(natting) can not ping/access outside ip from inside ip

Jun 4th, 2009
I'm using Firewall Service module for Catalyst 6509.


I had a problem pinging and accessing the outside IP from the inside IP.


For example, my PC's IP is 10.1.1.5 and I cannot ping the outside IP 115.x.x.5.


My PC also has a web server. I can't access it using the public IP. When I open http://115.x.x.5 in IE, the error is "page cannot be displayed".


Below is the config:


static (inside,outside) 110.x.x.5 10.1.1.5 netmask 255.255.255.255


FWSM Firewall Version 3.2(2) <system>

Device Manager Version 5.2(1)F


Please help. Thank you.


jjohnston1127 Fri, 06/05/2009 - 05:35

I'm not familiar with FWSM, but I know ASAs well.


Looking at your static NAT translation, it shows you are trying to NAT 110.x.x.5 to 10.1.1.5. In your post above, you mention 115.x.x.5. Is this a typo, or maybe that's your problem?


Also, you will need to set up the inbound access list for the outside interface to allow access to port 80 and any other services (icmp, etc.) on the external IP in order for the traffic to get through.

nizamismail Mon, 06/08/2009 - 17:50

Hi James,


It's not a typo. Actually, I'm hosting a web page on that IP. I want to access the web using the public IP 115.x.x.5 to test viewing my web page.


Currently the rule is set to any - any for all interfaces.


Thanks

robertson.michael Fri, 06/05/2009 - 12:22

Hi Nizammuddin,


The behavior you are experiencing in both situations is actually by design.


A host behind the firewall can only ping the interface to which it is attached (as long as the proper access rules are configured). The host cannot ping an interface on the far side of the firewall.


From the documentation:

"You can ping only the closest interface. Pinging the far interface is not supported."

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/troubl_f.html#wp1061698


As for your HTTP access problem, hosts on the inside of the firewall need to access the web server by its private IP (10.1.1.5). Only hosts on the Outside interface will be able to access the web server at 110.x.x.5.


Hope that helps.


-Mike

Pravin Phadte Wed, 06/10/2009 - 02:28

This should allow you to ping.


!

access-list 100 extended permit icmp any any echo-reply

access-list 100 extended permit icmp any any time-exceeded

access-list 100 extended permit icmp any any unreachable

access-list 100 extended permit icmp any any echo

!

access-group 100 in interface outside

!

copy run start

!

!
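Added example, not part of any post in this thread: a small Python audit that parses `access-list ... extended` and `access-group ... in interface` lines like the ones above and lists the permit entries on the outside interface whose source and destination are both `any`, so they can be compared with rules scoped to the published address. The function names are hypothetical, 192.0.2.5 is a documentation address standing in for the mapped public IP, and the parser assumes only the `any`, `host A` and `A MASK` address forms with no source-port operators.

```python
import re

# Constructed sample: the ACL from the post above plus one hypothetical scoped rule
# (192.0.2.5 is a documentation address standing in for the mapped public IP).
SAMPLE_CONFIG = """\
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit icmp any any echo
access-list 100 extended permit tcp any host 192.0.2.5 eq 80
access-group 100 in interface outside
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def take_address(tokens):
    """Consume one address spec: 'any', 'host A', or 'A MASK'. Returns (spec, rest)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return "host " + tokens[1], tokens[2:]
    return " ".join(tokens[:2]), tokens[2:]


def parse(config):
    """Return (entries by ACL name, inbound bindings as {interface: ACL name})."""
    entries, bindings = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := GROUP_RE.match(line):
            bindings[m.group(2)] = m.group(1)
        elif m := ACE_RE.match(line):
            name, action, proto, rest = m.groups()
            src, tokens = take_address(rest.split())
            dst, tokens = take_address(tokens)
            entries.setdefault(name, []).append(
                {"action": action, "proto": proto, "src": src, "dst": dst,
                 "qualifier": " ".join(tokens), "line": line})
    return entries, bindings


def any_any_permits(config, interface="outside"):
    """Permit entries with source any and destination any on the ACL bound inbound to interface."""
    entries, bindings = parse(config)
    acl = entries.get(bindings.get(interface), [])
    return [e for e in acl if e["action"] == "permit" and e["src"] == e["dst"] == "any"]
```

Calling `any_any_permits(SAMPLE_CONFIG)` returns the four ICMP entries and leaves out the rule scoped to a single host and port.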
