10-05-2009 10:52 PM - edited 03-11-2019 09:23 AM
Hi all,
My customer needs to enable ICMP destined for a global IP address that is PAT translated
to two different internal servers...
My current configuration on the ASA 5510 is:
static (dmz,outside) tcp global_IP ssh 172.16.XX.31 ssh netmask 255.255.255.255
static (dmz,outside) tcp global_IP 5900 172.16.XX.50 5900 netmask 255.255.255.255
static (dmz,outside) tcp global_IP https 172.16.XX.50 https netmask 255.255.255.255
Is there any way to enable ping from outside to the global IP address?
Any suggestions are welcome...
Thanks in advance
Masa
10-06-2009 01:51 PM
static (dmz,outside) tcp global_IP ssh 172.16.XX.31 ssh netmask 255.255.255.255
static (dmz,outside) tcp global_IP 5900 172.16.XX.50 5900 netmask 255.255.255.255
static (dmz,outside) tcp global_IP https 172.16.XX.50 https netmask 255.255.255.255
With these above lines you cannot ping the global_ip from the internet.
You need to have a static 1-1 translation configured for that, in addition to the ACL applied on the outside permitting this ICMP traffic.
ex:
static (dmz,outside) global_IP 172.16.XX.31 netmask 255.255.255.255
Now, there is another question: what if the global_ip is your outside interface IP? In that case you need to use the keyword "interface" and not specify the IP address.
ex:
static (dmz,outside) tcp interface ssh 172.16.XX.31 ssh netmask 255.255.255.255
Also, there is a question on this thread about whether PIX/ASA/FWSM respond to ICMP by default.
PIX/ASA by default respond to ICMP requests unless it is specifically denied.
On the FWSM, not just in the new code but in all code versions from the very beginning, ICMP is denied by default to the interfaces unless it is allowed.
ex:
icmp permit any inside
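The configuration below is an added example, not code from the thread, that puts kusankar's answer together with the approach Masa settles on later in the thread (a second global IP for the 1-1 static). It uses pre-8.3 ASA syntax, matching the thread's `static` commands, where the outside ACL references the translated (global) address; on 8.3 and later the NAT commands and the ACL addresses are different. All addresses are constructed placeholders: 203.0.113.10 stands in for the existing global_IP used for port redirection, 203.0.113.11 for the additional global IP, and 172.16.1.31 / 172.16.1.50 for the DMZ servers.

```cisco
! Added example (not from the thread): ASA 5510, pre-8.3 NAT syntax.
! Constructed placeholder addresses: 203.0.113.10 = existing global IP used
! for port redirection, 203.0.113.11 = second global IP reserved for the
! 1-1 static, 172.16.1.31 / 172.16.1.50 = the DMZ servers.
!
! 1. The existing port-redirect statics stay as they are. They only create
!    translations for the listed TCP ports, so an ICMP echo sent to
!    203.0.113.10 matches no translation and is dropped before the outside
!    ACL is even consulted (this is cisco24x7's point in the thread).
static (dmz,outside) tcp 203.0.113.10 ssh 172.16.1.31 ssh netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.10 5900 172.16.1.50 5900 netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.10 https 172.16.1.50 https netmask 255.255.255.255
!
! 2. One-to-one static on a separate global IP. With no "tcp"/"udp" keyword
!    it translates every protocol, ICMP included, between 203.0.113.11 and
!    172.16.1.31. Only one internal host can sit behind a 1-1 static, which
!    is why a second global IP is needed when two servers share 203.0.113.10.
static (dmz,outside) 203.0.113.11 172.16.1.31 netmask 255.255.255.255
!
! 3. Inbound ACL on the outside interface, scoped to echo only and to the one
!    translated host. Avoid "permit icmp any any"; it also admits redirects,
!    unreachables and other ICMP types the server never needs from the internet.
access-list outside_access_in extended permit icmp any host 203.0.113.11 echo
access-group outside_access_in in interface outside
!
! 4. Stateful ICMP inspection: the echo-reply is matched to the session the
!    echo created, so no separate inbound echo-reply permit is required on
!    the outside ACL.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! 5. "icmp permit" governs ICMP addressed to the ASA's own interface address
!    (to-the-box traffic). It does not affect traffic through the box to
!    203.0.113.11, which is why Collin's echo-reply line alone did not help.
icmp permit any echo outside
!
! Verification from the ASA CLI after the change:
!   show xlate | include 203.0.113.11    -> the 1-1 translation is listed
!   show access-list outside_access_in   -> hit count rises on the echo line
```

If the ASA is running without `inspect icmp`, the reply direction is not tracked and the outside ACL would additionally have to permit `echo-reply` inbound, which is the looser of the two designs; enabling inspection keeps the ACL at a single echo line.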
10-06-2009 05:39 AM
Masa-
Do you have ICMP enabled? You should see something like this (or add this).
icmp permit any echo-reply outside
10-06-2009 08:40 AM
It does not matter if you have "icmp permit any outside". How can you ping a global IP address for TCP port-redirect of a global IP address if you do not have ICMP translation?
It is NOT possible, AFAIK. You can ping if you have a static entry with NO "tcp" or "udp" in the static entry.
I think Collin mis-read your original question.
10-06-2009 11:30 AM
Read too fast- I thought the translations were to the interface in which the only way to ping is to the interface of the ASA and hence the icmp permit any echo outside.
10-06-2009 12:12 PM
I don't think that is correct either.
By default, the ASA will ALLOW you to ping the interface without entering any "icmp permit any" commands.
Unless the original poster has already dis-allowed icmp or whatever restrictions to the outside interface, he/she should be able to ping the interface without any issues.
Now this is a different story if you use FWSM. FWSM, the new code, will deny by default, whereas ASA/PIX by default will allow unless explicitly denied.
10-06-2009 04:51 PM
Collin, cisco24x7, kusankar:
Thank you all for your reply.
kusankar's post has cleared my question.
I am going to ask my customer to assign another global IP, if possible,
for the static 1-1 translation (and I am also going to apply an ACL which permits
the ICMP traffic).
thank you.
Masa