Solved

Can't ping from inside to DMZ ASA 5505

Posted on 2014-02-25
Last Modified: 2014-03-07
Running Cisco ASDM 6.2 and ASA 8.2 on an ASA 5505. Have inside set to 100, dmz 50 and outside 0. We have an icmp outside rule (under Management Access/ICMP) that says no icmp from outside is allowed. Shouldn't I be able to ping my DMZ IPs from any address inside my firewall? When I ping from an inside address to an address in the DMZ I get the following error: "Feb 25 2014  12:45:43  305006 Slingshot  portmap translation creation failed for icmp src inside:192.168.222.45 dst DMZ:Slingshot (type 8, code 0)."

I've been going in circles on this for days... Any help or ideas would be a big help.
Thanks,
Joe
Question by:pbmtech
7 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39887226
Are you explicitly allowing icmp?
0
 

Author Comment

by:pbmtech
ID: 39887326
We have the one ICMP setting that I mentioned that says "any outside deny all all" (see Capture.PNG attached). That's the only icmp rule I know of. How can I tell if I'm explicitly allowing icmp? The PC that I'm pinging from on the inside (inside/incoming) has source my IP address to destination any, service permit, and the DMZ has one access rule (DMZ/incoming) that allows any any IP permit. Our NAT rules are DMZ three static that allow our three DMZ IP addresses to interface outside and have attached outside IPs. Both the DMZ and Inside NAT rules have a dynamic any outside outside rule.
Capture.PNG
0
 
LVL 28

Accepted Solution

by: Jan Springer (earned 500 total points)
ID: 39887336
Usually with higher security interfaces, icmp is disabled by default.

You can always "permit icmp any any" and "permit ip any any" attached to the inside and dmz interfaces to verify that (presuming that you don't have an access-list attached to those interfaces).
0

Author Comment

by:pbmtech
ID: 39887459
The inside should still be able to ping the DMZ based on the security levels... We do have both NAT and Access rules configured for the inside and DMZ interfaces and I'm sure something is wrong there... Would those permit icmp any any and permit ip any any be NAT rules?
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39887503
You can do one of two things:

attempt a ping and check the log, or run packet-tracer if you know the icmp type and code.
0
 

Author Comment

by:pbmtech
ID: 39901511
I guess that what I really need to figure out is how I can communicate with a PC on another subnet (our DMZ), not just ping. I need to be able to ssh, ping, remote desktop etc... into servers on the DMZ (221.x) from the inside (222.x). I've added the any any icmp to DMZ and to Inside as well as the any any ip and still no luck.
0
 

Author Comment

by:pbmtech
ID: 39907165
So I think I solved this... I added a new Static NAT rule for my PC on the inside to have access to the DMZ network and now I can ping and access web sites running on the DMZ from my inside IP address. I don't understand why I needed to do this but it works :)
0
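As an added illustration (not code from the thread, from Cisco, or from ASDM), the following Python parses the 305006 "portmap translation creation failed" message Joe quoted, turns it into the packet-tracer check Jan suggested, and prints an ASA 8.2 identity static of the kind Joe ended up adding. The interface names, the source address 192.168.222.45 and the name object "Slingshot" come from the log line; the second, TCP sample line, the DMZ host 192.168.221.10 and the SSH port are constructed for the example and are not from the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# ASA syslog 305006 exactly as quoted in the question; the text before the
# message body is the ASDM log view's date/time/ID/host columns.
ASDM_LINE = ("Feb 25 2014  12:45:43  305006 Slingshot  portmap translation creation "
             "failed for icmp src inside:192.168.222.45 dst DMZ:Slingshot (type 8, code 0).")

# Constructed second sample for a TCP flow (assumed DMZ host 192.168.221.10
# and port 22; neither value appears in the thread).
TCP_LINE = ("%ASA-3-305006: portmap translation creation failed for tcp "
            "src inside:192.168.222.45/51234 dst DMZ:192.168.221.10/22")

# Message body of 305006: protocol, "ifc:host[/port]" for src and dst, and an
# optional "(type N, code M)" suffix for ICMP.
MSG_RE = re.compile(
    r"portmap translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>\S+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>\S+)"
    r"(?: \(type (?P<itype>\d+), code (?P<icode>\d+)\))?"
)


@dataclass
class PortmapFailure:
    proto: str
    src_if: str
    src: str
    src_port: Optional[str]
    dst_if: str
    dst: str
    dst_port: Optional[str]
    icmp_type: Optional[int]
    icmp_code: Optional[int]


def parse_305006(line: str) -> Optional[PortmapFailure]:
    """Return the fields of a 305006 message, or None for any other log line."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    src, _, src_port = m.group("src").partition("/")
    dst, _, dst_port = m.group("dst").rstrip(".").partition("/")
    return PortmapFailure(
        proto=m.group("proto").lower(),
        src_if=m.group("src_if"), src=src, src_port=src_port or None,
        dst_if=m.group("dst_if"), dst=dst, dst_port=dst_port or None,
        icmp_type=int(m.group("itype")) if m.group("itype") else None,
        icmp_code=int(m.group("icode")) if m.group("icode") else None,
    )


def packet_tracer_command(f: PortmapFailure) -> str:
    """Build the packet-tracer invocation for the failed flow. A host name such
    as the 'Slingshot' name object must resolve on the ASA (or be replaced by
    its IP) before this is typed in."""
    if f.proto == "icmp":
        return (f"packet-tracer input {f.src_if} icmp {f.src} "
                f"{f.icmp_type} {f.icmp_code} {f.dst}")
    return (f"packet-tracer input {f.src_if} {f.proto} {f.src} {f.src_port} "
            f"{f.dst} {f.dst_port}")


def identity_static(f: PortmapFailure, netmask: str = "255.255.255.255") -> str:
    """ASA 8.2 identity static: the source keeps its own address towards the
    destination interface, so a translation exists and the flow is no longer
    dropped at NAT. Widen the netmask to cover a whole subnet."""
    return f"static ({f.src_if},{f.dst_if}) {f.src} {f.src} netmask {netmask}"


def explain(f: PortmapFailure) -> str:
    """Plain-language reading of the message, independent of access rules
    and security levels (which never get a say when no xlate can be built)."""
    return (f"{f.src} on {f.src_if} matched a NAT rule for {f.src_if}, but no "
            f"translation (static, nat/global or nat 0 exemption) exists from "
            f"{f.src_if} to {f.dst_if}, so the {f.proto} flow to {f.dst} is dropped "
            f"before any access rule applies. Check with: {packet_tracer_command(f)}")


if __name__ == "__main__":
    for line in (ASDM_LINE, TCP_LINE):
        failure = parse_305006(line)
        if failure is not None:
            print(explain(failure))
            print("  candidate fix: " + identity_static(failure))
```

The parser only cares about the message body, so it works on raw syslog from the ASA as well as on lines copied out of the ASDM log viewer; any non-305006 line returns None and can be skipped.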
