</div>

<div>
I removed the line &quot;nat (dmz) 0 access-list no_nat_dmz&quot;, 
And added the line: static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0.0 
&nbsp; 
The pings work through packet tracer. I'm a bit confused as to why though. If I understand right the static command you had me put in &quot;maps&quot; the 10.0.0.0 subnet on the dmz to that same network on the inside interface. But if that's right, how do I control what comes and goes from the dmz interface? Specifically since I don't have an acl controlling the show anymore.
</div>

<div>
When you make a NAT change, it is good practice to do a &quot;clear xlate&quot; to ensure that it removes any running translations. 
 
Can post the configuration as it is now.
</div>

<div>
Figured out answer for myself.
</div>

<div>
<div class="content wysiwyg-content">
I have several machines out in my DMZ and cannot get a ping going between them and anything on the inside of my network. I've even tried setting my access list attached to my DMZ to ip any any with no luck. Attached is my (sanitized) config. Any help is appreciated, everything looks good to me, but obviously something is wrong. 
&nbsp; 
Thanks in advance. 
<a href="https://filedb.experts-exchange.com/incoming/2012/07_w27/587587/73SiteAFW.log" target="_blank" class="file-inline" title="Sanitized ASA config (10 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>73SiteAFW.log</a>
</div>
</div>

73SiteAFW.log

I have several machines out in my DMZ and cannot get a ping going between them and anything on the inside of my network. I've even tried setting my access list attached to my DMZ to ip any any with no luck. Attached is my (sanitized) config. Any help is appreciated, everything looks good to me, but obviously something is wrong.
 
Thanks in advance.

ASA 5510 DMZ and Inside do not talk to one another

Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).

Cisco

Networking hardware includes the physical devices facilitating the use of a computer network. Typically, networking hardware includes gateways, routers, network bridges, modems, wireless access points, networking cables, line drivers, switches, hubs, and repeaters. But it also includes hybrid network devices such as multilayer switches, protocol converters, bridge routers, proxy servers, firewalls, network address translators, multiplexers, network interface controllers, wireless network interface controllers, ISDN terminal adapters and other related hardware.

Networking Hardware-Other

Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.