ASA 5505 9.1(2) icmp issue from outside

Hi all,

This is the scenario:

  1. Provider gave us a public space address 93.XX.XX.160/27
  2. Provider's router ip address is 93.XX.XX.161
  3. ASA outside interface ip address is 93.XX.XX.162
  4. Proxy ARP and ICMP inspection are enabled on Outside interface

I've successfully configured a network object static PAT rule, allowing https requests incoming from outside to reach our web server in the DMZ; the inside global address is 93.XX.XX.163. I also configured an inbound access-list applied to the outside interface that allows https traffic from outside addresses to my DMZ webserver. All works fine and I can see traffic flowing from outside to our webserver in the system logs.

Now I'd like to enable ICMP from outside addresses to the inside global address 93.XX.XX.163.

The first thing I noticed is that no request from any outside address to 93.XX.XX.163 arrives at the ASA's outside interface, unless it's directed to the https port (the statically translated one).

This sounds strange to me because the ISP router must have an ARP entry for 93.XX.XX.163 to reach our webserver.

So I executed packet-tracer:

packet-tracer input outside icmp 8.8.8.8 1 1 93.XX.XX.163

and this is the output :

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 93.XX.2XX.160 255.255.255.224 outside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate

What can I do to allow ICMP from outside to address 93.XX.XX.163?

What does the output of packet-tracer mean?

Is the issue related to our ISP, or am I missing something in my ASA configuration?

Thank you in advance.

Regards

1 ACCEPTED SOLUTION

ASA 5505 9.1(2) icmp issue from outside

Hi,

Are you saying that you have used a free public IP address from the subnet the ISP allocated for you and only done Static PAT (Port Forward) for port TCP/443?

If this is the case then you won't be able to send ICMP from the public network to this server.

Since you seem to have a decent sized public subnet at your disposal I would suggest configuring Static NAT instead of Static PAT (unless of course the situation is already that, you didn't provide any configurations) and just allow ICMP Echo in the "outside" interface inbound ACL.

So I assume you have this at the moment:

object network STATIC-PAT
 host x.x.x.x
 nat (inside,outside) static 93.x.x.163 service tcp 443 443

I would suggest configuring Static NAT:

object network STATIC-NAT
 host x.x.x.x
 nat (inside,outside) static 93.x.x.163

This would enable contacting the internal server with any service that you allow in the ACL.

Hope this helps

- Jouni
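The change Jouni describes, written out end to end as an added example (it is not the original poster's configuration nor Jouni's, and nothing on the page shows the real config). It assumes the web server's real address is 10.10.10.10 on an interface named dmz, an inbound ACL named OUTSIDE-IN, the ICMP inspection the OP already has enabled, and the ASA 8.3+ NAT/ACL syntax that 9.1(2) uses. The public address keeps the thread's own redaction (93.x.x.163).

```cisco
! Added example, not the thread's own configuration.
! Assumptions: server real IP 10.10.10.10 on interface "dmz",
! inbound ACL named OUTSIDE-IN, ASA 9.1(2) (8.3+ NAT/ACL syntax).

! 1. Replace the port-level static PAT with a one-to-one static NAT.
!    A network object holds only one nat statement, so the PAT line
!    is removed before the static NAT is added.
object network DMZ-WEB
 host 10.10.10.10
 no nat (dmz,outside) static 93.x.x.163 service tcp 443 443
 nat (dmz,outside) static 93.x.x.163

! 2. Static NAT exposes every port of the server at 93.x.x.163, so the
!    interface ACL is now the only gate. On 8.3+ the ACL is matched
!    against the REAL (untranslated) address, not the mapped one.
!    Permit echo only; the reply comes back through ICMP inspection.
access-list OUTSIDE-IN extended permit tcp any host 10.10.10.10 eq https
access-list OUTSIDE-IN extended permit icmp any host 10.10.10.10 echo
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside

! 3. ICMP inspection pairs each echo request with its echo reply as a
!    session, so no inbound permit for echo-reply (or anything else
!    ICMP) is needed.
policy-map global_policy
 class inspection_default
  inspect icmp

! 4. Verify. Echo request is ICMP type 8, code 0. packet-tracer on the
!    outside interface takes the destination as seen on the wire, i.e.
!    the mapped address.
packet-tracer input outside icmp 8.8.8.8 8 0 93.x.x.163
show xlate | include 93.x.x.163
show nat detail
```

Two things in the ACL are easy to get wrong on 8.3+: it is evaluated against the real address, so an entry written for 93.x.x.163 would never match; and `permit icmp any host ...` without a type keyword also admits redirects, timestamp requests and the rest, so limit it to `echo` and let inspection handle the reply. Note what the switch buys and costs: with the static PAT the NAT stage itself discarded everything except TCP/443 (that is the `nat-no-xlate-to-pat-pool` drop in the OP's trace, and why nothing but https seemed to reach the outside interface), whereas with static NAT the ACL alone does that job, which is why the explicit `deny ip any any log` at the end is worth keeping for visibility. After the change, `show xlate` should list a static entry for 93.x.x.163 and the packet-tracer phases should end in `Action: allow`; the thread's trace used ICMP type 1 code 1, which is not an echo request, so use 8 0 when re-testing.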


ASA 5505 9.1(2) icmp issue from outside

Hi Jouni,

This is exactly what I mean!

Configuring a static NAT solved the issue, ICMP works great!

Thank you so much
