12-08-2008 11:17 AM - edited 03-11-2019 07:22 AM
I want to allow pings to and from a NAT Global public IP on an ASA running 8.0(4) code. Here is the config:
access-list acl_outside extended permit icmp any any echo
access-list acl_outside extended permit icmp any any echo-reply
access-list acl_outside extended deny ip any any
!
access-group acl_outside in interface outside
!
icmp permit any echo outside
icmp permit any echo-reply outside
I am able to ping the ASA's outside interface, but not any of the NAT Global addresses. What am I missing?
12-08-2008 11:31 AM
John
Could you give an example of one of your global NATs, or better yet, could you post the config of the ASA together with some details on which IP address you are trying to ping.
Jon
12-08-2008 03:49 PM
Here's the NAT Global config. It's pretty straightforward.
global (outside) 1 1.2.3.4
nat (inside) 1 192.168.100.0 255.255.255.0
The error message says ICMP type 8 is denied to 1.2.3.4.
12-08-2008 03:57 PM
John
This is a dynamic NAT setup, so you will not be able to be on the outside of the firewall and ping 1.2.3.4, because the firewall doesn't know which IP address from the 192.168.100.x range you want it to translate to.
To ping from the outside to the inside you will need a static, e.g.
static (inside,outside) x.x.x.x 192.168.100.x
where x.x.x.x is an IP address presented to the outside and 192.168.100.x is an IP address on the inside that maps to x.x.x.x.
Jon
12-08-2008 04:16 PM
OK, that makes sense. We have another address that is a global combined w/ static for our e-mail server:
global (outside) 2 5.6.7.8
!
nat (inside) 2 10.10.10.2 255.255.255.255
!
static (inside,outside) tcp 5.6.7.8 smtp 10.10.10.2 smtp netmask 255.255.255.255
static (inside,outside) tcp 5.6.7.8 pop3 10.10.10.2 pop3 netmask 255.255.255.255
static (inside,outside) tcp 5.6.7.8 imap4 10.10.10.2 imap4 netmask 255.255.255.255
I take it since this has a global, I would have to redirect ICMP echos to the internal IP of 10.10.10.2?
12-08-2008 04:46 PM
John
"I take it since this has a global, I would have to redirect ICMP echos to the internal IP of 10.10.10.2?"
Not sure exactly what you mean here. You can't redirect ports with ICMP as far as I know. So you would need a straight static, i.e. not specifying individual ports.
Jon
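Putting Jon's two answers together as an added configuration example (this is not from the original thread and not Cisco's own text): the per-port statics are replaced with a straight static for the mail server, and the outside ACL is tightened so that the all-protocol translation does not expose more of 10.10.10.2 than the three mail ports plus ping. The addresses, interface names and ACL name are taken from the thread; which TCP services to permit is an assumption based on the per-port statics the poster already had.

```cisco
! Added example for ASA 8.0(4): straight static for the mail server.
! The three tcp statics only translate ports 25/110/143, so an ICMP echo
! to 5.6.7.8 never matches a translation and is dropped.
no static (inside,outside) tcp 5.6.7.8 smtp 10.10.10.2 smtp netmask 255.255.255.255
no static (inside,outside) tcp 5.6.7.8 pop3 10.10.10.2 pop3 netmask 255.255.255.255
no static (inside,outside) tcp 5.6.7.8 imap4 10.10.10.2 imap4 netmask 255.255.255.255
static (inside,outside) 5.6.7.8 10.10.10.2 netmask 255.255.255.255
!
! The static now maps every port and protocol, so the outside ACL is what
! keeps 10.10.10.2 limited to mail plus ping. Pre-8.3 code matches the
! translated (global) address in interface ACLs, hence 5.6.7.8 below.
access-list acl_outside extended permit icmp any any echo
access-list acl_outside extended permit icmp any any echo-reply
access-list acl_outside extended permit tcp any host 5.6.7.8 eq smtp
access-list acl_outside extended permit tcp any host 5.6.7.8 eq pop3
access-list acl_outside extended permit tcp any host 5.6.7.8 eq imap4
access-list acl_outside extended deny ip any any
!
access-group acl_outside in interface outside
!
! Existing translation entries are not rebuilt automatically after a
! static change; clear them so the new static takes effect.
clear xlate
```

Two practical notes. New `access-list` lines are appended, so typing the TCP entries above into the existing ACL would put them after the thread's `deny ip any any` and they would never be hit; either rebuild the ACL or place them with `access-list acl_outside line <n> extended ...`. Also, the `icmp permit any echo outside` lines in the first post only govern ICMP addressed to the ASA's own outside interface, not traffic passing through it, which is why the interface answered pings while 1.2.3.4 did not; through-traffic is decided by the translation plus the interface ACL shown here.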