Can't access DMZ from internal network

Hi experts, I'll be introducing a router into my network and will be connected as shown in the diagram. The workstation can access the internet without any issue. However I'm trying to ping the servers in my DMZ. I couldn't do that. The security level of the DMZ is 50 and the inside is 100. I have a wireless network on my ASA too. The strange thing is I can ping to my AP connected to my wireless network but can't ping any servers connected to the DMZ network. No NAT has been configured for both DMZ and Wireless Network. Can someone please help?
Network-Diagram.pdf
totallypatrickAsked:
Who is Participating?
 
Pete LongConnect With a Mentor Technical ConsultantCommented:
Whats the router? can the router ping the host in the DMZ? I'm assuming the routers default route is the inside of the ASA?


If the workstation behind the router is a different subnet then you will either need to perform NAT overload on the Router, OR add a static route to the ASA to route all traffic for the network behind the router, to the router?

Pete
0
 
Muhammad MullaCommented:
This depends on what ports you have open between your internal network and the DMZ. If ICMP is not a permitted service / port, then ping won't work.
0
 
totallypatrickAuthor Commented:
Hi i have permitted all ports as in permit ip
0
Turn Raw Data into a Real Career

There’s a growing demand for qualified analysts who can make sense of Big Data. With an MS in Data Analytics, you can become the data mining, management, mapping, and munging expert that today’s leading corporations desperately need.

 
Pete LongTechnical ConsultantCommented:
You need to allow ICMP! and you need to have ICMP inspection enabled

Cisco Firewalls and PING

Also take a look at this

ASA 5500 Adding a DMZ Step By Step

pete
0
 
totallypatrickAuthor Commented:
Hi Pete, I already have icmp inspection enabled. I can ping my DMZ host from the inside network of my ASA firewall but after I introduce a new router, I can seem to ping it from a workstation behind the router. However I can ping my AP on the wireless network. Strange. Do I need to have NAT enabled somewhere? In the Router or Firewall or not necessary?
0
 
totallypatrickAuthor Commented:
Hi Pete, the router is a Cisco 2900 series router. The router's default route is the inside of the ASA but the  can't ping any host in the DMZ either.

Yes the workstation behind the router is on a different subnet. I have already added a static route to the ASA to route all traffic to the workstation subnet on the ASA.

Do I still need to perform NAT overload on the router in this case?
0
 
Pete LongTechnical ConsultantCommented:
>> Do I still need to perform NAT overload on the router in this case?

NO as long as theres a route on the ASA and the default route on the 2900 is the ASA

In substations like these I find the DMS form the workstation then run a packet capture in the inside of the ASA, If I cant see the traffic then the problems on the 2900.

P
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.