Can't ping from inside to DMZ ASA 5505

Posted on 2014-02-25
Last Modified: 2014-03-07
Running Cisco ASDM 6.2 and ASA 8.2 on ASA 5505. Have inside set to 100, dmz 50 and outside 0. We have an icmp outside rule (under management Access/ICMP that says no icmp from outside allowed. Shouldn't I be able to ping my DMZ IP's from any address inside my firewall? When I ping from an inside address to an address in the DMZ I get the following error "Feb 25 2014  12:45:43  305006 Slingshot  portmap translation creation failed for icmp src inside: dst DMZ:Slingshot (type 8, code 0)."

I've been going in circles on this for days... Any help would or idea's would be a big help.
Question by:pbmtech
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
LVL 29

Expert Comment

by:Jan Springer
ID: 39887226
Are you explicitly allowing icmp?

Author Comment

ID: 39887326
We have the one ICMP setting that I mentioned that says "any outside deny all all." (see Capture.PNG attached). That's the only icmp rule I know of? How can I tell if I'm explicitly allowing icmp? The PC that I'm pinging from on the inside (inside/incoming) has source my IP_address to destination any service permit and the DMZ has one access rule (DMZ/incoming) that allows any any IP permit. Our NAT rules are DMZ three static that allow our three DMZ IP address to to interface outside and have an attached outside IP's. Both the DMZ and Inside Nat rules have a dynamic any outside outside rule.
LVL 29

Accepted Solution

Jan Springer earned 500 total points
ID: 39887336
Usually with higher security interfaces, icmp is disabled by default.

You can always "permit icmp any any" and "permit ip any any" attached to the inside and dmz interfaces to verity that (presuming that you don't have an access-list attached to those interfaces).
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.


Author Comment

ID: 39887459
The inside should still be able to ping the DMZ based on the security levels... We do have both NAT and Access rules configured for the inside and DMZ interfaces and I'm sure something is wrong there... Would those permit icmp any any and permit ip any any be NAT rules?
LVL 29

Expert Comment

by:Jan Springer
ID: 39887503
you can do one of two things:

attempt a ping a check the log or run packet-tracer if you know the icmp type and code.

Author Comment

ID: 39901511
I guess that what I really need to figure out is how I can communicate with a PC on another subnet (our DMZ), not just ping. I need to be able to ssh, ping, remote desktop etc... into servers on the DMZ (221.x) from the inside (222.x). I've added the any any icmp to DMZ and to Inside as well as the any any ip and still no luck.

Author Comment

ID: 39907165
So I think I solved this... I added a new Static NAT rule for my PC on the inside to have access to the DMZ network and now I can ping and access web sites running on the DMZ from my inside IP address. I don't understand why I needed to do this but it works :)

Featured Post

Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question