Cisco Support Community

Bronze

Allowing Pings on a NAT Global

I want to allow pings to and from a NAT Global public IP on an ASA running 8.0(4) code. Here is the config:

access-list acl_outside extended permit icmp any any echo

access-list acl_outside extended permit icmp any any echo-reply

access-list acl_outside extended deny ip any any

!

access-group acl_outside in interface outside

!

icmp permit any echo outside

icmp permit any echo-reply outside

I am able to ping the ASA's outside interface, but not any of the NAT Global addresses. What am I missing?

5 REPLIES
Hall of Fame Super Blue

Re: Allowing Pings on a NAT Global

John

Could you give an example of one of your global NATs, or better yet, could you post the config of the ASA together with some details on which IP address you are trying to ping?

Jon

Bronze

Re: Allowing Pings on a NAT Global

Here's the NAT Global config. It's pretty straightforward.

global (outside) 1 1.2.3.4

nat (inside) 1 192.168.100.0 255.255.255.0

The error message says ICMP type 8 is denied to 1.2.3.4.

Hall of Fame Super Blue

Re: Allowing Pings on a NAT Global

John

This is a dynamic NAT setup. So you will not be able to be on the outside of the firewall and ping 1.2.3.4, because the firewall doesn't know which IP address from the 192.168.100.x address you want it to translate to.

To ping from the outside to the inside you will need a static, e.g.

static (inside,outside) x.x.x.x 192.168.100.x

where x.x.x.x is an IP address presented to the outside and 192.168.100.x is an IP address on the inside that maps to x.x.x.x.

Jon

Bronze

Re: Allowing Pings on a NAT Global

OK, that makes sense. We have another address that is a global combined w/ static for our e-mail server:

global (outside) 2 5.6.7.8

!

nat (inside) 2 10.10.10.2 255.255.255.255

!

static (inside,outside) tcp 5.6.7.8 smtp 10.10.10.2 smtp netmask 255.255.255.255

static (inside,outside) tcp 5.6.7.8 pop3 10.10.10.2 pop3 netmask 255.255.255.255

static (inside,outside) tcp 5.6.7.8 imap4 10.10.10.2 imap4 netmask 255.255.255.255

I take it since this has a global, I would have to redirect ICMP echos to the internal IP of 10.10.10.2?

Hall of Fame Super Blue

Re: Allowing Pings on a NAT Global

John

"I take it since this has a global, I would have to redirect ICMP echos to the internal IP of 10.10.10.2?"

Not sure exactly what you mean here. You can't redirect ports with ICMP as far as I know. So you would need a straight static, i.e. not specifying individual ports.

Jon
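
The lookup behaviour discussed in this thread, as an added example that is not part of any post and is not ASA code: a simplified Python model of how inbound packets resolve against dynamic PAT, port-redirect statics and a one-to-one static. The `Firewall` class, the inside host 192.168.100.10 used with it, and the 203.0.113.9 to 10.10.10.9 static are assumptions constructed for illustration; the other addresses are the ones quoted above.

```python
# Simplified model of how a firewall resolves inbound packets against its
# NAT configuration. Not ASA code; addresses marked "constructed" are not
# from the thread.
import ipaddress

# static (inside,outside) tcp 5.6.7.8 <port> 10.10.10.2 <port>
STATIC_PORT = {("5.6.7.8", "tcp", p): "10.10.10.2" for p in (25, 110, 143)}
# Hypothetical one-to-one static (constructed addresses)
STATIC_HOST = {"203.0.113.9": "10.10.10.9"}
# nat/global pairs from the thread: inside source network -> PAT address
DYNAMIC_PAT = {
    ipaddress.ip_network("192.168.100.0/24"): "1.2.3.4",
    ipaddress.ip_network("10.10.10.2/32"): "5.6.7.8",
}


class Firewall:
    def __init__(self):
        self.xlates = {}  # (global_ip, icmp_id) -> inside host

    def outbound_echo(self, inside_ip, icmp_id):
        """An inside host pings out: a temporary translation is created."""
        for net, global_ip in DYNAMIC_PAT.items():
            if ipaddress.ip_address(inside_ip) in net:
                self.xlates[(global_ip, icmp_id)] = inside_ip
                return global_ip
        return None

    def inbound(self, proto, dst_ip, port=None, icmp_type=None, icmp_id=None):
        """Return the inside host an outside packet maps to, or None."""
        if dst_ip in STATIC_HOST:                 # permanent, any protocol
            return STATIC_HOST[dst_ip]
        if (dst_ip, proto, port) in STATIC_PORT:  # permanent, one TCP port
            return STATIC_PORT[(dst_ip, proto, port)]
        if proto == "icmp" and icmp_type == "echo-reply":
            return self.xlates.get((dst_ip, icmp_id))  # reply to our ping
        return None  # unsolicited: nothing says which inside host is meant
```

In this model an unsolicited echo to 1.2.3.4 or 5.6.7.8 resolves to no inside host, while SMTP to 5.6.7.8 and any traffic to the one-to-one static do; whether the packet is then permitted is still decided by the interface ACL.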
