Why am I not able to ping my DMZ interface from the inside interface on an ASA 5505 (8.2) when I am able to do this on another ASA running 8.4?

I am interested in knowing why on an ASA 5505 running 8.2 am I NOT able to ping the DMZ interface from anything on the inside interface, but on another ASA 5505 running 8.4 that we set up basically the same way AM I able to ping the DMZ interface from anything on the inside interface. I would like to be able to actually turn that off on the ASA running 8.4 if I could, but I just don't know the command to do this. Is this just something that 8.4 allows inherently?

debbiez asked:
ArchiTech89 (IT Security Engineer) commented:
Sometimes this has to do with ACLs. One of the best ways to troubleshoot is through ASDM. After logging in, go to Monitoring (at the top), and on the left side click on Logging on the bottom. Make sure your Logging Level: is set to Debugging, then click the View... button.

After you have the window up, you can start the ping from anywhere on the inside network and watch what happens to it. If it shows 'denied', it's probably an ACL problem. If you have too much scrolling by, just type the machine's IP you're pinging from in the Filter By: field at the top of the window and press Enter. Then you'll only see the traffic coming from or going to that particular IP address.

If it's being denied, do a `sh run access-list` and `sh run access-group` on the device. The output from the former should list an access-list titled something like "inside-in". You should see something like `permit icmp any any` in it. The output from the latter should have that ACL "attached", so to speak, to the inside interface.

If you want you can post your running config, but just remember to cross out any identifying information (like IP addresses, domains, etc.).
debbiez (Author) commented:
OK, I get that, but SHOULD the DMZ interface BE pingable from the inside interface? I would think so, yes, as it is a lower security level, correct?
ArchiTech89 (IT Security Engineer) commented:
Well, you're partly right. The lower security level, however, doesn't always allow traffic, and I believe ICMP is one of those cases. So, for example, I had something like this recently and I had to manually allow ICMP. And most of our firewall pairs (we have 6, all 8.3 or higher) have to have permit statements as described above.

So no, as far as I'm aware, ping/ICMP is not allowed by default.

Hope that helps...
debbiez (Author) commented:
I was able to communicate on the DMZ side now from the inside interface by adding a NAT exempt rule for outbound traffic on the inside interface to the DMZ interface. But what is natively allowing this on the ASA with ver 8.4 software? The coding is completely different.
ArchiTech89 (IT Security Engineer) commented:
Yes, that's right (I should've caught that). With version 8.3, NAT and ACLs were changed substantially. In fact, upgrading to later releases ideally requires an upgrade first to 8.2.x, then 8.3.x+ (ideally 8.4.6, according to Cisco's recommendations) before moving to any version 9.x. NAT is now easier (harder?) and ACLs now use only real IP addresses, not the global ones as before.

Basically, 8.2 --> 8.3 was a major upgrade and presented completely new configuration concepts.

Don't think I was very helpful, but I'm glad you got it sorted out...
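The two NAT styles this thread contrasts, side by side, as an added configuration example that is not taken from the asker's or the expert's devices; the interface names (inside, dmz), the 192.168.x.0 networks and the object/ACL names are assumptions:

```cisco
! --- ASA 8.2: NAT exemption (identity NAT) for inside -> dmz ---
! On 8.2 a dynamic "nat (inside) 1 ..." rule with no matching "global (dmz) 1"
! leaves inside->dmz traffic without a translation, and the ASA drops it with
! a "no translation group found" message; the exemption below fixes that.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! --- ASA 8.3 and later: the same intent, written as object-based twice NAT ---
! From 8.3 on, no translation is required for traffic to pass, which is why the
! 8.4 unit works "natively"; this rule only matters if another NAT rule would
! otherwise translate inside->dmz traffic.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network DMZ-NET
 subnet 192.168.2.0 255.255.255.0
nat (inside,dmz) source static INSIDE-NET INSIDE-NET destination static DMZ-NET DMZ-NET

! --- Both versions: let the echo replies back in through inspection ---
! ICMP is not tracked statefully unless "inspect icmp" is enabled; the
! alternative is an explicit "permit icmp" entry in the ACL bound to dmz.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Whichever version is in use, the ASDM logging view described earlier in the thread will show whether a dropped ping failed on NAT (no translation) or on an ACL (denied), which tells you which of the two blocks above applies.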
