ASA 8.4(2) doesn't respond to ICMP echo on ip address with port forwarding only

Unanswered Question
Dec 14th, 2011

Hello,

In order to meet our requirements we had to configure PAT for TCP 80 on 2 external IP addresses to one internal IP in the DMZ. TCP port 80 is being translated for both external IP addresses and it works as expected. However, since we have migrated to the ASA, neither external IP address responds to ICMP echo requests, generating the following error:

%ASA-3-106014: Deny inbound icmp src outside:<Source IP> dst outside:<Destination IP> (type 8, code 0)

Previously we have been using Cisco router to achieve the same objective and it worked well.

I have noticed that when I add "same-security-traffic permit intra-interface" to the configuration, the message mentioned above stops appearing in the logs.

As far as I can tell the ASA sends the packet back through the outside interface, despite the fact that the appliance advertises its MAC address in response to an ARP request for the same external IP address.

Is there any way to make the ASA realise that it should respond to ICMP echo requests on external IP addresses that have forwarding set up?

I do realise that ICMP would work in a 1-to-1 NAT scenario, but we can't apply 1-to-1 NAT for 2 external IP addresses to point to one internal IP address.

Kind Regards,

Paul Preston

varrao Wed, 12/14/2011 - 05:58

Hi Paul,

Can you explain it a bit with the configuration that you had earlier and the one that you have now, which is not working?

Varun

Paul.Preston Wed, 12/14/2011 - 06:18

Hi Varun,

In the past we performed all the NAT/PAT functions on the IOS-based router. We have replaced the router with an ASA, so the configuration is completely different.

Scenario:

- /27 subnet available on an outside interface

- first IP address is assigned to a gateway

- all other IP addresses are available (apart from network and broadcast)

Comparison:

On a Cisco router, if you set up an interface IP address (let's say FastEthernet0/0) to the second usable IP address in the range (the first is taken by the gateway) and you use port forwarding on the third IP address to access an internal web server (which is in an RFC 1918 private subnet), the third usable IP address in the range (the one with port forwarding set up) will respond to ICMP echo requests in the same manner as the interface IP address, whereas the ASA doesn't understand that it should respond to that IP address and blocks the traffic with the message that I have pasted previously.

So far I have tried (with no joy):

- adding "icmp permit outside"

- adding "... permit icmp any any" rule to access list on an outside interface

Kind Regards,

Paul Preston

varrao Wed, 12/14/2011 - 06:58

Hi Paul,

The firewall should definitely respond to ping on the interface. The only requirement is to open ICMP on the outside interface:

icmp permit any outside

If it is still not doing it, I suggest taking captures on the outside interface and checking if the packets are hitting the ASA interface:

https://supportforums.cisco.com/docs/DOC-17814

Moreover, is TCP traffic going through fine for the servers that you have port forwarded on the ASA?

Thanks,

Varun

Paul.Preston Wed, 12/14/2011 - 07:01

Varun,

Please read a post before trying to answer...

Kind Regards,

Paul Preston

Julio Carvaja Wed, 12/14/2011 - 07:31

Hello Paul,

So basically you have configured port forwarding for a specific web server (behind the ASA) and pings are not answered when you hit the public IP address of that server.

First of all, as soon as you configure the static one-to-one, the ASA will start proxy-ARPing that particular IP address, so the ASA should respond to the ICMP request. In this case it's port forwarding, right? So the thing is that the ICMP protocol does not use ports, so you will not be able to perform this particular request.

I will take a look at this particular case and let you know if I find something else, but at this point I think this is the answer.

Regards,

Julio

Paul.Preston Wed, 12/14/2011 - 07:52

Hi Julio,

Right... we are on the right track. However, please have a look at my first post:

"In order to meet our requirements we had to configure PAT for TCP 80 on 2 external IP addresses to one internal IP in DMZ. TCP port 80 is being translated for both external IP addresses and it works as expected."

To my knowledge I can point two external IP addresses to one internal IP with 1-to-1 NAT, but it can be done (as in our case) with port forwarding. Unless I'm wrong?

Kind Regards,

Paul Preston

Julio Carvaja Wed, 12/14/2011 - 08:03

Hello Paul,

That is correct, you can point 2 external IP addresses to the same inside host using one-to-one mapping; now, using port forwarding should work the same way.

One question.

You are mapping xx.xx.xx.xx on port 80 to the inside host on port 80.

Are you using the second mapping pointing to port 80 on the inside host as well? I know you are using port 80 on both outside IP addresses.

Regards,

Julio

Paul.Preston Wed, 12/14/2011 - 08:17

Hi Julio,

Interesting. I have tried to map two external IP addresses to a single internal IP using 1-to-1 NAT, but when I tried to configure the second one I remember a message "mapping exists"...

I think that it might be easier if I paste the relevant config:

access-list From_Internet extended permit icmp any any
[...]
access-list From_Internet extended permit tcp any gt 1023 host 172.17.0.103 eq www
[...]
access-list From_Internet extended deny ip any any log warnings

object network www-91-17.103
 host 172.17.0.103
object network www-92-17.103
 host 172.17.0.103

icmp permit any outside

object network www-91-17.103
 nat (DMZ,outside) static x.x.x.91 service tcp www www
object network www-92-17.103
 nat (DMZ,outside) static x.x.x.92 service tcp www www

With the config above NAT works for both IP addresses, but unfortunately neither IP address responds to ICMP echo requests.

Kind Regards,

Paul Preston
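An added example, not part of the thread and not Cisco's or the poster's code: a small Python script that reads an ASA 8.4 object-NAT excerpt in the style pasted above and the %ASA-3-106014 syslog lines quoted in the first post, then reports, per mapped public address, how many echo requests the ASA denied and whether the translation is port-restricted (a "service tcp ..." static, i.e. port forwarding) or a full one-to-one static. The config and log lines are constructed samples using RFC 5737 documentation addresses; the message formats follow the ones quoted in the thread. The "expected"/"investigate" verdicts encode the explanation given in this thread (a port-only translation carries no ICMP, while a one-to-one static should answer once ICMP is permitted), so a monitoring team can tell the two cases apart before filing a ticket.

```python
import re
from typing import Dict, List

# Constructed sample config excerpt, in the object-NAT style quoted in the thread
# (RFC 5737 documentation addresses stand in for the real public range).
ASA_CONFIG = """\
object network www-91-17.103
 host 172.17.0.103
object network www-92-17.103
 host 172.17.0.103
object network mail-93
 host 172.17.0.104
object network www-91-17.103
 nat (DMZ,outside) static 203.0.113.91 service tcp www www
object network www-92-17.103
 nat (DMZ,outside) static 203.0.113.92 service tcp www www
object network mail-93
 nat (DMZ,outside) static 203.0.113.93
"""

# Constructed sample syslog lines; 106014 is the message ID quoted in the question.
# The last line is an unrelated message, included to show it is ignored.
SYSLOG = """\
%ASA-3-106014: Deny inbound icmp src outside:198.51.100.7 dst outside:203.0.113.91 (type 8, code 0)
%ASA-3-106014: Deny inbound icmp src outside:198.51.100.7 dst outside:203.0.113.92 (type 8, code 0)
%ASA-3-106014: Deny inbound icmp src outside:198.51.100.9 dst outside:203.0.113.91 (type 8, code 0)
%ASA-3-106014: Deny inbound icmp src outside:198.51.100.9 dst outside:203.0.113.91 (type 3, code 3)
%ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/40000 (198.51.100.7/40000) to DMZ:172.17.0.103/80 (203.0.113.91/80)
"""

OBJECT_RE = re.compile(r"^object network (\S+)\s*$")
HOST_RE = re.compile(r"^\s+host (\S+)\s*$")
# Object NAT line; the optional "service <proto> <real> <mapped>" marks port forwarding.
NAT_RE = re.compile(
    r"^\s+nat \((\S+),(\S+)\) static (\S+)"
    r"(?: service (tcp|udp) (\S+) (\S+))?\s*$"
)
DENY_ICMP_RE = re.compile(
    r"%ASA-\d-106014: Deny inbound icmp src (\S+):(\S+) dst (\S+):(\S+) "
    r"\(type (\d+), code (\d+)\)"
)


def parse_static_nat(config: str) -> Dict[str, dict]:
    """Map each mapped (public) address to its real host and whether the static
    translation is port-restricted, i.e. port forwarding rather than one-to-one."""
    hosts: Dict[str, str] = {}
    mapped: Dict[str, dict] = {}
    current = None
    for line in config.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            current = m.group(1)  # object blocks may reappear later with the nat line
            continue
        m = HOST_RE.match(line)
        if m and current:
            hosts[current] = m.group(1)
            continue
        m = NAT_RE.match(line)
        if m and current:
            _real_if, _mapped_if, mapped_ip, proto, real_port, mapped_port = m.groups()
            mapped[mapped_ip] = {
                "object": current,
                "real": hosts.get(current),
                "port_forward": proto is not None,
                "service": f"{proto} {real_port} {mapped_port}" if proto else None,
            }
    return mapped


def parse_icmp_denies(log: str) -> List[dict]:
    """Extract the fields of every 106014 ICMP deny; callers filter on type 8."""
    out = []
    for line in log.splitlines():
        m = DENY_ICMP_RE.search(line)
        if m:
            _src_if, src, dst_if, dst, itype, code = m.groups()
            out.append({"src": src, "dst": dst, "dst_if": dst_if,
                        "type": int(itype), "code": int(code)})
    return out


def echo_denies_on_mapped_ips(config: str, log: str) -> Dict[str, dict]:
    """Per mapped address: count denied echo requests (type 8) and classify them.
    'expected'    = port-only static, ICMP is not covered by the translation
    'investigate' = one-to-one static that should answer once ICMP is permitted
    'ok'          = no denied echo requests seen for that address"""
    nat = parse_static_nat(config)
    report = {ip: {**info, "echo_denied": 0} for ip, info in nat.items()}
    for d in parse_icmp_denies(log):
        if d["type"] == 8 and d["dst"] in report:
            report[d["dst"]]["echo_denied"] += 1
    for info in report.values():
        if info["echo_denied"] == 0:
            info["verdict"] = "ok"
        elif info["port_forward"]:
            info["verdict"] = "expected"
        else:
            info["verdict"] = "investigate"
    return report


if __name__ == "__main__":
    for ip, info in sorted(echo_denies_on_mapped_ips(ASA_CONFIG, SYSLOG).items()):
        print(f"{ip} -> {info['real']} service={info['service']} "
              f"echo_denied={info['echo_denied']} verdict={info['verdict']}")
```

Run it as-is to see the three sample addresses classified; to use it on a real box, paste the output of `show running-config object` and `show running-config nat` into ASA_CONFIG and feed the 106014 lines from your syslog collector into SYSLOG. The type-3 line and the 302013 connection message are deliberately left out of the echo count.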

Julio Carvaja Wed, 12/14/2011 - 09:27

Hello Paul,

You can map one single host to 2 different public IP addresses, but you cannot map two inside hosts to 1 public IP address, because as soon as the ASA receives a packet it will not know where to send it (that is why you are getting that message).

Now, as I told you before, port forwarding will not allow ICMP, as the translation you are making is based on ports and ICMP does not use ports.

Please rate helpful posts.

Regards,

Julio

Paul.Preston Thu, 12/15/2011 - 01:59

Hi Julio,

I understand that port forwarding of a TCP port wouldn't forward ICMP packets to an inside host. Nevertheless, in order to forward/translate traffic the ASA has to associate the IP address with an outside interface. If the ASA responds to ARP requests for that IP address, the network administrator should have a way to manage ICMP for that IP address.

Currently, when using port forwarding, the ASA understands that packets for a specific IP address, protocol and port should be routed through the ASA, but all other traffic the ASA tries to route back through the outside interface, despite the fact that the ASA responds to ARP requests for the same IP address.

What is the best way to:

a) Make sure that one internal IP address can be accessed through two external IP addresses for specific services?
b) Ensure that both external IP addresses respond to ICMP ping requests?

At present, the PAT functionality works well, but our monitoring reports problems with a number of services that we host, including our website (www.proxar.co.uk).

Kind Regards,

Paul Preston

Julio Carvaja Thu, 12/15/2011 - 09:24

Hello Paul,

1- You will need to map the inside host to a routable IP address (using static NAT or port forwarding), then add an ACL on the outside interface. (Then you could test it using packet-tracer.)

Example of packet-tracer: outside user trying to access the server on the inside: 2.2.2.2
Inside server being accessed: 192.168.13.2
NATted IP addresses: 1.1.1.1/1.1.1.2

packet-tracer input outside tcp 2.2.2.2 1025 1.1.1.1 xx (port you will open on the ACL)
packet-tracer input outside tcp 2.2.2.2 1025 1.1.1.2 xx (port you will open on the ACL)

2- ICMP is portless, so the only way will be using a static one-to-one translation.

Please rate helpful posts,

Regards,

Julio

Posted December 14, 2011 at 5:51 AM