Solved

Can't access DMZ from internal network

Posted on 2016-11-01
Last Modified: 2016-11-02
Hi experts, I'll be introducing a router into my network and it will be connected as shown in the diagram. The workstation can access the internet without any issue. However, when I try to ping the servers in my DMZ, I can't. The security level of the DMZ is 50 and the inside is 100. I have a wireless network on my ASA too. The strange thing is I can ping my AP connected to my wireless network but can't ping any servers connected to the DMZ network. No NAT has been configured for either the DMZ or the wireless network. Can someone please help?
Network-Diagram.pdf
Question by:totallypatrick
7 Comments
 
LVL 10

Expert Comment

by:Muhammad Mulla
ID: 41868175
This depends on what ports you have open between your internal network and the DMZ. If ICMP is not a permitted service / port, then ping won't work.
 

Author Comment

by:totallypatrick
ID: 41868191
Hi, I have permitted all ports, as in `permit ip`.
 
LVL 57

Expert Comment

by:Pete Long
ID: 41868287
You need to allow ICMP! And you need to have ICMP inspection enabled.

Cisco Firewalls and PING

Also take a look at this

ASA 5500 Adding a DMZ Step By Step

pete
 

Author Comment

by:totallypatrick
ID: 41868312
Hi Pete, I already have ICMP inspection enabled. I can ping my DMZ host from the inside network of my ASA firewall, but after introducing the new router I can't seem to ping it from a workstation behind the router. However, I can ping my AP on the wireless network. Strange. Do I need to have NAT enabled somewhere? In the router or the firewall, or is it not necessary?
 
LVL 57

Accepted Solution

by:Pete Long (earned 500 total points)
ID: 41868543
What's the router? Can the router ping the host in the DMZ? I'm assuming the router's default route is the inside of the ASA?


If the workstation behind the router is on a different subnet then you will either need to perform NAT overload on the router, OR add a static route to the ASA routing all traffic for the network behind the router to the router.

Pete
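The two options Pete describes, written out as an added configuration example (this is not configuration from the thread or from Pete; the interface names, addresses and subnets below are assumed for illustration: ASA inside 192.168.1.1/24, ASA DMZ 192.168.50.1/24 with nameif "dmz", the 2900 router at 192.168.1.2 on the inside segment, and the workstation LAN 192.168.2.0/24 behind the router). ASA 8.3-or-later syntax is assumed.

```cisco
! ===== On the ASA =====
!
! Option A (the asker's choice): give the ASA a route back to the workstation subnet.
! Without it the echo request still reaches the DMZ host, but the DMZ host's reply,
! destined for 192.168.2.x, is sent by the ASA along its default route (outside)
! and is never seen by the workstation.
route inside 192.168.2.0 255.255.255.0 192.168.1.2 1

! ICMP is not tracked statefully unless it is inspected. With inspection on, the
! echo request from inside (100) to DMZ (50) creates a connection entry and the
! echo reply from DMZ to inside is allowed back through it.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! Only relevant if an access-list is applied inbound on the inside interface: once
! an ACL is bound there, the implicit higher-to-lower permit no longer applies, so the
! ACL must cover the workstation subnet as well as the directly connected inside subnet.
! (The asker says this is already a blanket "permit ip".)
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_access_in extended permit icmp 192.168.2.0 255.255.255.0 192.168.50.0 255.255.255.0
access-group inside_access_in in interface inside

! ===== On the 2900 router (IOS) =====
!
! The router needs nothing more than a default route pointing at the ASA inside interface.
ip route 0.0.0.0 0.0.0.0 192.168.1.1

! Option B (only if you do NOT add the static route on the ASA): NAT overload on the
! router, so every workstation packet leaves the router sourced from 192.168.1.2, an
! address the ASA already knows how to reach. Do not combine A and B; one is enough.
!
! access-list 10 permit 192.168.2.0 0.0.0.255
! ip nat inside source list 10 interface GigabitEthernet0/0 overload
! interface GigabitEthernet0/1
!  description Workstation LAN
!  ip address 192.168.2.1 255.255.255.0
!  ip nat inside
! interface GigabitEthernet0/0
!  description Link to ASA inside
!  ip address 192.168.1.2 255.255.255.0
!  ip nat outside
```

Two checks worth making alongside this: the DMZ servers' default gateway must be the ASA's DMZ interface (if a server routes its reply elsewhere, no ASA route will help), and host firewalls on the servers may answer pings only from their own subnet, which would explain pings succeeding from the ASA's inside subnet but not from a subnet behind a router.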
 

Author Comment

by:totallypatrick
ID: 41869319
Hi Pete, the router is a Cisco 2900 series router. The router's default route is the inside of the ASA, but the router can't ping any host in the DMZ either.

Yes the workstation behind the router is on a different subnet. I have already added a static route to the ASA to route all traffic to the workstation subnet on the ASA.

Do I still need to perform NAT overload on the router in this case?
 
LVL 57

Expert Comment

by:Pete Long
ID: 41869746
>> Do I still need to perform NAT overload on the router in this case?

NO, as long as there's a route on the ASA and the default route on the 2900 is the ASA.

In situations like these I ping the DMZ from the workstation, then run a packet capture on the inside of the ASA. If I can't see the traffic then the problem's on the 2900.

P
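The capture-based isolation Pete describes, plus the ASA's own packet simulator, as an added troubleshooting example (not commands from the thread; the same assumed addressing as above: workstation LAN 192.168.2.0/24 behind the 2900 at 192.168.1.2, ASA DMZ 192.168.50.0/24 with nameif "dmz", and a sample workstation 192.168.2.10 and DMZ server 192.168.50.10).

```cisco
! ===== On the ASA: does the workstation's ping even arrive? =====
capture dmztest interface inside match icmp 192.168.2.0 255.255.255.0 192.168.50.0 255.255.255.0
! ... ping 192.168.50.10 from the workstation, then:
show capture dmztest
! Nothing captured            -> the packet never left the 2900 (router routing/NAT/ACL)
! Echo requests, no replies   -> the ASA has the packet; look at routing, ACL or the DMZ host
! Requests and replies        -> the ASA is passing it; look at the router or the workstation
no capture dmztest

! Let the ASA walk the packet through route lookup, ACL, NAT and inspection and
! report the exact phase that drops it.
packet-tracer input inside icmp 192.168.2.10 8 0 192.168.50.10 detailed

! Confirm the return route that the accepted answer depends on actually exists.
show route | include 192.168.2.0

! ===== On the 2900: is the router itself reachable from the DMZ? =====
! Sourcing the ping from the LAN-side address makes it look, to the ASA, exactly
! like a workstation packet: same source subnet, same return-route requirement.
ping 192.168.50.10 source 192.168.2.1
show ip route 192.168.50.10
```

If `packet-tracer` reports a drop in the ACL phase, the inside access-list does not cover the workstation subnet; if the capture shows requests but no replies and the ASA route is present, the remaining suspects are the DMZ server's own gateway or host firewall.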
