Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 102
  • Last Modified:

Can't access DMZ from internal network

Hi experts, I'll be introducing a router into my network and will be connected as shown in the diagram. The workstation can access the internet without any issue. However I'm trying to ping the servers in my DMZ. I couldn't do that. The security level of the DMZ is 50 and the inside is 100. I have a wireless network on my ASA too. The strange thing is I can ping to my AP connected to my wireless network but can't ping any servers connected to the DMZ network. No NAT has been configured for both DMZ and Wireless Network. Can someone please help?
Network-Diagram.pdf
0
totallypatrick
Asked:
totallypatrick
  • 3
  • 3
1 Solution
 
Muhammad MullaCommented:
This depends on what ports you have open between your internal network and the DMZ. If ICMP is not a permitted service / port, then ping won't work.
0
 
totallypatrickAuthor Commented:
Hi i have permitted all ports as in permit ip
0
 
Pete LongConsultantCommented:
You need to allow ICMP! and you need to have ICMP inspection enabled

Cisco Firewalls and PING

Also take a look at this

ASA 5500 Adding a DMZ Step By Step

pete
0
Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

 
totallypatrickAuthor Commented:
Hi Pete, I already have icmp inspection enabled. I can ping my DMZ host from the inside network of my ASA firewall but after I introduce a new router, I can seem to ping it from a workstation behind the router. However I can ping my AP on the wireless network. Strange. Do I need to have NAT enabled somewhere? In the Router or Firewall or not necessary?
0
 
Pete LongConsultantCommented:
Whats the router? can the router ping the host in the DMZ? I'm assuming the routers default route is the inside of the ASA?


If the workstation behind the router is a different subnet then you will either need to perform NAT overload on the Router, OR add a static route to the ASA to route all traffic for the network behind the router, to the router?

Pete
0
 
totallypatrickAuthor Commented:
Hi Pete, the router is a Cisco 2900 series router. The router's default route is the inside of the ASA but the  can't ping any host in the DMZ either.

Yes the workstation behind the router is on a different subnet. I have already added a static route to the ASA to route all traffic to the workstation subnet on the ASA.

Do I still need to perform NAT overload on the router in this case?
0
 
Pete LongConsultantCommented:
>> Do I still need to perform NAT overload on the router in this case?

NO as long as theres a route on the ASA and the default route on the 2900 is the ASA

In substations like these I find the DMS form the workstation then run a packet capture in the inside of the ASA, If I cant see the traffic then the problems on the 2900.

P
0

Featured Post

NEW Veeam Backup for Microsoft Office 365 1.5

With Office 365, it’s your data and your responsibility to protect it. NEW Veeam Backup for Microsoft Office 365 eliminates the risk of losing access to your Office 365 data.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now