totallypatrick
asked on
Can't access DMZ from internal network
Hi experts, I'll be introducing a router into my network, and it will be connected as shown in the diagram. The workstation can access the internet without any issue. However, when I try to ping the servers in my DMZ, I can't. The security level of the DMZ is 50 and the inside is 100. I have a wireless network on my ASA too. The strange thing is I can ping my AP connected to my wireless network but can't ping any servers connected to the DMZ network. No NAT has been configured for either the DMZ or the Wireless Network. Can someone please help?
Network-Diagram.pdf
This depends on what ports you have open between your internal network and the DMZ. If ICMP is not a permitted service / port, then ping won't work.
ASKER
Hi, I have permitted all ports, as in permit ip.
You need to allow ICMP, and you need to have ICMP inspection enabled.
Cisco Firewalls and PING
Also take a look at this
ASA 5500 Adding a DMZ Step By Step
pete
ASKER
Hi Pete, I already have ICMP inspection enabled. I can ping my DMZ host from the inside network of my ASA firewall, but after I introduce a new router, I can't seem to ping it from a workstation behind the router. However, I can ping my AP on the wireless network. Strange. Do I need to have NAT enabled somewhere? In the router or firewall, or is it not necessary?
ASKER CERTIFIED SOLUTION
ASKER
Hi Pete, the router is a Cisco 2900 series router. The router's default route is the inside of the ASA, but it can't ping any host in the DMZ either.
Yes the workstation behind the router is on a different subnet. I have already added a static route to the ASA to route all traffic to the workstation subnet on the ASA.
Do I still need to perform NAT overload on the router in this case?
>> Do I still need to perform NAT overload on the router in this case?
No, as long as there's a route on the ASA and the default route on the 2900 is the ASA.
In situations like these I ping the DMZ from the workstation, then run a packet capture on the inside of the ASA. If I can't see the traffic, then the problem's on the 2900.
P
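The route, ICMP inspection and inside-interface capture discussed in this thread, written out as an ASA configuration and diagnostic sequence. This is an added example, not configuration posted by the asker or by Pete; all addresses and the 2900's interface IP are assumed.

```cisco
! Added example, not from the thread. Assumed addressing:
!   ASA inside 192.168.1.1/24, 2900 inside-facing interface 192.168.1.2,
!   workstation LAN 192.168.50.0/24 behind the 2900, DMZ host 172.16.1.10.
!
! 1. Return path: the ASA must know the workstation subnet sits behind the 2900,
!    otherwise DMZ echo-replies leave the inside interface toward the wrong next hop.
route inside 192.168.50.0 255.255.255.0 192.168.1.2
!
! 2. Stateful ICMP: echo-replies coming back from the DMZ (security 50 -> 100)
!    are only permitted when ICMP is inspected.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! 3. Pete's test: capture pings from the workstation subnet on the inside interface
!    while pinging the DMZ host from the workstation.
!    No packets captured  -> the 2900 is not forwarding them (check its routing/ACLs).
!    Requests but no replies -> the problem is on the ASA or the DMZ host.
capture dmzping interface inside match icmp 192.168.50.0 255.255.255.0 host 172.16.1.10
show capture dmzping
no capture dmzping
!
! 4. Simulate an echo request (ICMP type 8, code 0) through the ASA's rule processing;
!    the output names the phase (ACL, NAT, route) that reports DROP, if any.
packet-tracer input inside icmp 192.168.50.10 8 0 172.16.1.10 detailed
!
! 5. Caveat for pre-8.3 images with nat-control enabled: inside->dmz traffic from a
!    subnet that matches no nat statement is dropped ("no translation group found").
!    Only apply this identity exemption if packet-tracer shows that drop.
access-list NONAT extended permit ip 192.168.50.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

Run step 3 and step 4 before changing anything; they localise the fault to the router or the firewall without guessing.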