Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
380
Views
0
Helpful
5
Replies

Allowing Pings on a NAT Global

johnnylingo
Level 5
Level 5

‎12-08-2008 11:17 AM - edited ‎03-11-2019 07:22 AM

I want to allow pings to and from a NAT Global public IP on an ASA running 8.0(4) code. Here is the config:

access-list acl_outside extended permit icmp any any echo

access-list acl_outside extended permit icmp any any echo-reply

access-list acl_outside extended deny ip any any

!

access-group acl_outside in interface outside

!

icmp permit any echo outside

icmp permit any echo-reply outside

I am able to ping the ASA's outside interface, but not any of the NAT Global addresses. What am I missing?

Labels:
0 Helpful
5 Replies 5

Jon Marshall
Hall of Fame
Hall of Fame

‎12-08-2008 11:31 AM

John

Could you give an example of one of your global NAT's or better yet could you post the config of the ASA together with some details on which IP address you are trying to ping.

Jon

0 Helpful

johnnylingo
Level 5
Level 5
In response to Jon Marshall

‎12-08-2008 03:49 PM

Here's the NAT Global config. It's pretty straightforward.

global (outside) 1 1.2.3.4

nat (inside) 1 192.168.100.0 255.255.255.0

The error messages says ICMP type 8 is denied to 1.2.3.4

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to johnnylingo

‎12-08-2008 03:57 PM

John

This is a dynamic NAT setup. So you will not be able to be on the outside of the firewall and ping 1.2.3.4 because the firewall doesn't know which ip address from the 192.168.100.x address you want it to translate to.

To ping from the outside to the inside you will need a static eg.

static (inside,outside) x.x.x.x 192.168.100.x

where x.x.x.x is an IP address presented to the outside and 192.168.100.x is an IP address on the inside that maps to x.x.x.x.

Jon

0 Helpful

johnnylingo
Level 5
Level 5
In response to Jon Marshall

‎12-08-2008 04:16 PM

OK, that makes sense. We have another address that is a global combined w/ static for our e-mail server:

global (outside) 2 5.6.7.8

!

nat (inside) 2 10.10.10.2 255.255.255.255

!

static (inside,outside) tcp 5.6.7.8 smtp 10.10.10.2 smtp netmask 255.255.255.255

static (inside,outside) tcp 5.6.7.8 pop3 10.10.10.2 pop3 netmask 255.255.255.255

static (inside,outside) tcp 5.6.7.8 imap4 10.10.10.2 imap4 netmask 255.255.255.255

I take it since this has a global, I would have to redirect ICMP echos to the internal IP of 10.10.10.2?

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to johnnylingo

‎12-08-2008 04:46 PM

John

"I take it since this has a global, I would have to redirect ICMP echos to the internal IP of 10.10.10.2?"

Not sure exactly what you mean here. You can't redirect ports with ICMP as far as i know. So you would need a straight static ie. not specifying individual ports.

Jon

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card