01-17-2012 11:56 AM - edited 03-11-2019 03:15 PM
I have a one-to-one NAT configured (mail <-> xenon); however, I am unable to configure ICMP to respond on the external IP of the NAT. Below is my config. There is extra ICMP cruft that I have been trying that is probably not necessary, but any help with this problem would be helpful.
# sho run
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa# sho run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password psKHILtBkc/R7/X9 encrypted
passwd psKHILtBkc/R7/X9 encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
speed 100
duplex full
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.90.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.124 255.255.255.248
!
boot system disk0:/asa842-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network mail
host xxx.xxx.xxx.125
object network xenon
host 192.168.90.252
object network public
host xxx.xxx.xxx.126
object network helium
host 192.168.90.249
access-list outside_access_in extended permit tcp any object xenon eq www
access-list outside_access_in extended permit tcp any object xenon eq https
access-list outside_access_in extended permit tcp any object xenon eq 587
access-list outside_access_in extended permit tcp any object xenon eq smtp
access-list outside_access_in extended permit tcp any object xenon eq 993
access-list outside_access_in extended permit tcp any object xenon eq 5666
access-list outside_access_in extended permit tcp any object xenon eq ssh
access-list outside_access_in extended permit tcp any object helium eq https
access-list outside_access_in extended permit icmp any object xenon echo-reply
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any object xenon echo
access-list wccp_redirect extended deny ip host 192.168.90.11 any
access-list wccp_redirect extended permit tcp 192.168.90.0 255.255.255.0 any eq www log
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo-reply inside
icmp permit any echo inside
icmp permit any outside
icmp permit any echo outside
icmp permit any echo-reply outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
!
object network obj_any
nat (inside,outside) dynamic interface
object network xenon
nat (inside,outside) static mail
object network helium
nat (inside,outside) static public
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
wccp web-cache
wccp interface inside web-cache redirect in
01-17-2012 12:15 PM
Hello Munroe,
Add the following command:
-Fixup protocol ICMP
Please provide the following output:
packet-tracer input outside icmp 4.2.2.2 8 0 mail_ip
Regards,
Julio
01-17-2012 12:20 PM
# fixup protocol icmp
INFO: converting 'fixup protocol icmp ' to MPF commands
ciscoasa# packet-tracer input outside icmp 4.2.2.2 8 0 xxx.xxx.xxx.125
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network xenon
nat (inside,outside) static mail
Additional Information:
NAT divert to egress interface inside
Untranslate xxx.xxx.xxx.125/0 to 192.168.90.252/0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit icmp any any echo
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Phase: 9
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2298729, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
ciscoasa#
01-17-2012 12:51 PM
Hello Munroe,
The packet tracer shows that everything is allowed; please let me know if it's working or if we need to do further investigation (the next thing would be captures).
Regards,
Julio
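Reading packet-tracer output by hand gets tedious once you are comparing several runs. The following parser is an added example, not code from the thread or from Cisco: it turns the text the ASA prints into a list of phases, reports which phase (if any) DROPs together with the config lines the ASA matched in that phase, and pulls the UN-NAT translation out so you can confirm the static NAT actually mapped the outside address to the intended inside host. The ALLOW sample is abbreviated from the output posted above; the DROP sample is constructed for the example and is not from the thread.

```python
"""Parse Cisco ASA `packet-tracer` output into phases and a verdict.

Added example, not from the original thread. Sample texts are
constructed: SAMPLE_ALLOW is abbreviated from the thread's output,
SAMPLE_DROP is invented to show what a denied flow looks like.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:"
    info: list = field(default_factory=list)    # lines under "Additional Information:"


PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
KV_RE = re.compile(r"^(Type|Subtype|Result|Config|Additional Information):\s*(.*)$")
UNNAT_RE = re.compile(r"Untranslate\s+(\S+)\s+to\s+(\S+)")


def parse_packet_tracer(text):
    """Return (phases, summary): the per-phase records and the final
    'Result:' block (input-interface, Action, Drop-reason, ...)."""
    phases, summary = [], {}
    current, section, in_summary = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_summary:                       # final block: "key: value" lines
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        m = PHASE_RE.match(line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            section = None
            continue
        kv = KV_RE.match(line)
        if kv:
            key, value = kv.group(1), kv.group(2).strip()
            if key == "Result" and not value:  # bare "Result:" starts the summary
                in_summary = True
            elif key == "Type":
                current.type = value
            elif key == "Subtype":
                current.subtype = value
            elif key == "Result":
                current.result = value
            elif key == "Config":
                section = "config"
            else:
                section = "info"
            continue
        if current is not None and section == "config":
            current.config.append(line)
        elif current is not None and section == "info":
            current.info.append(line)
    return phases, summary


def first_drop(phases):
    """The first phase whose Result is DROP, or None when everything passed."""
    return next((p for p in phases if p.result.upper() == "DROP"), None)


def untranslation(phases):
    """(outside, inside) pair from the UN-NAT phase, or None if no NAT applied."""
    for p in phases:
        if p.type == "UN-NAT":
            for line in p.info:
                m = UNNAT_RE.search(line)
                if m:
                    return m.group(1), m.group(2)
    return None


def verdict(text):
    """Compact summary: final action, phase count, and the dropping phase."""
    phases, summary = parse_packet_tracer(text)
    drop = first_drop(phases)
    return {
        "action": summary.get("Action", "").lower(),
        "phases": len(phases),
        "drop_phase": drop.type if drop else None,
        "drop_config": drop.config if drop else [],
        "drop_reason": summary.get("Drop-reason", ""),
    }


# Constructed sample, abbreviated from the thread's ALLOW run.
SAMPLE_ALLOW = """ciscoasa# packet-tracer input outside icmp 4.2.2.2 8 0 xxx.xxx.xxx.125
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network xenon
 nat (inside,outside) static mail
Additional Information:
NAT divert to egress interface inside
Untranslate xxx.xxx.xxx.125/0 to 192.168.90.252/0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit icmp any any echo
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
"""

# Constructed sample of a denied flow (not from the thread).
SAMPLE_DROP = """Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended deny icmp any any
Additional Information:
Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    for name, sample in (("allow", SAMPLE_ALLOW), ("drop", SAMPLE_DROP)):
        phases, _ = parse_packet_tracer(sample)
        for p in phases:
            print(f"[{name}] phase {p.number}: {p.type} {p.subtype} -> {p.result}")
        print(name, verdict(sample), untranslation(phases))
```

Paste a real run into `parse_packet_tracer` and check two things: `verdict()["action"]` is `allow`, and `untranslation()` returns the inside host you expect for the outside address you traced. If the UN-NAT phase is missing or points at a different host, the static NAT is the problem rather than the ACL or ICMP inspection.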
01-18-2012 04:04 AM
Hi,
Is this ASA configured for some company's production environment or for test purposes?
Just wondering if the server has a default GW set in its configuration? This would explain a situation where it replies to ICMP directly from the ASA but not from the Internet (because the ICMP is not coming from a connected network of the server). Though you didn't say whether it responds to ICMP from the local network of 192.168.90.0/24.
Just thought I'd ask, as Julio said the packet tracer goes through fine.
Also is there anything on server that might block the ICMP echos?
- Jouni