(natting) can not ping/access outside ip from inside ip

nizamismail
Level 1

I'm using Firewall Service module for Catalyst 6509.

I have a problem pinging and accessing the outside IP from the inside IP.

For example, my PC's IP is 10.1.1.5 and I cannot ping the outside IP 115.x.x.5.

My PC also has a web server. I can't access it using the public IP. When I open http://115.x.x.5 in my IE, the error is "page cannot be displayed".

Below is the config:

static (inside,outside) 110.x.x.5 10.1.1.5 netmask 255.255.255.255

FWSM Firewall Version 3.2(2) <system>

Device Manager Version 5.2(1)F

Please help. Thank you.

4 Replies

jj27
Spotlight

I'm not familiar with FWSM, but I know ASAs well.

Looking at your static NAT translation, it shows you are trying to NAT 110.x.x.5 to 10.1.1.5. In your post above, you mention 115.x.x.5. Is this a typo, or maybe that's your problem?

Also, you will need to set up the inbound access list on the outside interface to allow access to port 80 and any other services (ICMP, etc.) on the external IP in order for the traffic to get through.

Hi James,

It's not a typo. Actually I'm hosting a web page on that IP. I want to access the web page using the public IP 115.x.x.5 to test viewing it.

Currently the rule is set to any - any for all interfaces.

Thanks

Hi Nizammuddin,

The behavior you are experiencing in both situations is actually by design.

A host behind the firewall can only ping the interface to which it is attached (as long as the proper access rules are configured). The host cannot ping an interface on the far side of the firewall.

From the documentation:

"You can ping only the closest interface. Pinging the far interface is not supported."

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/troubl_f.html#wp1061698

As for your HTTP access problem, hosts on the inside of the firewall need to access the web server by its private IP (10.1.1.5). Only hosts on the Outside interface will be able to access the web server at 110.x.x.5.

Hope that helps.

-Mike

This should allow you to ping.

!
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit icmp any any echo
!
access-group 100 in interface outside
!
copy run start
!
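To make Mike's explanation and the ACL reply above concrete, here is an added example (not from the thread or from Cisco) that parses FWSM 3.2-style `static`, `access-list` and `access-group` lines and decides whether a flow reaches the server; the config is constructed, and 203.0.113.5 stands in for the redacted public address.

```python
# Constructed sample config in the thread's FWSM 3.2 syntax; 203.0.113.5
# (TEST-NET-3) is a placeholder for the redacted public address 110.x.x.5.
CONFIG = """\
static (inside,outside) 203.0.113.5 10.1.1.5 netmask 255.255.255.255
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any echo
access-list 100 extended permit tcp any host 203.0.113.5 eq 80
access-group 100 in interface outside
"""

def _match(tokens, i):
    """Return (predicate, next index) for an 'any' or 'host X' address term."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    return (lambda ip, h=tokens[i + 1]: ip == h), i + 2

def parse(config):
    statics, acls, groups = {}, {}, {}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "static":
            real_if, mapped_if = t[1].strip("()").split(",")
            statics[t[2]] = (real_if, mapped_if, t[3])  # mapped -> (real_if, mapped_if, real_ip)
        elif t[0] == "access-list":
            src, i = _match(t, 5)
            dst, i = _match(t, i)
            # (action, protocol, src predicate, dst predicate, trailing qualifier)
            acls.setdefault(t[1], []).append((t[3], t[4], src, dst, " ".join(t[i:])))
        elif t[0] == "access-group":
            groups[t[4]] = t[1]  # interface -> acl id bound inbound on it
    return statics, acls, groups

def evaluate(config, src_if, src_ip, dst_ip, proto, detail=""):
    """Decide the fate of a flow to a mapped address; detail is 'echo', 'eq 80', etc."""
    statics, acls, groups = parse(config)
    if dst_ip not in statics:
        return "no static for " + dst_ip
    real_if, mapped_if, real_ip = statics[dst_ip]
    if src_if == real_if:  # the original poster's test: inside host using the public IP
        return f"deny: {dst_ip} is only reachable from {mapped_if}; use {real_ip} from {real_if}"
    if src_if != mapped_if:
        return "deny: no translation applies on " + src_if
    # Inbound ACL on the outside interface is matched against the mapped address.
    for action, p, src, dst, tail in acls.get(groups.get(src_if, ""), []):
        if p == proto and src(src_ip) and dst(dst_ip) and (not tail or tail == detail):
            return f"{action}: translate to {real_ip} on {real_if}"
    return "deny: implicit deny on " + src_if
```

Flows from the inside are refused before any ACL is consulted, which is why widening the rules to any - any does not make the original poster's test work.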
