Allowing Pings on a NAT Global

Unanswered Question
Dec 8th, 2008

I want to allow pings to and from a NAT Global public IP on an ASA running 8.0(4) code. Here is the config:

access-list acl_outside extended permit icmp any any echo

access-list acl_outside extended permit icmp any any echo-reply

access-list acl_outside extended deny ip any any

!

access-group acl_outside in interface outside

!

icmp permit any echo outside

icmp permit any echo-reply outside

I am able to ping the ASA's outside interface, but not any of the NAT Global addresses. What am I missing?

Jon Marshall Mon, 12/08/2008 - 11:31

John

Could you give an example of one of your global NATs, or better yet, could you post the config of the ASA together with some details on which IP address you are trying to ping?

Jon

johnnylingo Mon, 12/08/2008 - 15:49

Here's the NAT Global config. It's pretty straightforward.

global (outside) 1 1.2.3.4

nat (inside) 1 192.168.100.0 255.255.255.0

The error message says ICMP type 8 is denied to 1.2.3.4

Jon Marshall Mon, 12/08/2008 - 15:57

John

This is a dynamic NAT setup. So you will not be able to be on the outside of the firewall and ping 1.2.3.4 because the firewall doesn't know which IP address from the 192.168.100.x addresses you want it to translate to.

To ping from the outside to the inside you will need a static, e.g.

static (inside,outside) x.x.x.x 192.168.100.x

where x.x.x.x is an IP address presented to the outside and 192.168.100.x is an IP address on the inside that maps to x.x.x.x.

Jon

johnnylingo Mon, 12/08/2008 - 16:16

OK, that makes sense. We have another address that is a global combined w/ static for our e-mail server:

global (outside) 2 5.6.7.8

!

nat (inside) 2 10.10.10.2 255.255.255.255

!

static (inside,outside) tcp 5.6.7.8 smtp 10.10.10.2 smtp netmask 255.255.255.255

static (inside,outside) tcp 5.6.7.8 pop3 10.10.10.2 pop3 netmask 255.255.255.255

static (inside,outside) tcp 5.6.7.8 imap4 10.10.10.2 imap4 netmask 255.255.255.255

I take it since this has a global, I would have to redirect ICMP echos to the internal IP of 10.10.10.2?

Jon Marshall Mon, 12/08/2008 - 16:46

John

"I take it since this has a global, I would have to redirect ICMP echos to the internal IP of 10.10.10.2?"

Not sure exactly what you mean here. You can't redirect ports with ICMP as far as I know. So you would need a straight static, i.e. not specifying individual ports.

Jon
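
The behaviour described in the replies above, as an added example that is not part of any post in the thread: a simplified Python model of which inside host, if any, an unsolicited outside packet is handed to under a dynamic global, the port statics, and a straight static. The class and function names are hypothetical and the lookup logic is an assumption made for illustration, not Cisco code; the addresses are the ones quoted in the thread.

```python
"""Simplified model (an assumption, not Cisco code) of how an ASA picks the
inside host for an unsolicited packet arriving on the outside interface."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Static:
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None  # None means a straight static: every protocol
    port: Optional[int] = None

@dataclass(frozen=True)
class Packet:
    dst_ip: str
    proto: str
    port: Optional[int] = None   # ICMP has no port

def untranslate(pkt: Packet, statics: List[Static],
                dynamic_globals: Set[str]) -> Tuple[Optional[str], str]:
    """Return (inside IP or None, reason) for an inbound packet."""
    for s in statics:
        if s.mapped_ip != pkt.dst_ip:
            continue
        if s.proto is None:
            return s.real_ip, "straight static"
        if (s.proto, s.port) == (pkt.proto, pkt.port):
            return s.real_ip, "port static"
    if pkt.dst_ip in dynamic_globals:
        # Dynamic entries are built by outbound traffic only, so there is
        # no fixed inside host to hand an unsolicited packet to.
        return None, "dynamic global, no inside host"
    return None, "no translation"

# Constructed from the addresses quoted in the thread.
DYNAMIC = {"1.2.3.4", "5.6.7.8"}
PORT_STATICS = [Static("5.6.7.8", "10.10.10.2", "tcp", p) for p in (25, 110, 143)]
STRAIGHT = [Static("5.6.7.8", "10.10.10.2")]

if __name__ == "__main__":
    for name, rules in (("port statics", PORT_STATICS), ("straight static", STRAIGHT)):
        for pkt in (Packet("1.2.3.4", "icmp"), Packet("5.6.7.8", "tcp", 25),
                    Packet("5.6.7.8", "icmp"), Packet("5.6.7.8", "tcp", 22)):
            print(name, pkt, untranslate(pkt, rules, DYNAMIC))
```

With the straight static, TCP port 22 to 5.6.7.8 is untranslated as well as the echo, so the outside ACL becomes the only control limiting what reaches 10.10.10.2.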
