PIX unable to ping outside from inside

fattore73
Level 1

Dear all,

I'd like to have some support for a very basic PIX firewall configuration.

I'm dealing with PIX 515's inside/outside/dmz zones.

Inside hosts can ping the inside interface, outside hosts the outside interface, and so on....

I cannot ping the outside interface from inside hosts.

(i.e. ping 192.168.02 from 10.10.10.100)

inside network 10.10.10.0/24

outside network 192.168.0.0/24

I think I properly set NAT and access lists, and furthermore from the ICMP trace it seems that translation is performed, but the echo-reply is missing.

In the attached file you can find the PIX configuration and test.

I think that some PIX expert can easily find out the problem.

Thanks for the support

Mauro


varrao
Level 10

Hi Mauro,

Due to design issues, you would never be able to ping a remote interface on the ASA; this is not possible. You can, though, ping hosts which are connected to these two interfaces. If you are facing an issue with that, do let me know.

Hope this helps,

Thanks,

Varun

Thanks,
Varun Rao

Dear Varun, thanks for the reply.

I'm not dealing with an ASA, but with a PIX 515: I tested that the outside interface replies to ping (from outside hosts), and I've read in a PIX firewall book that it would be possible to test connectivity from inside to outside by means of "ping".

That happens if the operator enables icmp any any outside and defines an access-list in this way:

"access-list acl_out permit icmp any any"

and applies it to the outside interface:

"access-group acl_out in interface outside"

I executed the last 2 tasks, but ping from the inside host (10.10.10.100) to the outside interface (192.168.0.2) systematically fails.

I cannot even ping from the inside host (10.10.10.100) to an outside host (192.168.0.x).

The PIX firewall sends the echo-request to outside, I guess (because NAT translation occurs), but no echo-reply ever happens.

Hi Mauro,

I'm sorry, I meant PIX, but it is true for the PIX as well: you would not be able to ping a remote interface on the firewall.

"I've read in a PIX firewall book that it would be possible to test connectivity from inside to outside by means of "ping""

What this means is if you have two hosts connected to the inside and outside, then it would ping, like:

host1 ----------------------------outside(PIX)inside----------------------------------host2

10.1.1.1                         10.1.1.2         20.1.1.2                              20.1.1.1

Now you would be able to ping from host2 to host1 but not host2 to outside interface, that is not possible.

For pinging from host2 to host1, you would need the following config:

access-list out_in permit icmp any any

access-group out_in in interface outside

nat (inside) 1 20.1.1.1 255.255.255.255

global (outside) 1 interface

this should work for you.

Hope this helps.

Thanks,

Varun

Thanks,
Varun Rao

Your drawing is a good idea and useful to understand the matter. I'll try to track your approach again:

in my case host2 (20.1.1.1) can ping inside (20.1.1.2) ........ ok!!

                  host1 (10.1.1.1) can ping outside (10.1.1.2) ........ ok!!

   I can take for granted that host2 cannot ping the outside interface (from your statement). ........... ok!!!

   You finally state that host2 can ping host1 with the following additional commands:

  a) access-list out_in permit icmp any any ---> got it (access-list acl_out permit icmp any any)... ok!!

  b) access-group out_in in interface outside ----> got it (access-group acl_out in interface outside).... ok!!!

  c) "nat (inside) 1 20.1.1.1 255.255.255.255" ------> should it not act as my command "nat (inside) 1 0 0"??

  d) global (outside) 1 interface -----> what does it execute? NATting with only the outside interface IP address?

     Should it not be similar to my command "global (outside) 1 192.168.0.10-192.168.0.62", which instead defines a pool of outside addresses for NATting?

If these assumptions are true, I would already have the nat and global commands in my configuration properly set, but I have tested that host2 cannot ping host1 up to now.

Hi Mauro,

The nat statements that I gave you were only for reference; you can use any value that you want.

you can either use:

nat (inside) 1 20.1.1.1 255.255.255.255

global (outside) 1 interface

or

nat(inside) 1 0 0

global (outside) 1 192.168.0.10-192.168.0.62

both are correct.

Now you said that you are not able to ping host2 from host1?

To troubleshoot it, please take logs and debugs and check where the traffic is dropping.

Take captures as well. As per the configuration, it should work.

https://supportforums.cisco.com/docs/DOC-1222

Thanks,

Varun


Thanks,
Varun Rao
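The two posts above describe the same rule set in two forms (nat to a pool or to the interface address, plus an inbound icmp permit on outside) and the one case that never works: pinging the far-side interface. As an added illustration that is not from the thread or from Cisco, the following Python model walks an echo-request from an inside host through those PIX 6.x-style statements and reports whether the reply can come back. It assumes interface addresses of 192.168.0.2 (outside) and 10.10.10.1 (inside) for Mauro's setup, and that ICMP is not stateful on this PIX, so the echo-reply must be explicitly permitted inbound on outside, as the thread's access-list does.

```python
import ipaddress

# Constructed PIX 6.x-style fragment modelled on the thread's addressing (example only).
PIX_CONFIG = """\
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
nat (inside) 1 0 0
global (outside) 1 192.168.0.10-192.168.0.62
access-list acl_out permit icmp any any
access-group acl_out in interface outside
"""

def parse(config):
    """Collect interface addresses, nat/global pairs and inbound ACL bindings."""
    ifaces, nats, pools, acls, bound = {}, [], {}, {}, {}
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[:2] == ["ip", "address"]:
            ifaces[t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[0] == "nat":  # "0 0" means any source arriving on that interface
            net = "0.0.0.0/0" if t[3] == "0" else f"{t[3]}/{t[4]}"
            nats.append((t[1].strip("()"), t[2], ipaddress.ip_network(net, strict=False)))
        elif t[0] == "global":  # value is "interface" or a "first-last" address pool
            pools[(t[1].strip("()"), t[2])] = t[3]
        elif t[0] == "access-list":
            acls.setdefault(t[1], set()).add((t[2], t[3]))  # (action, protocol)
        elif t[0] == "access-group" and t[2] == "in":
            bound[t[4]] = t[1]  # interface -> ACL applied inbound
    return ifaces, nats, pools, acls, bound

def ping_verdict(config, src_if, src, dst):
    """Follow an echo-request from src (on src_if) to dst; return (status, mapped_src)."""
    ifaces, nats, pools, acls, bound = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    egress = next((n for n, i in ifaces.items() if dst in i.network), None)
    if egress is None:
        return ("no_route", None)
    if dst == ifaces[egress].ip:
        # A PIX answers pings to the interface you arrive on, never to a far-side one.
        return ("ok", None) if egress == src_if else ("far_interface", None)
    nat_id = next((i for n, i, net in nats if n == src_if and src in net), None)
    pool = pools.get((egress, nat_id)) if nat_id else None
    if pool is None:
        return ("no_translation", None)
    mapped = str(ifaces[egress].ip) if pool == "interface" else pool.split("-")[0]
    # No ICMP state is kept here: the echo-reply must be permitted inbound on egress.
    permits = {("permit", "icmp"), ("permit", "ip")}
    allowed = permits & acls.get(bound.get(egress, ""), set())
    return ("ok", mapped) if allowed else ("reply_dropped", mapped)
```

Running `ping_verdict(PIX_CONFIG, "inside", "10.10.10.100", "192.168.0.2")` reproduces Mauro's original test and yields `far_interface`, while the same call against an outside host such as 192.168.0.50 yields `ok` with the first pool address as the translated source.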

Thanks for the hint!

  I'll test again with capture switched on. Hope this helps to collect more info.

Regards

  Mauro

The configuration was correct. host1 can ping host2.

I was only testing wrongly because I was referencing the outside interface, which, as you said, never answers to ping.

Thanks for the support!

Mauro

Hi Mauro,

Thats good, I am glad I was able to clear your doubts

Take care

Thanks,
Varun Rao