Ping to PAT internal server on ASA 5510

mshiba
Level 1

Hi all,

My customer needs to enable ICMP destined for a global IP address which is PAT translated to two different internal servers...

My current configuration on the ASA 5510 is:

static (dmz,outside) tcp glocal_IP ssh 172.16.XX.31 ssh netmask 255.255.255.255
static (dmz,outside) tcp glocal_IP 5900 172.16.XX.50 5900 netmask 255.255.255.255
static (dmz,outside) tcp glocal_IP https 172.16.XX.50 https netmask 255.255.255.255

Does anyone have an idea how to enable ping from outside to the global IP address?

Any suggestions are welcome...

Thanks in advance

Masa

Accepted Solution

static (dmz,outside) tcp glocal_IP ssh 172.16.XX.31 ssh netmask 255.255.255.255
static (dmz,outside) tcp glocal_IP 5900 172.16.XX.50 5900 netmask 255.255.255.255
static (dmz,outside) tcp glocal_IP https 172.16.XX.50 https netmask 255.255.255.255

With the above lines you cannot ping the global_ip from the Internet.

You need to have a static 1-to-1 translation configured for that, in addition to the ACL applied on the outside permitting this ICMP traffic.

ex:

static (dmz,outside) glocal_IP 172.16.XX.31 netmask 255.255.255.255

Now, there is another question: what if the global_ip is your outside interface IP? In that case you need to use the keyword "interface" and not specify the IP address.

ex:

static (dmz,outside) tcp interface ssh 172.16.XX.31 ssh netmask 255.255.255.255

Also, there is a question on this thread about whether PIX/ASA/FWSM respond to ICMP by default.

PIX/ASA by default respond to ICMP requests unless it is specifically denied.

On the FWSM, not just in the new code but in all code releases from the very beginning, ICMP to the interfaces is denied by default unless it is allowed.

ex:

icmp permit any inside
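To make the accepted answer's rule concrete, here is an added example (not from the thread or from Cisco) that parses pre-8.3 ASA `static` and `access-list` lines and reports whether an inbound ICMP echo to a given mapped address would be translated at all, and if so whether an outside ACL permits it. The addresses in the sample configuration are constructed (RFC 5737 TEST-NET and private ranges) and stand in for the poster's `glocal_IP` and `172.16.XX.x` placeholders; the ACL name `outside_in` is likewise an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Models the behaviour described in the answer: a "static ... tcp|udp" port
# redirect translates only that protocol/port, so ICMP (no port) matches
# nothing; only a plain 1-to-1 static translates an inbound echo, and the
# outside ACL must still permit it. Audit helper, not ASA code.

@dataclass
class Static:
    proto: Optional[str]   # None for a 1-to-1 static, else "tcp" / "udp"
    mapped: str            # global address (or the keyword "interface")
    real: str              # inside/DMZ address

def parse_static(line: str) -> Optional[Static]:
    """Parse 'static (real,mapped) [tcp|udp] gip [gport] lip [lport] netmask m'."""
    t = line.split()
    if len(t) < 5 or t[0] != "static":
        return None
    if t[2] in ("tcp", "udp"):          # port-redirect form: gip gport lip lport
        return Static(t[2], t[3], t[5])
    return Static(None, t[2], t[3])     # 1-to-1 form: gip lip

def icmp_permitted(config: List[str], mapped: str) -> bool:
    """True if an extended ACL line permits ICMP to 'mapped' or to any host."""
    pat = re.compile(
        rf"^access-list \S+ extended permit icmp \S+ (any|host {re.escape(mapped)})\b")
    return any(pat.match(line) for line in config)

def ping_result(config: List[str], mapped: str) -> str:
    """Outcome of an outside ICMP echo sent to the mapped address."""
    statics = [s for s in map(parse_static, config) if s and s.mapped == mapped]
    one_to_one = [s for s in statics if s.proto is None]
    if not one_to_one:
        return "no-translation"          # only tcp/udp PAT entries (or none)
    if not icmp_permitted(config, mapped):
        return "blocked-by-acl"          # translated, but nothing permits it inbound
    return f"reaches {one_to_one[0].real}"

# Constructed sample: the poster's three port redirects on one global IP, plus a
# second global IP with a 1-to-1 static and an ACL entry (Masa's planned fix).
SAMPLE_CONFIG = [
    "static (dmz,outside) tcp 203.0.113.10 ssh 172.16.1.31 ssh netmask 255.255.255.255",
    "static (dmz,outside) tcp 203.0.113.10 5900 172.16.1.50 5900 netmask 255.255.255.255",
    "static (dmz,outside) tcp 203.0.113.10 https 172.16.1.50 https netmask 255.255.255.255",
    "static (dmz,outside) 203.0.113.11 172.16.1.31 netmask 255.255.255.255",
    "access-list outside_in extended permit icmp any host 203.0.113.11 echo",
    "access-group outside_in in interface outside",
]

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.11"):
        print(ip, "->", ping_result(SAMPLE_CONFIG, ip))
```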


6 Replies

Collin Clark
VIP Alumni

Masa-

Do you have ICMP enabled? You should see something like this (or add this).

icmp permit any echo-reply outside

It does not matter if you have "icmp permit any outside". How can you ping a global IP address used for TCP port redirection if you do not have an ICMP translation?

It is NOT possible, AFAIK. You can ping if you have a static entry with NO "tcp" or "udp" in the static entry.

I think Collin misread your original question.

Read too fast. I thought the translations were to the interface, in which case the only way to ping is to the interface of the ASA, hence the "icmp permit any echo outside".

I don't think that is correct either.

By default, the ASA will ALLOW you to ping the interface without entering any "icmp permit any" commands.

Unless the original poster has already disallowed ICMP or applied other restrictions to the outside interface, he/she should be able to ping the interface without any issues.

Now this is a different story if you use FWSM. FWSM, the new code, will deny by default, whereas ASA/PIX by default will allow unless explicitly denied.


collin,cisco24x7,kusankar:

Thank you all for your reply.

kusankar's post has cleared my question.

I am going to ask my customer to assign another global IP, if possible, for a static 1-to-1 translation (and also going to apply an ACL which permits the ICMP traffic).

Thank you.

Masa
