Ping to PAT internal server on ASA 5510

Answered Question
Oct 5th, 2009

Hi all,


My customer needs to enable ICMP destined for a global IP address which is PAT translated to two different internal servers...


My current configuration on the ASA 5510 is:


static (dmz,outside) tcp glocal_IP ssh 172.16.XX.31 ssh netmask 255.255.255.255

static (dmz,outside) tcp glocal_IP 5900 172.16.XX.50 5900 netmask 255.255.255.255

static (dmz,outside) tcp glocal_IP https 172.16.XX.50 https netmask 255.255.255.255


Is there any way to enable ping from outside to the global IP address?

Any suggestions are welcome...


Thanks in advance


Masa


Correct Answer by Kureli Sankar, Tue, 10/06/2009 - 13:51

static (dmz,outside) tcp glocal_IP ssh 172.16.XX.31 ssh netmask 255.255.255.255

static (dmz,outside) tcp glocal_IP 5900 172.16.XX.50 5900 netmask 255.255.255.255

static (dmz,outside) tcp glocal_IP https 172.16.XX.50 https netmask 255.255.255.255


With these above lines you cannot ping the global_ip from the internet.


You need to have static 1-1 translation configured for that in addition to the acl applied on the outside permitting this ICMP traffic.


ex:

static (dmz,outside) glocal_IP 172.16.XX.31 netmask 255.255.255.255


Now, there is another question: what if the global_ip is your outside interface IP? In that case you need to use the keyword "interface" and not specify the IP address.


ex:

static (dmz,outside) tcp interface ssh 172.16.XX.31 ssh netmask 255.255.255.255


Also, there is a question on this thread about whether PIX/ASA/FWSM respond to ICMP by default.


PIX/ASA by default respond to ICMP requests unless it is specifically denied.


On the FWSM, not just in new code but in all code from the very beginning, ICMP to the interfaces is denied by default unless it is allowed.


ex:

icmp permit any inside


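To make the rule in this answer checkable against an actual config, here is an added Python audit script (my own example for this thread, not Cisco's code or tooling). It parses the pre-8.3 `static`, `access-list`, `access-group` and `icmp` lines and reports whether a given global address answers ICMP echo from the outside: tcp/udp port statics alone never do, a 1-to-1 static does only if the inbound ACL on the outside interface permits ICMP echo to the mapped address (pre-8.3 ACLs reference the mapped IP), and the `interface` case follows the per-platform defaults stated above (ASA/PIX answer by default, FWSM denies by default). Assumptions, also labelled in the code: the sample config and the 203.0.113.x addresses are constructed, and the `icmp` command is modelled as first match with an implicit deny once any rule exists on an interface, which is why a lone `icmp permit any echo-reply outside` stops the outside interface from answering echo.

```python
"""Audit whether a mapped (global) address on an ASA/PIX answers ICMP echo from
the outside, using the pre-8.3 'static' syntax.  Added example, not Cisco code."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample config: three port statics on one global IP (as in the
# question), one 1-to-1 static on a second global IP, and an inbound ACL on
# the outside interface.  203.0.113.0/24 is a documentation range.
SAMPLE_CONFIG = """
static (dmz,outside) tcp 203.0.113.10 ssh 172.16.1.31 ssh netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.10 5900 172.16.1.50 5900 netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.10 https 172.16.1.50 https netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 172.16.1.31 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq ssh
access-list outside_in extended permit icmp any host 203.0.113.11 echo
access-group outside_in in interface outside
"""

@dataclass
class Static:
    real_if: str
    mapped_if: str
    proto: Optional[str]   # None = 1-to-1 translation; "tcp"/"udp" = port redirect
    mapped_ip: str         # global IP, or the literal "interface"
    real_ip: str

@dataclass
class AsaConfig:
    statics: list = field(default_factory=list)
    acls: dict = field(default_factory=dict)         # ACL name -> list of entries (token lists)
    inbound_acl: dict = field(default_factory=dict)  # interface -> ACL name applied "in"
    icmp_rules: dict = field(default_factory=dict)   # interface -> [(action, src, icmp_type)]

def _take_addr(tokens):
    """Consume one address spec (any | host IP | IP MASK); return (ip_or_any, rest)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return tokens[0], tokens[2:]   # IP MASK (object-group forms are not handled)

def parse_config(text):
    cfg = AsaConfig()
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "static":
            real_if, mapped_if = tok[1].strip("()").split(",")
            rest = tok[2:]
            if rest[0] in ("tcp", "udp"):   # static (r,m) tcp GIP GPORT LIP LPORT netmask M
                cfg.statics.append(Static(real_if, mapped_if, rest[0], rest[1], rest[3]))
            else:                           # static (r,m) GIP LIP netmask M
                cfg.statics.append(Static(real_if, mapped_if, None, rest[0], rest[1]))
        elif tok[0] == "access-list":
            cfg.acls.setdefault(tok[1], []).append(tok[2:])
        elif tok[0] == "access-group" and tok[2] == "in":
            cfg.inbound_acl[tok[4]] = tok[1]   # access-group NAME in interface IFACE
        elif tok[0] == "icmp" and tok[1] in ("permit", "deny"):
            src, rest = _take_addr(tok[2:])   # icmp {permit|deny} SRC [TYPE] IFACE
            icmp_type = rest[0] if len(rest) > 1 else None
            cfg.icmp_rules.setdefault(rest[-1], []).append((tok[1], src, icmp_type))
    return cfg

def _is_echo(icmp_type):
    return icmp_type in (None, "echo", "8")   # None = rule covers every ICMP type

def acl_permits_echo(entries, dst_ip):
    """First match wins; an ACL ends with an implicit deny."""
    for e in entries:
        if e[0] != "extended" or e[2] not in ("icmp", "ip"):
            continue
        _, rest = _take_addr(e[3:])     # source address
        dst, rest = _take_addr(rest)    # destination address
        if dst not in ("any", dst_ip):
            continue
        if e[2] == "icmp" and not _is_echo(rest[0] if rest else None):
            continue
        return e[1] == "permit"
    return False

def interface_answers_echo(cfg, iface, platform="asa"):
    """Pings addressed to the firewall's own interface (the 'interface' keyword case)."""
    rules = cfg.icmp_rules.get(iface, [])
    if not rules:
        return platform != "fwsm"   # ASA/PIX answer by default; FWSM denies by default
    for action, _src, icmp_type in rules:   # first match, then implicit deny (assumption)
        if _is_echo(icmp_type):
            return action == "permit"
    return False

def global_ip_answers_echo(cfg, global_ip, outside="outside", platform="asa"):
    """Pings addressed to a mapped address behind the firewall."""
    if global_ip == "interface":
        return interface_answers_echo(cfg, outside, platform)
    one_to_one = any(s.mapped_if == outside and s.mapped_ip == global_ip and s.proto is None
                     for s in cfg.statics)
    if not one_to_one:
        return False   # tcp/udp port statics alone translate nothing for ICMP
    acl = cfg.inbound_acl.get(outside)
    if acl is None:
        return False   # no inbound ACL: lower-to-higher security traffic is dropped
    return acl_permits_echo(cfg.acls.get(acl, []), global_ip)

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for target in ("203.0.113.10", "203.0.113.11", "interface"):
        print(target, "answers echo:", global_ip_answers_echo(cfg, target))
```

Run directly it prints one verdict per target; paste your own `show running-config` excerpt into `SAMPLE_CONFIG` to audit a real box. Only the plain `any | host | IP MASK` address forms are parsed; object-group and named-object ACL entries are skipped.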
Collin Clark Tue, 10/06/2009 - 05:39
User Badges:
  • Purple, 4500 points or more

Masa-


Do you have ICMP enabled? You should see something like this (or add this).


icmp permit any echo-reply outside

cisco24x7 Tue, 10/06/2009 - 08:40
User Badges:
  • Silver, 250 points or more

It does not matter if you have "icmp permit any outside". How can you ping a global IP address for tcp port-redirect of a global IP address if you do not have icmp translation?


It is NOT possible, AFAIK. You can ping if you have a static entry with NO "tcp" or "udp" in the static entry.


I think Collin mis-read your original question.

Collin Clark Tue, 10/06/2009 - 11:30
User Badges:
  • Purple, 4500 points or more

Read too fast - I thought the translations were to the interface, in which case the only way to ping is to the interface of the ASA, hence the icmp permit any echo outside.

cisco24x7 Tue, 10/06/2009 - 12:12
User Badges:
  • Silver, 250 points or more

I don't think that is correct either.


By default, the ASA will ALLOW you to ping the interface without entering any "icmp permit any" commands.


Unless the original poster has already dis-allowed icmp or whatever restrictions to the outside interface, he/she should be able to ping the interface without any issues.


Now this is a different story if you use FWSM. FWSM, the new code, will deny by default, whereas ASA/PIX by default will allow unless explicitly denied.


mshiba Tue, 10/06/2009 - 16:51

Collin, cisco24x7, kusankar:


Thank you all for your reply.


kusankar's post has cleared my question.


I am going to ask my customer to assign another global IP, if possible, for static 1-1 translation (and also going to apply an acl which permits the icmp traffic).


Thank you.


Masa

