New Member

Allow ICMP with PAT

From what I've read, what I would like to accomplish isn't possible.

We have 5 static IPs: 4 for servers and 1 for the firewall. I can ping the firewall fine from the outside but can't ping the other 4 IPs. It doesn't sound like it's possible to configure this, since ICMP doesn't use ports and the firewall wouldn't know how to route ICMP traffic to the different IPs.

Can anyone else confirm this?

Thanks!

Sent from Cisco Technical Support iPhone App

19 REPLIES
Cisco Employee

Allow ICMP with PAT

Have you configured the static NAT statement for the servers yet?

Also, have you allowed ICMP on your outside interface for those 4 static IP Addresses?

You would be able to ping once you have the above 2 configured.

New Member

Re: Allow ICMP with PAT

I have ICMP enabled on my router public IP and can ping that fine.

And I've configured the static NAT for my servers. For example... Public IP 96.249.40.100 (not my real IP) on port 80 maps to 192.168.1.100 on port 80.

Not sure how I'd allow ICMP through to 96.249.40.100....

Sent from Cisco Technical Support iPhone App

Cisco Employee

Re: Allow ICMP with PAT

Do you have an access-list applied to your outside interface? You should add "permit icmp" for those addresses that you want to ping.

New Member

Re: Allow ICMP with PAT

If outsidein is the access list applied on your outside interface:

access-list outsidein extended permit icmp any (public_ip) echo-reply
access-list outsidein extended permit icmp any (public_ip) echo
access-group outsidein in interface outside

Note: for versions up to 8.2.

You would be able to ping.

New Member

Re: Allow ICMP with PAT

I have the following in my access list:

     access-list outside_access_in_1 remark Allow ICMP traffic
     access-list outside_access_in_1 extended permit icmp any any echo-reply
     access-list outside_access_in_1 extended permit icmp any any unreachable
     access-list outside_access_in_1 extended permit icmp any any time-exceeded

And that is applied to my outside interface inbound...

     access-group outside_access_in_1 in interface primaryisp

Here is one of my NAT rules which...

     object network asp-wss-3-http-vz
       nat (inside,primaryisp) static 96.249.40.100 service tcp www www

Do I need to specifically allow ICMP to asp-wss-3-http-vz or to 96.249.40.100?

Thanks for the help!

Cisco Employee

Re: Allow ICMP with PAT

The ICMP type that you would need to permit is "echo" and that has not been included in the access-list.

Please add the following:

access-list outside_access_in_1 extended permit icmp any any echo

and you don't need to specifically allow icmp to the host/ip address.

New Member

Re: Allow ICMP with PAT

So I added that but I still cannot ping anything except the IP of the actual router IP.

     access-list outside_access_in_1 remark Allow ICMP traffic
     access-list outside_access_in_1 extended permit icmp any any echo
     access-list outside_access_in_1 extended permit icmp any any echo-reply
     access-list outside_access_in_1 extended permit icmp any any unreachable
     access-list outside_access_in_1 extended permit icmp any any time-exceeded

Here is my ASDM log when I try to ping it...

     Severity 3   Jun 13 2012 09:31:29   src 96.249.40.18   dst 96.249.40.10
     Deny inbound icmp src primaryisp:96.249.40.18 dst primaryisp:96.249.40.10 (type 8, code 0)
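When troubleshooting this kind of problem it helps to sort the ASDM "Deny inbound icmp" entries by which destination they hit: the firewall's own interface address (to-the-box ICMP, governed by the interface's icmp permit settings rather than the inbound ACL) or one of the static-PAT addresses, for which no ICMP translation exists so an ACL permit alone cannot help. The following Python is an added example, not code from the thread or from Cisco; the interface and static-PAT address lists and the log lines are constructed to match the addresses discussed in this thread.

```python
import re
from collections import Counter

# ASA "Deny inbound icmp" message text, as shown in the ASDM log above.
DENY_RE = re.compile(
    r"Deny inbound icmp src (?P<src_if>\S+):(?P<src>[\d.]+) "
    r"dst (?P<dst_if>\S+):(?P<dst>[\d.]+) \(type (?P<type>\d+), code (?P<code>\d+)\)"
)

# Constructed to match the thread: .14 is the primaryisp interface address,
# .10 - .13 are the public addresses used only for static PAT (tcp/udp ports).
INTERFACE_IPS = {"primaryisp": "96.249.40.14"}
STATIC_PAT_IPS = {"96.249.40.10", "96.249.40.11", "96.249.40.12", "96.249.40.13"}

ICMP_TYPE_NAMES = {0: "echo-reply", 3: "unreachable", 8: "echo", 11: "time-exceeded"}

# Constructed sample log (same message format as the ASDM entry in the thread).
SAMPLE_LOG = """\
Jun 13 2012 09:31:29 Deny inbound icmp src primaryisp:96.249.40.18 dst primaryisp:96.249.40.10 (type 8, code 0)
Jun 13 2012 09:31:30 Deny inbound icmp src primaryisp:96.249.40.18 dst primaryisp:96.249.40.11 (type 8, code 0)
Jun 13 2012 09:31:31 Deny inbound icmp src primaryisp:96.249.40.18 dst primaryisp:96.249.40.14 (type 8, code 0)
Jun 13 2012 09:31:32 Deny inbound icmp src primaryisp:96.249.40.18 dst primaryisp:96.249.40.12 (type 3, code 3)
Jun 13 2012 09:31:33 Built inbound TCP connection (unrelated line, skipped)
"""


def parse_deny_lines(text):
    """Return one dict per 'Deny inbound icmp' line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["type"] = int(ev["type"])
        ev["code"] = int(ev["code"])
        events.append(ev)
    return events


def classify(event):
    """Say which kind of destination the denied ICMP packet was aimed at."""
    dst = event["dst"]
    if dst in INTERFACE_IPS.values():
        # To-the-box traffic: the interface ACL is not what decides this.
        return "interface"
    if dst in STATIC_PAT_IPS:
        # Through-the-box traffic to an address that only has tcp/udp port
        # translations: the ASA has no ICMP translation to forward it to.
        return "static-pat"
    return "other"


def summarize(text):
    """Count denied ICMP events by (destination, ICMP type name, destination class)."""
    counts = Counter()
    for ev in parse_deny_lines(text):
        type_name = ICMP_TYPE_NAMES.get(ev["type"], str(ev["type"]))
        counts[(ev["dst"], type_name, classify(ev))] += 1
    return dict(counts)


if __name__ == "__main__":
    for (dst, icmp_type, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{dst:16} {icmp_type:14} {kind:12} x{n}")
```

Run against a real ASDM export, every "static-pat" row is a public address that will keep being denied no matter what the inbound ACL says, while "interface" rows point at the icmp permit configuration of that interface instead.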
Cisco Employee

Re: Allow ICMP with PAT

Is 96.249.40.10 "primaryisp" interface ip address?

New Member

Re: Allow ICMP with PAT

No, the primaryisp interface is 96.249.40.14. The 4 other IPs that I want to get ICMP replies from are .10 - .13. I'm using PAT for various services (http, https, etc.) on those other 4 IPs.

Cisco Employee

Re: Allow ICMP with PAT

Also need the following NAT:

object service ping
  service icmp echo
object network asp-wss-3-http-vz-ping
  host
  nat (inside,primaryisp) static 96.249.40.10 service ping ping

New Member

Re: Allow ICMP with PAT

nat (inside,primaryisp) static 96.249.40.10 service ping ping
                                                                             ^
ERROR: % Invalid input detected at '^' marker.

New Member

Re: Allow ICMP with PAT

Bump! Any suggestions on this would be appreciated!

New Member

Re: Allow ICMP with PAT

Are you able to statically NAT a single IP address with all ports to a local IP address, or do you only want to NAT ICMP?

Cisco Employee

Re: Allow ICMP with PAT

Did you configure all 5 lines advised earlier, or just 1 line?

object service ping
  service icmp echo
object network asp-wss-3-http-vz-ping
  host
  nat (inside,primaryisp) static 96.249.40.10 service ping ping

New Member

Re: Allow ICMP with PAT

Yes, I did all 5 lines. When I enter "nat (inside,primaryisp) static 96.249.40.10 service " I can only choose TCP or UDP.

New Member

Re: Allow ICMP with PAT

I already have some NAT configured but I also need to get ICMP responses on all the IPs.

Sent from Cisco Technical Support iPhone App

Cisco Employee

Re: Allow ICMP with PAT

Do you need to configure static PAT, or static NAT is OK?

From version 8.3 onwards, it seems that you won't be able to ping the static PAT IP anymore.

New Member

Re: Allow ICMP with PAT

Yes, I need to do it using PAT.

Sent from Cisco Technical Support iPhone App

New Member

Re: Allow ICMP with PAT

Still haven't been able to figure this out. Anyone else have any ideas??

Sent from Cisco Technical Support iPad App
