Solved

Can't ping from inside to DMZ ASA 5505

Posted on 2014-02-25
7
2,464 Views
Last Modified: 2014-03-07
Running Cisco ASDM 6.2 and ASA 8.2 on ASA 5505. Have inside set to 100, dmz 50 and outside 0. We have an icmp outside rule (under management Access/ICMP that says no icmp from outside allowed. Shouldn't I be able to ping my DMZ IP's from any address inside my firewall? When I ping from an inside address to an address in the DMZ I get the following error "Feb 25 2014  12:45:43  305006 Slingshot  portmap translation creation failed for icmp src inside:192.168.222.45 dst DMZ:Slingshot (type 8, code 0)."

I've been going in circles on this for days... Any help would or idea's would be a big help.
Thanks,
Joe
0
Comment
Question by:pbmtech
  • 4
  • 3
7 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39887226
Are you explicitly allowing icmp?
0
 

Author Comment

by:pbmtech
ID: 39887326
We have the one ICMP setting that I mentioned that says "any outside deny all all." (see Capture.PNG attached). That's the only icmp rule I know of? How can I tell if I'm explicitly allowing icmp? The PC that I'm pinging from on the inside (inside/incoming) has source my IP_address to destination any service permit and the DMZ has one access rule (DMZ/incoming) that allows any any IP permit. Our NAT rules are DMZ three static that allow our three DMZ IP address to to interface outside and have an attached outside IP's. Both the DMZ and Inside Nat rules have a dynamic any outside outside rule.
Capture.PNG
0
 
LVL 28

Accepted Solution

by:
Jan Springer earned 500 total points
ID: 39887336
Usually with higher security interfaces, icmp is disabled by default.

You can always "permit icmp any any" and "permit ip any any" attached to the inside and dmz interfaces to verity that (presuming that you don't have an access-list attached to those interfaces).
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:pbmtech
ID: 39887459
The inside should still be able to ping the DMZ based on the security levels... We do have both NAT and Access rules configured for the inside and DMZ interfaces and I'm sure something is wrong there... Would those permit icmp any any and permit ip any any be NAT rules?
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39887503
you can do one of two things:

attempt a ping a check the log or run packet-tracer if you know the icmp type and code.
0
 

Author Comment

by:pbmtech
ID: 39901511
I guess that what I really need to figure out is how I can communicate with a PC on another subnet (our DMZ), not just ping. I need to be able to ssh, ping, remote desktop etc... into servers on the DMZ (221.x) from the inside (222.x). I've added the any any icmp to DMZ and to Inside as well as the any any ip and still no luck.
0
 

Author Comment

by:pbmtech
ID: 39907165
So I think I solved this... I added a new Static NAT rule for my PC on the inside to have access to the DMZ network and now I can ping and access web sites running on the DMZ from my inside IP address. I don't understand why I needed to do this but it works :)
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Not many admins are aware that GPOs can be activated and deactivated time-based. Time to change that :)
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now