Can't ping from inside to DMZ ASA 5505

Running Cisco ASDM 6.2 and ASA 8.2 on ASA 5505. Have inside set to 100, dmz 50 and outside 0. We have an icmp outside rule (under management Access/ICMP that says no icmp from outside allowed. Shouldn't I be able to ping my DMZ IP's from any address inside my firewall? When I ping from an inside address to an address in the DMZ I get the following error "Feb 25 2014  12:45:43  305006 Slingshot  portmap translation creation failed for icmp src inside:192.168.222.45 dst DMZ:Slingshot (type 8, code 0)."

I've been going in circles on this for days... Any help would or idea's would be a big help.
Thanks,
Joe
pbmtechAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jan SpringerCommented:
Are you explicitly allowing icmp?
0
pbmtechAuthor Commented:
We have the one ICMP setting that I mentioned that says "any outside deny all all." (see Capture.PNG attached). That's the only icmp rule I know of? How can I tell if I'm explicitly allowing icmp? The PC that I'm pinging from on the inside (inside/incoming) has source my IP_address to destination any service permit and the DMZ has one access rule (DMZ/incoming) that allows any any IP permit. Our NAT rules are DMZ three static that allow our three DMZ IP address to to interface outside and have an attached outside IP's. Both the DMZ and Inside Nat rules have a dynamic any outside outside rule.
Capture.PNG
0
Jan SpringerCommented:
Usually with higher security interfaces, icmp is disabled by default.

You can always "permit icmp any any" and "permit ip any any" attached to the inside and dmz interfaces to verity that (presuming that you don't have an access-list attached to those interfaces).
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Become an IT Security Management Expert

In today’s fast-paced, digitally transformed world of business, the need to protect network data and ensure cloud privacy has never been greater. With a B.S. in Network Operations and Security, you can get the credentials it takes to become an IT security management expert.

pbmtechAuthor Commented:
The inside should still be able to ping the DMZ based on the security levels... We do have both NAT and Access rules configured for the inside and DMZ interfaces and I'm sure something is wrong there... Would those permit icmp any any and permit ip any any be NAT rules?
0
Jan SpringerCommented:
you can do one of two things:

attempt a ping a check the log or run packet-tracer if you know the icmp type and code.
0
pbmtechAuthor Commented:
I guess that what I really need to figure out is how I can communicate with a PC on another subnet (our DMZ), not just ping. I need to be able to ssh, ping, remote desktop etc... into servers on the DMZ (221.x) from the inside (222.x). I've added the any any icmp to DMZ and to Inside as well as the any any ip and still no luck.
0
pbmtechAuthor Commented:
So I think I solved this... I added a new Static NAT rule for my PC on the inside to have access to the DMZ network and now I can ping and access web sites running on the DMZ from my inside IP address. I don't understand why I needed to do this but it works :)
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.