09-17-2013 07:13 AM - edited 03-11-2019 07:39 PM
Hi all,
this is the scenario:
I've successfully configured a network object static PAT rule, allowing https requests incoming from outside to reach our web server in the DMZ; the inside global address is 93.XX.XX.163. I also configured an inbound access-list applied to the outside interface that allows https traffic from outside addresses to my DMZ webserver. All works fine and I can see traffic flowing from outside to our webserver looking at the system logs.
Now I'd like to enable ICMP from outside addresses to the inside global address 93.XX.XX.163.
The first thing I noticed is that every request from every outside address incoming to 93.XX.XX.163 does not arrive at the ASA's outside interface, unless it's directed to the https (static translated) port.
This sounds strange to me because the ISP router must have an ARP entry for 93.XX.XX.163 to reach our webserver.
So I executed packet tracer:
packet-tracer input outside icmp 8.8.8.8 1 1 93.XX.XX.163
and this is the output:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 93.XX.2XX.160 255.255.255.224 outside
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
What can I do to allow ICMP from outside to address 93.XX.XX.163?
What does the output of packet-tracer mean?
Is the issue related to our ISP or am I missing something in my ASA configuration?
Thank you in advance.
Regards
09-17-2013 07:20 AM
Hi,
Are you saying that you have used a free public IP address from the subnet the ISP allocated for you and only done Static PAT (Port Forward) for port TCP/443?
If this is the case then you won't be able to send ICMP from the public network to this server.
Since you seem to have a decent sized public subnet at your disposal I would suggest configuring Static NAT instead of Static PAT (unless of course the situation is already that, you didn't provide any configurations) and just allow ICMP Echo on the "outside" interface inbound ACL.
So I assume you have this at the moment:
object network STATIC-PAT
host x.x.x.x
nat (inside,outside) static 93.x.x.163 service tcp 443 443
I would suggest configuring Static NAT:
object network STATIC-NAT
host x.x.x.x
nat (inside,outside) static 93.x.x.163
This would enable contacting the internal server with any service that you allow in the ACL.
Hope this helps
- Jouni
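To make the difference between the two rule shapes concrete, here is an added model (not Cisco code, not from the thread) of how the ASA handles an inbound packet to a mapped address: static PAT owns the address only for the listed service, so anything else hits the "nat-no-xlate-to-pat-pool" drop the poster saw, while static NAT untranslates every protocol and leaves it to the outside inbound ACL to decide what gets through. Addresses are constructed (RFC 5737 range standing in for the redacted 93.XX.XX.163), and the ACL is written against the real address as on ASA 8.3+.

```python
from dataclasses import dataclass

# Constructed values; the drop-reason string is the one quoted in the thread.
MAPPED_IP = "203.0.113.163"
REAL_HOST = "10.10.10.10"
PAT_DROP = "(nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate"

@dataclass(frozen=True)
class StaticNat:           # nat (inside,outside) static <mapped>
    real_host: str
    mapped_ip: str

@dataclass(frozen=True)
class StaticPat:           # nat (inside,outside) static <mapped> service tcp 443 443
    real_host: str
    mapped_ip: str
    proto: str
    mapped_port: int
    real_port: int

@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp", "udp" or "icmp"
    dst: str
    dport: int = None      # None for ICMP

def untranslate(rules, pkt):
    """Map an inbound packet's destination back to the real host, or return a drop reason.
    Static NAT is one-to-one for every protocol; static PAT only covers the listed service."""
    for r in rules:
        if r.mapped_ip != pkt.dst:
            continue
        if isinstance(r, StaticNat):
            return (r.real_host, pkt.dport)
        if r.proto == pkt.proto and r.mapped_port == pkt.dport:
            return (r.real_host, r.real_port)
    if any(isinstance(r, StaticPat) and r.mapped_ip == pkt.dst for r in rules):
        return PAT_DROP    # address is owned by a PAT rule, but no xlate for this service
    return "no translation for destination (model)"

def process_inbound(rules, acl, pkt):
    """NAT untranslate first, then the outside inbound ACL (entries: proto, real host, port)."""
    result = untranslate(rules, pkt)
    if isinstance(result, str):
        return ("drop", result)
    real_dst, real_port = result
    for proto, host, port in acl:
        if proto == pkt.proto and host == real_dst and port in (None, real_port):
            return ("allow", real_dst)
    return ("drop", "acl-drop (model): no permit for %s to %s" % (pkt.proto, real_dst))

PAT_RULES = [StaticPat(REAL_HOST, MAPPED_IP, "tcp", 443, 443)]   # the poster's original rule
NAT_RULES = [StaticNat(REAL_HOST, MAPPED_IP)]                    # Jouni's suggestion
ACL = [("tcp", REAL_HOST, 443), ("icmp", REAL_HOST, None)]        # https plus ICMP echo only
```

With the static NAT rule the mapped address answers for every protocol, so the ACL is the only thing keeping, for example, TCP/22 to the same address out; the model shows that packet reaching the ACL and being dropped there rather than by NAT.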
09-17-2013 07:47 AM
Hi Jouni,
this is exactly what I mean!
Configuring a static NAT solved the issue, icmp works great!
Thank you so much