Asa :can t ping from inside to outside

[salwayasalam]

hi,

-my problem is that i can t ping from inside to zones withe less security-level as dmz and outside.

from what i know it should do that without an access-list.(same thing with dmz)

i can ping from outside to dmz and inside (can t ping the real addresses just the natted ones).

-and i want to know how to test if the outside can get to DNS and smtp, but i don t know how

(i don t know much about protocoles).

my sheme is lika that :


|outside 212.217.1.0/24
|

|.1

inside _____________________.1_ASA_.1____________________dmz

192.168.1.0/24 10.10.10.10/24


my config is like that :



hostname ciscoasa


interface GigabitEthernet0/0


nameif inside


security-level 100


ip address 192.168.1.1 255.255.255.0


!


interface GigabitEthernet0/1


nameif dmz


security-level 50


ip address 10.10.10.1 255.255.255.0


!


interface GigabitEthernet0/2


nameif outside


security-level 0


ip address 212.217.1.1 255.255.255.0


access-list INBOUND extended permit tcp any host 10.10.10.20 eq domain

access-list INBOUND extended permit tcp any host 10.10.10.30 eq smtp

access-list INBOUND extended permit icmp any any echo

access-list INBOUND extended permit icmp any any echo-reply

access-list INBOUND extended permit icmp any any time-exceeded

access-list INBOUND extended deny ip any any


access-list DMZ extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list DMZ extended permit ip 10.10.10.0 255.255.255.0 212.217.1.0 255.255.255.0


access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 212.217.1.0 255.255.255.0

access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0


access-group INSIDE in interface inside

access-group DMZ in interface dmz

access-group INBOUND in interface outside


global (dmz) 1 10.10.10.40-10.10.10.60 netmask 255.255.255.0

global (outside) 1 212.217.1.40-212.217.1.60 netmask 255.255.255.0

nat (inside) 1 192.168.1.0 255.255.255.0

nat (dmz) 1 10.10.10.0 255.255.255.0


route outside 0.0.0.0 0.0.0.0 212.217.1.1 1

 

[moldar]

Nous sommes sur un forum français