[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2693
  • Last Modified:

Can't ping from inside to DMZ ASA 5505

Running Cisco ASDM 6.2 and ASA 8.2 on ASA 5505. Have inside set to 100, dmz 50 and outside 0. We have an icmp outside rule (under management Access/ICMP that says no icmp from outside allowed. Shouldn't I be able to ping my DMZ IP's from any address inside my firewall? When I ping from an inside address to an address in the DMZ I get the following error "Feb 25 2014  12:45:43  305006 Slingshot  portmap translation creation failed for icmp src inside:192.168.222.45 dst DMZ:Slingshot (type 8, code 0)."

I've been going in circles on this for days... Any help would or idea's would be a big help.
Thanks,
Joe
0
pbmtech
Asked:
pbmtech
  • 4
  • 3
1 Solution
 
Jan SpringerCommented:
Are you explicitly allowing icmp?
0
 
pbmtechAuthor Commented:
We have the one ICMP setting that I mentioned that says "any outside deny all all." (see Capture.PNG attached). That's the only icmp rule I know of? How can I tell if I'm explicitly allowing icmp? The PC that I'm pinging from on the inside (inside/incoming) has source my IP_address to destination any service permit and the DMZ has one access rule (DMZ/incoming) that allows any any IP permit. Our NAT rules are DMZ three static that allow our three DMZ IP address to to interface outside and have an attached outside IP's. Both the DMZ and Inside Nat rules have a dynamic any outside outside rule.
Capture.PNG
0
 
Jan SpringerCommented:
Usually with higher security interfaces, icmp is disabled by default.

You can always "permit icmp any any" and "permit ip any any" attached to the inside and dmz interfaces to verity that (presuming that you don't have an access-list attached to those interfaces).
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
pbmtechAuthor Commented:
The inside should still be able to ping the DMZ based on the security levels... We do have both NAT and Access rules configured for the inside and DMZ interfaces and I'm sure something is wrong there... Would those permit icmp any any and permit ip any any be NAT rules?
0
 
Jan SpringerCommented:
you can do one of two things:

attempt a ping a check the log or run packet-tracer if you know the icmp type and code.
0
 
pbmtechAuthor Commented:
I guess that what I really need to figure out is how I can communicate with a PC on another subnet (our DMZ), not just ping. I need to be able to ssh, ping, remote desktop etc... into servers on the DMZ (221.x) from the inside (222.x). I've added the any any icmp to DMZ and to Inside as well as the any any ip and still no luck.
0
 
pbmtechAuthor Commented:
So I think I solved this... I added a new Static NAT rule for my PC on the inside to have access to the DMZ network and now I can ping and access web sites running on the DMZ from my inside IP address. I don't understand why I needed to do this but it works :)
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now