ASA ICMP from Outside to Inside | Help!

Hello Guys,

I am confused about the theoretical part; I don't know if I can do what I am intending to do.
I have an ASA 55x configured and I'm able to ping from outside to DMZ by pre-defined rules without problems. However, when I tried the same from outside to inside, the ASA does not even give a reason, it just drops the packet in packet-tracer:

Asa# packet-tracer input outside icmp <hidden> 0 0 $
Result:
Action: drop

My question is whether it is possible for an IP on the internet to ping from outside to inside directly, without passing through the DMZ, remembering that when I tried from outside to DMZ it worked and also gave me a reason when tested with the packet-tracer command.

Help me!

Hello Lukas

The behaviour that you are describing is actually done by design. When you configure a DMZ, it is designed to be able to communicate with the “internet at large”, so communication from the OUTSIDE interface towards the DMZ is allowed. Take a look at the Security Zones section of the following lesson:

However, communication from OUTSIDE to INSIDE is not allowed. You can however make an exception to this rule by using an access list, and specifying what kind of traffic you will allow taking place in this direction. More info on how this can be done can be found here:

Now one thing to keep in mind is that if the destination of your ping is the ASA interface itself, then you will get no response to the ping. The ASA is designed not to respond to pings that come from a different subnet. This may be the reason that there is no reason given for the drop. Take a look and let us know…

I hope this has been helpful!

Laz

Hello Lazaros,

Thank you for the explanation. However, if, for instance, we are trying to monitor the inside interface from outside, how can that be achieved?

Thanks in advance.

Regards,
Justin George

Hello Justin

Typically, you would have your monitoring devices on the inside of the network, so this wouldn't be a problem. However, there are cases where you may want to have your monitoring system centrally located on the internet in order to monitor multiple sites; then you may want to be able to monitor the inside interface from the outside.

In order to achieve this, there are a couple of approaches.

The first involves simply creating an access list that allows such traffic to come from the outside interface and be destined for the inside interface, as described in the above post. You would have to specify the protocol being used (ICMP) and it would be best to also specify the expected source IP of the “pinger” to ensure that no other hosts are allowed to perform such a ping.

The second, which I would prefer, is to provide a VPN connection for the monitoring system to obtain an IP address on the inside network of the ASA. This gives the monitoring system full access to the internal network, allowing it not only to ping the inside interface but also to monitor any other devices on the network using any other monitoring protocols such as SNMP or others.

I hope this has been helpful!

Laz
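As an added example (not from the thread and not Laz's configuration), this is what the two approaches above look like in ASA configuration. All addresses are constructed from the RFC 5737 documentation ranges and the object and ACL names are assumed; it also shows the separate icmp command that governs ICMP sent to the ASA's own interface IPs, which interface ACLs do not control.

```cisco
! Constructed addresses, not from the thread:
!   203.0.113.10      = monitoring host on the internet
!   192.168.10.0/24   = inside network behind the ASA
!   192.168.10.20     = an inside host used for the packet-tracer check
!
! 1) ACL approach: permit ICMP echo only from the monitoring host, only to
!    the inside network, and log everything else that is denied.
!    (Any NAT needed for the inside host to be reachable is omitted here.)
object network MONITOR_HOST
 host 203.0.113.10
object network INSIDE_NET
 subnet 192.168.10.0 255.255.255.0
access-list OUTSIDE_IN extended permit icmp object MONITOR_HOST object INSIDE_NET echo
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! ICMP inspection lets the echo-replies return statefully, so no reverse
! ACL entry is needed on the inside interface.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! 2) ICMP addressed to an ASA interface IP itself is controlled by the icmp
!    command (first match wins, implicit deny once any rule exists).
!    Allow echo only from the monitoring host; keep unreachables so path MTU
!    discovery still works.
icmp permit host 203.0.113.10 echo outside
icmp permit any unreachable outside
!
! 3) VPN approach: once the monitoring system lands on the inside network
!    over VPN, management-access allows it to reach the inside interface IP.
management-access inside
!
! Check the ACL path before trusting it (ICMP type 8 = echo, code 0):
! packet-tracer input outside icmp 203.0.113.10 8 0 192.168.10.20 detailed
```

The packet-tracer line is the same check used at the top of the thread; a drop with no ACL phase shown usually means the packet was addressed to the ASA itself rather than through it.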