ASA 5505 - Cannot ping outside natted interface

amrinw1133
Level 1

Hello,

I have a Cisco ASA 5505. The problem is that I am not able to ping the outside NATed interface (IPs: 172.88.188.123, 124 and 125) from the inside network.

Could someone help me resolve this? I have looked for ASA documentation on the internet and still found nothing.

Thank you in advance.

The config is:

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name domain
enable password ********** encrypted
passwd ************ encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.88.188.122 255.255.255.248
!
interface Vlan3
 no forward interface Vlan2
 nameif backup
 security-level 0
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name domain
same-security-traffic permit intra-interface
access-list outside_in extended permit tcp any host 172.88.188.123 eq smtp
access-list outside_in extended permit tcp any host 172.88.188.123 eq pop3
access-list outside_in extended permit tcp any host 172.88.188.123 eq www
access-list outside_in extended permit icmp any any
access-list outside_in extended permit icmp any any echo-reply
access-list inside_out extended permit tcp 192.168.1.0 255.255.255.0 any
access-list inside_out extended permit udp 192.168.1.0 255.255.255.0 any
access-list inside_out extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 172.88.188.128
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 172.88.188.123 192.168.1.253 netmask 255.255.255.255
static (inside,outside) 172.88.188.124 192.168.1.251 netmask 255.255.255.255
static (inside,outside) 172.88.188.125 192.168.1.5 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 172.88.188.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 1048575
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:865943aa325eb75812628fec3b1e7249
: end

Accepted Solutions

acomiskey
Level 10

You are looking for this. There are 2 options: DNS doctoring or hairpinning (2nd part of the document). Post back if you need help setting it up.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Hairpinning would look like this in your scenario.

same-security-traffic permit intra-interface
global (inside) 1 interface
static (inside,inside) 172.88.188.123 192.168.1.253 netmask 255.255.255.255
static (inside,inside) 172.88.188.124 192.168.1.251 netmask 255.255.255.255
static (inside,inside) 172.88.188.125 192.168.1.5 netmask 255.255.255.255
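
An added example, not part of acomiskey's answer or the linked Cisco document: a Python check that reads a pre-8.3 ASA config and lists which of the hairpinning commands above are still missing. The function name and the sample config (cut down from the question) are constructed for illustration, and it only handles host statics written in the form used on this page.

```python
import re

# Constructed sample: the NAT-related lines from the question's running config.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 172.88.188.123 192.168.1.253 netmask 255.255.255.255
static (inside,outside) 172.88.188.124 192.168.1.251 netmask 255.255.255.255
static (inside,outside) 172.88.188.125 192.168.1.5 netmask 255.255.255.255
"""

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) ")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")


def missing_hairpin_commands(config, inside="inside", outside="outside"):
    """List the hairpinning commands a pre-8.3 ASA config still lacks."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    have = set(lines)
    wanted = ["same-security-traffic permit intra-interface"]

    # Inside clients must be PATed to the ASA's inside address so the server
    # replies via the ASA instead of answering the client directly on the LAN.
    nat_ids = set()
    for ln in lines:
        m = NAT_RE.match(ln)
        if m and m.group(1) == inside and m.group(2) != "0":  # id 0 = no NAT
            nat_ids.add(int(m.group(2)))
    wanted += [f"global ({inside}) {i} interface" for i in sorted(nat_ids)]

    # Mirror every (inside,outside) host static as an (inside,inside) static.
    for ln in lines:
        m = STATIC_RE.match(ln)
        if m and m.group(1) == inside and m.group(2) == outside:
            mapped, real, mask = m.group(3, 4, 5)
            wanted.append(
                f"static ({inside},{inside}) {mapped} {real} netmask {mask}")

    return [cmd for cmd in wanted if cmd not in have]


if __name__ == "__main__":
    for cmd in missing_hairpin_commands(SAMPLE_CONFIG):
        print(cmd)
```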


Hi acomiskey,

It works!!! I used hairpinning and it works.

Thanks a lot, you just saved my day.
