Unable to ping NAT-ed IP address.

Unanswered Question
Sep 16th, 2009

Hi, I have the following setup on an ASA 5520:

Internal LAN (1.1.1.1) on g0/1

DMZ LAN (2.2.2.2) on g0/2

Outside interface (3.3.3.3) on g0/0

Static NAT mapping 2.2.2.2 to 192.168.1.1, on a server running web services

From the internal LAN I can access the Internet; from the internal LAN I can ping the server on the DMZ using its internal IP address of 2.2.2.2.

From the Internet I can access the web services on 192.168.1.1.

From the DMZ I can access the Internet.

Set up an ACL to allow traffic from the DMZ to reach a server on the internal LAN (works OK).

Problem: from the internal LAN, I cannot communicate with the web server if I use the NAT-ed IP address of 192.168.1.1.

From the internal LAN IP 1.1.1.2 I cannot ping 192.168.1.1.

From the internal LAN IP 1.1.1.2 I can ping 2.2.2.2.

What am I missing? Thank you all in advance.

platinum_jem Thu, 09/17/2009 - 03:27

Sorry, bro, it will never work that way.

You are not allowed to access the DMZ servers from the internal network via their NATed addresses.

The ASA will just drop the packet after looking at the destination IP in the header, because it didn't expect it to be coming from the internal LAN.

Which is why, when you are internal, you must use the internal IP 2.2.2.2 instead.
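As an added illustration (not part of the thread, and not the original poster's config), here is the setup the question describes in pre-8.3 ASA syntax, followed by the extra `static` on the inside interface that Cisco's documentation for those releases uses to make a DMZ server reachable by its mapped address from inside. Interface names (`inside`, `dmz`, `outside`), the ACL name, the outbound PAT lines and the netmasks are assumptions; the server address 2.2.2.2 and mapped address 192.168.1.1 are the ones from the post. On ASA 8.3 and later the NAT syntax changed to object NAT and this fragment does not apply as written.

```cisco
! Outbound PAT so inside and dmz hosts reach the Internet (assumed; the post
! only states that both networks can reach the Internet)
global (outside) 1 interface
nat (inside) 1 1.1.1.0 255.255.255.0
nat (dmz) 1 2.2.2.0 255.255.255.0

! The static translation the post describes: DMZ web server 2.2.2.2 appears
! as 192.168.1.1 to hosts on the outside interface
static (dmz,outside) 192.168.1.1 2.2.2.2 netmask 255.255.255.255

! Let the Internet reach the web service on the mapped address (ACL name assumed)
access-list outside_in extended permit tcp any host 192.168.1.1 eq www
access-group outside_in in interface outside

! Added line: the same mapping presented on the inside interface, so that a
! packet from 1.1.1.2 to 192.168.1.1 is translated to 2.2.2.2 and forwarded
! to the dmz instead of being routed toward the outside interface untranslated
static (dmz,inside) 192.168.1.1 2.2.2.2 netmask 255.255.255.255

! Check from the ASA CLI before and after adding the inside static:
! packet-tracer input inside tcp 1.1.1.2 12345 192.168.1.1 80
! show xlate
```

`packet-tracer` prints each phase (route lookup, ACL, NAT) and the final allow/drop verdict, so it shows directly whether the inside-to-192.168.1.1 flow is being translated or sent out the outside interface. An alternative that avoids the second static is adding the `dns` keyword to the `(dmz,outside)` static, which rewrites the A record in DNS replies passing through the ASA so that inside clients resolving the server's public name receive 2.2.2.2.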
