I have configured Cisco ASA Firewall and I have given ICMP Inspect also But I cant able to ping the PC Kept in the DMZ from the Outside interface

HI,

• · Please check the whether the security level for DMZ and outside interface, If DMZ is high security level. Please do the NAT configuration
• · If it's having the same security level. Please issue the command "same-security-traffic permit inter-interface "in the global config mode.

Best way to migrate is to take the configuration of the old PIX and TFTP it to a PC or other server for safe keeping.

Then boot up the ASA in a lab environment and TFTP the configuration to the new unit and reboot. There will be some commands that don't translate correctly, but you can compare the configurations to each other to make sure all the access lists and NAT statements get transferred across.

Keep in mind that the PIX and the ASA name their interfaces differently, so there may be errors when you transfer the configuration. You can edit the configuration offline with something like Notepad and change the names of the interfaces to have it work.

Good luck!

Use the Cisco ASDM or SDM software, that will give you an easy graphical interface to configure the ASA. One of them would have been shipped with the device.

Don't forget the ASA has to pre-configured, just a simple config. Have HTTPS enabled and telnet/SSH helps as well if you dont have a serial port or the console cable.

Cisco's website will give you quite a lot of info for free...

It sounds like you have not allowed ICMP (ping) through the firewall, and you may need to put an access list in to allow this.

1. Change your PCs default gateway to your firewalls' internal IP

2. configure the nameservers on your ASA

Then internet will work fine.

Remove this line:

static (DMZ,INSIDE) 10.10.0.0 10.10.0.0 netmask 255.255.255.0

You don't need a translation going from a lower security level to a higher one. You will also need a nat line for the dmz so that pc's on the dmz will be translated outbound. The only connection that will work on the dmz is the webserver when he's sending traffic outbound with a source port of 80. Something like:

nat (DMZ) 101 10.10.0.0 255.255.255.0

Other than that, it looks like it should be working. You've got permission, a route, and a translation. Maybe "clear local-host 10.10.0.2" to get rid of any bad xlates and try again. Check debg level syslogs, run packet captures, "clear asp drop" then "show asp drop" after an attempt?

Check for an IP conflict. How are you assigning the IP address on the workstations? If one of them happened to have the same ip address as the ip on the vlan1 on the ASA for example, you would have that exact issue.

Let me know how things go.

Hi Thangaraj_j,

Can you provide the topology of your setup? Can you provide also the following:

- running configuration of the ASA
- ip address of the server (what kind of server is this? what tcp/udp port does it use)
- show xlate
- show con
- show log

Just a quick try, have you tried clearing the translation and the arp table?

commands to do it:

clear xlate
clear arp
clear local

Let me know and if it still doesn't work, try to ping the server from the pc clients and see if ping does work. (you need to allow icmp to pass thru in case you are denying it for testing purposes) Just send me the additional information given above.


Regards,

ex_ocsic_cat

If you can't get the manament working initially I suggest the following

Setup a console connection
Type "enable" and press enter to access priveleged exec mode on the ASA
Type "config terminal" and press enter to access configuration mode
Type "configure factory-default" and press enter to load default settings.
Assign a static IP to your PC of 192.168.1.5 and try to browse to https://192.168.1.1 (PC is plugged into management interface)

You should be prompted to begin using ASDM