Cisco ASA5505 – Unable to ping DMZ from Inside interface


I know just enough of the Cisco CLI to make me dangerous. Here's the situation: I have an ASA5505 with DMZ (10.10.10.X) and Inside (192.168.0.X) VLANs. I'm running a couple of servers on a block of outside IPs (1.2.3.X).

From Inside, I can't talk to my DMZ machines. I can talk to the Outside address which is then properly translated to the internal server (is this called hairpinning?) but I want to be able to talk to DMZ addresses directly.

What am I missing here? Thanks in advance for anyone who's willing to advise!

ciscoasa(config-if)# show running-config
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name mycompanydomain.com
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.2.3.201 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 domain-name mycompanydomain.com
access-list out_dmz extended permit icmp any any echo
access-list out_dmz extended permit icmp any any echo-reply
access-list out_dmz extended permit icmp any any time-exceeded
access-list out_dmz extended permit icmp any any unreachable
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 3389
access-list out_dmz extended permit tcp any host 1.2.3.201 eq https
access-list out_dmz extended permit tcp any host 1.2.3.201 eq gopher
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 5500
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40000
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40001
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40002
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40003
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40004
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40005
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40006
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40007
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40008
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40009
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40010
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 5901
access-list out_dmz extended permit tcp any host 1.2.3.202 eq https
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 2222
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 2223
access-list out_dmz extended permit tcp any host 1.2.3.203 eq https
access-list out_dmz extended permit tcp any host 1.2.3.203 eq ssh
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40011
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40012
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40013
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40014
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40015
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40016
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40017
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40018
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40019
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40020
access-list out_dmz extended permit tcp any host 1.2.3.202 eq ssh
access-list icmp-dmz extended permit icmp any any
access-list icmp-dmz extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 10.10.10.0 255.255.255.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface 3389 10.10.10.201 3389 netmask 255.255.255.255
static (dmz,outside) tcp interface https 10.10.10.201 https netmask 255.255.255.255
static (dmz,outside) tcp interface gopher 10.10.10.201 gopher netmask 255.255.255.255
static (dmz,outside) tcp interface 5500 10.10.10.201 5500 netmask 255.255.255.255
static (dmz,outside) tcp interface 40000 10.10.10.201 40000 netmask 255.255.255.255
static (dmz,outside) tcp interface 40001 10.10.10.201 40001 netmask 255.255.255.255
static (dmz,outside) tcp interface 40002 10.10.10.201 40002 netmask 255.255.255.255
static (dmz,outside) tcp interface 40003 10.10.10.201 40003 netmask 255.255.255.255
static (dmz,outside) tcp interface 40004 10.10.10.201 40004 netmask 255.255.255.255
static (dmz,outside) tcp interface 40005 10.10.10.201 40005 netmask 255.255.255.255
static (dmz,outside) tcp interface 40006 10.10.10.201 40006 netmask 255.255.255.255
static (dmz,outside) tcp interface 40007 10.10.10.201 40007 netmask 255.255.255.255
static (dmz,outside) tcp interface 40008 10.10.10.201 40008 netmask 255.255.255.255
static (dmz,outside) tcp interface 40009 10.10.10.201 40009 netmask 255.255.255.255
static (dmz,outside) tcp interface 40010 10.10.10.201 40010 netmask 255.255.255.255
static (dmz,outside) tcp interface 5901 10.10.10.201 5901 netmask 255.255.255.255
static (dmz,outside) tcp interface 2222 10.10.10.201 2222 netmask 255.255.255.255
static (dmz,outside) tcp interface 2223 10.10.10.201 2223 netmask 255.255.255.255
static (dmz,outside) tcp interface 40011 10.10.10.201 40011 netmask 255.255.255.255
static (dmz,outside) tcp interface 40012 10.10.10.201 40012 netmask 255.255.255.255
static (dmz,outside) tcp interface 40013 10.10.10.201 40013 netmask 255.255.255.255
static (dmz,outside) tcp interface 40014 10.10.10.201 40014 netmask 255.255.255.255
static (dmz,outside) tcp interface 40015 10.10.10.201 40015 netmask 255.255.255.255
static (dmz,outside) tcp interface 40016 10.10.10.201 40016 netmask 255.255.255.255
static (dmz,outside) tcp interface 40017 10.10.10.201 40017 netmask 255.255.255.255
static (dmz,outside) tcp interface 40018 10.10.10.201 40018 netmask 255.255.255.255
static (dmz,outside) tcp interface 40019 10.10.10.201 40019 netmask 255.255.255.255
static (dmz,outside) tcp interface 40020 10.10.10.201 40020 netmask 255.255.255.255
static (dmz,outside) tcp 1.2.3.202 https 10.10.10.202 https netmask 255.255.255.255
static (dmz,outside) tcp 1.2.3.202 ssh 10.10.10.202 ssh netmask 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,inside) 1.2.3.201 10.10.10.201 netmask 255.255.255.255
access-group out_dmz in interface outside
access-group icmp-dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 1.2.3.206 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp dmz
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 dmz
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 360000
dhcpd auto_config outside
dhcpd option 3 ip 10.10.10.1
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd option 3 ip 192.168.1.1 interface inside
dhcpd enable inside
!
dhcpd address 10.10.10.20-10.10.10.33 dmz
dhcpd option 3 ip 10.10.10.1 interface dmz
dhcpd enable dmz
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b0bf092f094c827c22cebbce653bc3e6
: end
ciscoasa(config-if)#

Best Answer

(I know this is more than a year old, but I hope it will be useful to others.)

I think you have the ASA 5505 with the Basic license. The Basic license only allows 2 full VLANs, and the third has to be restricted with the command "no forward interface VlanX"; that is why you cannot remove it.

Read this from the Cisco help:

With the Base license, you can only configure a third VLAN if you use this command to limit it.

For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an inside business network, and a third VLAN assigned to your home network. The home network does not need to access the business network, so you can use this option on the home VLAN; the business network can access the home network, but the home network cannot access the business network.

If you already have two VLAN interfaces configured with a name, be sure to configure this setting before setting the name on the third interface; the ASA does not allow three fully functioning VLAN interfaces with the Base license on the ASA 5505.
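As an added example (it is not part of the question or the answer, and not an ASA feature), here is a small Python audit of the running-config format shown in the question. It parses the VLAN interface blocks and reports three things a reviewer would flag in that config: the "no forward interface" restriction and the direction it restricts (the VLAN carrying the command cannot initiate traffic toward the named VLAN, as the quoted Cisco help describes), the ssh lines that accept management connections from any address on outside and dmz, and the permit ip any any entry applied inbound on dmz. The embedded config is an excerpt of the post's own running-config; the acl_required helper encodes the ASA default that traffic from a higher security level to a lower one needs no ACL, while lower-to-higher does.

```python
import re

# Excerpt of the running-config posted in the question (addresses as posted).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.2.3.201 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
access-list icmp-dmz extended permit icmp any any
access-list icmp-dmz extended permit ip any any
access-group out_dmz in interface outside
access-group icmp-dmz in interface dmz
ssh 192.168.0.0 255.255.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 dmz
"""


def parse_interfaces(config):
    """Collect nameif, security-level and 'no forward interface' per interface.

    ASA prints interface sub-commands indented by one space; an unindented
    line ('!' or the next top-level command) closes the block.
    """
    interfaces = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = {"nameif": None, "security": None, "no_forward": []}
            interfaces[m.group(1)] = current
            continue
        if not line.startswith(" "):
            current = None
            continue
        if current is None:
            continue
        words = line.split()
        if words[0] == "nameif":
            current["nameif"] = words[1]
        elif words[0] == "security-level":
            current["security"] = int(words[1])
        elif words[:3] == ["no", "forward", "interface"]:
            current["no_forward"].append(words[3])
    return interfaces


def acl_required(interfaces, src_nameif, dst_nameif):
    """ASA default: higher-to-lower security level passes without an ACL;
    lower-to-higher (or equal) needs one."""
    levels = {d["nameif"]: d["security"] for d in interfaces.values()}
    return levels[src_nameif] <= levels[dst_nameif]


def audit(config):
    """Return the findings a reviewer would raise on this config."""
    interfaces = parse_interfaces(config)
    names = {vlan: d["nameif"] for vlan, d in interfaces.items()}
    findings = []
    # 1. Base-license third-VLAN restriction: the VLAN carrying
    #    'no forward interface VlanX' cannot initiate traffic toward VlanX.
    for vlan, d in interfaces.items():
        for target in d["no_forward"]:
            findings.append(
                f"{d['nameif']} ({vlan}) cannot initiate traffic to "
                f"{names.get(target, target)} ({target}): "
                "'no forward interface' (Base-license third-VLAN restriction)")
    # 2. Management plane reachable from any source address on an interface.
    for line in config.splitlines():
        m = re.match(r"(ssh|telnet|http) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line)
        if m:
            findings.append(
                f"{m.group(1)} management open to any address on {m.group(2)}")
    # 3. An ACL containing 'permit ip any any' applied inbound on an interface
    #    filters nothing on that interface.
    any_any = set()
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) extended permit ip any any$", line)
        if m:
            any_any.add(m.group(1))
    for line in config.splitlines():
        m = re.match(r"access-group (\S+) in interface (\S+)$", line)
        if m and m.group(1) in any_any:
            findings.append(
                f"ACL {m.group(1)} on {m.group(2)} permits ip any any inbound; "
                "it does not filter anything on that interface")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the excerpt, the script reports four findings: the dmz VLAN cannot initiate traffic to inside, ssh is open to any address on outside and on dmz, and the icmp-dmz ACL on dmz is effectively unfiltered. The acl_required helper shows why the inside-to-dmz direction asked about in the question needs no ACL at all (100 to 50), so the answer's licensing restriction is the part of this config worth looking at first.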