hi,
- My problem is that I can't ping from inside to zones with a lower security level, such as dmz and outside.
From what I know it should do that without an access-list (same thing with dmz).
I can ping from outside to dmz and inside (I can't ping the real addresses, just the natted ones).
- And I want to know how to test if the outside can get to DNS and smtp, but I don't know how
(I don't know much about protocols).
My scheme is like this:
                        outside 212.217.1.0/24
                                 |
                                 | .1
inside ___________________.1_[ ASA ]_.1___________________ dmz
192.168.1.0/24                                     10.10.10.10/24
My config is like this:
hostname ciscoasa
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif dmz
security-level 50
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif outside
security-level 0
ip address 212.217.1.1 255.255.255.0
access-list INBOUND extended permit tcp any host 10.10.10.20 eq domain
access-list INBOUND extended permit tcp any host 10.10.10.30 eq smtp
access-list INBOUND extended permit icmp any any echo
access-list INBOUND extended permit icmp any any echo-reply
access-list INBOUND extended permit icmp any any time-exceeded
access-list INBOUND extended deny ip any any
access-list DMZ extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ extended permit ip 10.10.10.0 255.255.255.0 212.217.1.0 255.255.255.0
access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 212.217.1.0 255.255.255.0
access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-group INSIDE in interface inside
access-group DMZ in interface dmz
access-group INBOUND in interface outside
global (dmz) 1 10.10.10.40-10.10.10.60 netmask 255.255.255.0
global (outside) 1 212.217.1.40-212.217.1.60 netmask 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 10.10.10.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 212.217.1.1 1
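As an added illustration (not part of the post), this Python model parses the access-list lines from the configuration above and evaluates a flow against them the way the ASA does once an ACL is applied to an interface: first match wins, and the implicit deny at the end replaces the security-level default, so it shows which pings and DNS/SMTP connections the posted ACLs allow. It models ACL matching only, not NAT, routing or ICMP inspection, and the source addresses used in the checks are constructed.

```python
import ipaddress

PORT_NAMES = {"domain": 53, "smtp": 25}  # service names that appear in the posted ACLs

def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def parse_acls(config):
    """Return {acl_name: [(action, proto, src, dst, qualifier), ...]} in configured order."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2:3] != ["extended"]:
            continue
        src, i = _addr(tok, 5)
        dst, i = _addr(tok, i)
        qual = None  # destination port (int) or ICMP type name (str), if present
        if i < len(tok):
            qual = PORT_NAMES[tok[i + 1]] if tok[i] == "eq" else tok[i]
        acls.setdefault(tok[1], []).append((tok[3], tok[4], src, dst, qual))
    return acls

def evaluate(rules, src, dst, proto, qual=None):
    """First match wins; an ACL applied to an interface ends in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rqual in rules:
        if rproto in ("ip", proto) and s in rsrc and d in rdst and rqual in (None, qual):
            return action
    return "deny"

# The access-list lines exactly as they appear in the posted configuration.
POSTED = """
access-list INBOUND extended permit tcp any host 10.10.10.20 eq domain
access-list INBOUND extended permit tcp any host 10.10.10.30 eq smtp
access-list INBOUND extended permit icmp any any echo
access-list INBOUND extended permit icmp any any echo-reply
access-list INBOUND extended permit icmp any any time-exceeded
access-list INBOUND extended deny ip any any
access-list DMZ extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ extended permit ip 10.10.10.0 255.255.255.0 212.217.1.0 255.255.255.0
access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 212.217.1.0 255.255.255.0
access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
"""
ACLS = parse_acls(POSTED)
def check(acl, src, dst, proto, qual=None):
    return evaluate(ACLS[acl], src, dst, proto, qual)
```

Running checks such as `check("INBOUND", "203.0.113.5", "10.10.10.20", "udp", 53)` shows that a UDP DNS query from outside falls through to the deny line, because INBOUND only permits TCP to port domain, while an inside ping to a host outside the two listed destination subnets is dropped by the implicit deny of INSIDE.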