Unable to ping NAT-ed IP address.

Sep 16th, 2009
Hi, I have the following setup on an ASA 5520:

Internal LAN ( on g0/1

DMZ LAN ( on g0/2

Outside interface ( on g0/0

Static NAT map to, on server running web services

From internal LAN I can access Internet, from internal LAN I can ping server on DMZ using internal IP address of

From Internet I can access web services on

From DMZ I can access the Internet.

Set up an ACL to allow traffic from DMZ to reach a server on the internal LAN (works OK).

Problem: From internal LAN, I cannot communicate to web server if I am using NAT-ed ip address of

From internal LAN's ip of I cannot ping to

From internal LAN's ip of I can ping to

What am I missing? Thank you all in advance.

platinum_jem Thu, 09/17/2009 - 03:27

Sorry bro, it will never work that way.

You are not allowed to access from Internal to the DMZ servers via the NATed addresses.

ASA will just drop the packet after looking at the destination IP in the header because it didn't expect it to be coming from internal LAN.

Which is why when you are internal, you must use the internal IP instead.

