Cisco ASA DMZ to LAN

Slamjam99 (Technical User, Apr 30, 2007)

Hello,

Can somebody please help me with the below:

I need to be able to Ping a host in the DMZ from the Inside.

Details:

DMZ Host: 172.16.99.2
Inside Host: 192.168.0.2

I have a NAT exempt rule between the IPs above and an ACL to allow the ICMP traffic; however, this still does not work.

Any ideas?

Thank you.
 
You also need an access rule permitting access to the DMZ host, if I'm not mistaken.
 
There are a few things you can do depending on your current policy. Since ICMP is not stateful by nature, your request packet is most likely making it to the host, but the reply packet is probably not making it through the ASA. You could add a rule to allow the replies back through, or you can add the "inspect icmp" command to your service policy. If this still doesn't work, post a scrubbed config.
 
So from my understanding, you have something like this?

static (Inside,DMZ) 172.16.99.2 192.168.0.2 netmask 255.255.255.255

access-list DMZ_access_in permit ip host 172.16.99.2 host 192.168.0.2
access-group DMZ_access_in in interface DMZ
same-security-traffic permit inter-interface


- Jon
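
The two options from the earlier reply (allow the replies back through, or add "inspect icmp" to the service policy), written out as an added example that is not from any poster in this thread. It assumes the ASA's default global_policy and inspection_default names, the interface names Inside and DMZ and the ACL name DMZ_access_in used in the last post, and that Inside has the higher security level.

```cisco
! Option A: let the ASA track ICMP sessions so the echo reply is
! matched to the echo request and allowed back without an ACL entry.
! (Assumes the default class-map and "service-policy global_policy global"
! are still present in the running config.)
policy-map global_policy
 class inspection_default
  inspect icmp

! Option B: without inspection, permit only the reply explicitly on the
! DMZ interface. This is scoped to one ICMP type between the two hosts
! from the original question, which is narrower than a "permit ip" entry.
access-list DMZ_access_in extended permit icmp host 172.16.99.2 host 192.168.0.2 echo-reply
access-group DMZ_access_in in interface DMZ

! Checks after applying either option:
! 1. Confirm the inspection is in the running policy (Option A).
show running-config policy-map
! 2. Simulate the echo request (ICMP type 8, code 0) from the inside host;
!    the output lists each phase (ACL, NAT, inspection) and where a drop occurs.
packet-tracer input Inside icmp 192.168.0.2 8 0 172.16.99.2
! 3. Watch the hit count on the reply entry while pinging (Option B).
show access-list DMZ_access_in
```

Only one of the two options is needed; with Option A in place, the echo-reply ACL entry in Option B is unnecessary for pings that start on the Inside.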
 