
How to access my own Public IP from inside Network

Unanswered Question
Mar 16th, 2007

I am using an ASA 5510 appliance in a test environment and noticed that from the inside network I can ping most of the IPs on the internet, for example yahoo.ca.

But I can NOT ping the public IPs of my own servers, which are statically NATed on my ASA, and I am trying to understand the process and, if possible, a workaround to achieve it.

Currently ICMP is allowed any to any for this testing, and the outbound traffic gets NATed to the outside interface of my ASA.

Will appreciate any advice.




I've been trying to make this work and have had no luck. I've got a 515E running 7.0(2) and attempted to use this command to allow hosts on my subnet to browse the website on ;

static (outside,inside)

It simply will not seem to work. Can anyone lend some assistance?

spabbi100 Wed, 06/13/2007 - 11:08
Hi David,

Just saw your question in the middle of this thread, which I initiated a few months ago, and finally the issue was resolved, so I thought you might be looking for the same solution.

As per your description, is your inside network and you are trying to have a static NAT translation to and also you want to browse the website on IP .

I assume you are trying it from a machine on the inside of your network; if that's the case, then we are on the same page, and here is how you will resolve this.

Required commands:

same-security-traffic permit intra-interface

static (inside,outside) netmask

static (inside,inside) netmask

static (inside,inside) netmask


Because the request is initiated from inside the firewall, it hits the INSIDE interface; then, after the NAT translation, the packets have to come out of the same INSIDE interface towards your LAN, so the first command allows packets to enter and leave from the same interface. It's a global command.

The second command will allow your web server with private IP to appear as public IP to the outside world (NOT inside users).

Assuming the client on the inside network has IP, when it tries to access the website by public IP, the third command translates the web server's public IP to the private IP.

The fourth command does the source translation, converting the original client IP to a fake, non-existent IP. (This step is very important, because without this the web server will receive the incoming packet, but for the return traffic it will try to go to the client IP directly, because it's in the same subnet, and it never reaches there as it bypasses the firewall.) So in the web server logs it will appear as if the request has come from NOT

Hope it helps .......


abinjola Fri, 03/16/2007 - 10:36
User Badges:
  • Cisco Employee,

From "inside" you can never ping public IPs used in a static mapping, if that's what you are trying, until you are U-turning the traffic.

Can you tell us from where you are trying to ping those public IPs?

spabbi100 Fri, 03/16/2007 - 10:51
OK, here is a bit more detailed description:

A very standard setup with an ASA 5510 firewall (outside 66.48.x.x ; inside ); behind that is a CSS 11503 load balancer (outside ; inside ); behind the CSS there are a bunch of web servers (, 101, 102) and an FTP server (

The requirement is to allow the FTP server to access the web servers using the farm IP, and by default the load balancer does NOT entertain any request (for the farm it's handling) which doesn't come through its outside interface (. So I am trying to target the public IP of the server farm so that from the FTP server the packets first cross the CSS load balancer, hit the inside interface of the ASA and then come back with a different source IP ( which is the static public IP of the FTP server), hit the outside interface of the CSS, and it processes the request just as if for an Internet client.

Not sure if I explained that well; in a nutshell, a server behind the load balancer is trying to access the load-balanced farm IP to maintain redundancy for HTTP access.



abinjola Fri, 03/16/2007 - 11:18
User Badges:
  • Cisco Employee,

Do you necessarily need IP to access the web servers? If not, then you can use the U-turning feature of the ASA:

Static (inside,inside)

same-security-traffic permit

That means your FTP server would send the request to the ASA; the packet would have a destination of a virtual IP (let's say), and the ASA would xlate it back to

Does the CSS do NAT?

abinjola Fri, 03/16/2007 - 11:20
User Badges:
  • Cisco Employee,

Is this the topology?

66.48.x.x--ASA-- balancer)---|,101,102 |



spabbi100 Fri, 03/16/2007 - 21:40
The FTP server ( is actually sitting in the same subnet as the web servers.

That's where the problem lies. Otherwise, for any client in a different subnet doing HTTP access targeting the farm IP ( or 66.48.x.x for Internet clients), the packets hit the CSS outside i/f and the return traffic also goes back THROUGH the load balancer, so it works.

The load balancer does not do any NATing; however, when it receives a request, if it is for one of its farm IPs ( it does the load balancing and passes the request to the member servers in that farm; if NOT, then it simply acts as a router and just passes the requests based on its routing table.

I tried the configuration you suggested using the virtual IP of , but the ping to from a server doesn't work, and I am getting the following error in the ASA ASDM:

3 Mar 17 2007 00:29:29 305006 portmap translation creation failed for icmp src inside: dst inside: (type 8, code 0)

In this case was another FTP server.

I also tried Alias and Bi-Directional NAT, which another user suggested, but that did not help either.

When I start a packet capture on the inside of the ASA I only see ICMP requests coming in for but no reply packet.

Hope it helps for better understanding.

spabbi100 Sun, 03/18/2007 - 09:03
Hi abinjola,

OK, it finally worked. Your advice was really VERY helpful; I had to tweak it a little bit as below:

same-security-traffic permit intra-interface

static (inside,inside) 66.48.x.y netmask

static (inside,inside) 66.48.x.z netmask


This way, when the FTP server sends an HTTP request to the public IP of the web farm 66.48.x.y, the request goes through the CSS and hits the inside interface of the ASA. The ASA then translates the destination from 66.48.x.y to and also the source IP from to 66.48.x.z. So now the load balancer thinks the request has come in on its outside interface from 66.48.x.z (I verified it from the website log file), and the return traffic doesn't try to reach the FTP server through the CSS inside interface; rather it goes out the CSS outside i/f and hits the ASA inside interface again. Then the ASA does the reverse translation and those packets are forwarded to, which again hits the CSS outside interface and eventually reaches the FTP server.

I thought I should provide an update before closing this thread, in case it helps anybody else.

This workaround I achieved through the ASA would be much better if somehow I could restrict it to the load balancer itself; I will keep looking for that.



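The four-command explanation in the 13 June post and the two-static tweak in the 18 March post describe the same hairpin (U-turn) flow: the destination static untranslates the public address, and the source static is what forces the server's reply back through the ASA instead of straight across the shared subnet. As an added example that is not part of the original thread or of any Cisco code, here is a small Python model of that flow. It lets you run the exchange with and without the source static and see which case the client actually gets a usable reply from. All addresses, the subnet, and the mapping of ASA commands onto the model are assumptions; the ASA itself is reduced to its `static (inside,inside)` lookups and the `same-security-traffic permit intra-interface` switch.

```python
"""Hairpin (U-turn) NAT on a same-security interface, modelled as a small
packet-flow simulation.  Constructed example for this thread, not the
original poster's configuration; every address below is an assumption.

Modelled ASA configuration (pre-8.3 syntax, as used in the thread):

    same-security-traffic permit intra-interface
    static (inside,inside) 203.0.113.10 192.168.10.100 netmask 255.255.255.255
    static (inside,inside) 203.0.113.20 192.168.10.50  netmask 255.255.255.255
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

INSIDE_SUBNET = ip_network("192.168.10.0/24")            # assumed LAN behind the ASA
SERVER, SERVER_PUB = "192.168.10.100", "203.0.113.10"   # web server and its public IP
CLIENT, CLIENT_PUB = "192.168.10.50", "203.0.113.20"    # FTP server and its public IP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class ASAInsideInterface:
    """Translation behaviour of 'static (inside,inside) MAPPED REAL' entries.

    A static is bidirectional: a matching destination is untranslated
    (mapped -> real) and a matching source is translated (real -> mapped).
    """

    def __init__(self, statics: Dict[str, str], intra_interface: bool = True):
        self.real_to_mapped = dict(statics)                       # real -> mapped
        self.mapped_to_real = {m: r for r, m in statics.items()}  # mapped -> real
        self.intra_interface = intra_interface

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """A packet arriving on 'inside' that must leave via 'inside' again."""
        if not self.intra_interface:
            # Without 'same-security-traffic permit intra-interface' the ASA
            # will not send a packet back out the interface it arrived on.
            return None
        if pkt.dst not in self.mapped_to_real:
            return None  # not one of our mapped addresses; not modelled here
        # The source is left alone when no static covers it: this is the
        # thread's "without the fourth command" case.
        return Packet(src=self.real_to_mapped.get(pkt.src, pkt.src),
                      dst=self.mapped_to_real[pkt.dst])


def host_send(pkt: Packet, asa: ASAInsideInterface) -> Optional[Packet]:
    """Host routing: on-subnet destinations are delivered directly, so the
    ASA never sees them; anything else goes to the default gateway (the ASA)."""
    if ip_address(pkt.dst) in INSIDE_SUBNET:
        return pkt
    return asa.forward(pkt)


def hairpin_exchange(client_static: bool,
                     intra_interface: bool = True) -> Tuple[Optional[str], bool]:
    """Client sends to the server's public IP.  Returns (source address the
    server logs, whether the reply reaches the client as a valid reply)."""
    statics = {SERVER: SERVER_PUB}
    if client_static:
        statics[CLIENT] = CLIENT_PUB
    asa = ASAInsideInterface(statics, intra_interface)

    request = host_send(Packet(CLIENT, SERVER_PUB), asa)
    if request is None:
        return None, False

    # The server answers whatever source address it saw on the request.
    reply = host_send(Packet(src=request.dst, dst=request.src), asa)

    # The client only accepts a reply that is addressed to it and comes from
    # the address it actually sent to (SERVER_PUB, not the private address).
    accepted = reply is not None and reply.src == SERVER_PUB and reply.dst == CLIENT
    return request.src, accepted


if __name__ == "__main__":
    for with_client_static in (False, True):
        seen, ok = hairpin_exchange(with_client_static)
        print(f"client static={with_client_static}: server logs {seen}, "
              f"reply accepted={ok}")
```

Without the client static the server logs the real client address and answers it directly across the LAN, so the client receives a packet from 192.168.10.100 when it was talking to 203.0.113.10, which matches the thread's capture of requests with no usable reply. With the client static the server logs 203.0.113.20, routes its reply to the gateway, and the ASA reverses both translations on the way back.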
abinjola Mon, 03/19/2007 - 09:18
User Badges:
  • Cisco Employee,

I am glad I was able to help you. :-)

astripat Tue, 03/20/2007 - 13:12
Yes, you won't be able to ping until U-turning is enabled.

