New Member

ASA 5505 - Cannot ping outside natted interface

Hello,

I have a Cisco ASA 5505. The problem is that I am not able to ping the outside NATed interface (IP: 172.88.188.123, 124 and 125) from the inside network.

Could someone help me to resolve this? I have looked for ASA documentation through the internet and still got nothing.

Thank you in advance

The config is:

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name domain
enable password ********** encrypted
passwd ************ encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.88.188.122 255.255.255.248
!
interface Vlan3
 no forward interface Vlan2
 nameif backup
 security-level 0
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name domain
same-security-traffic permit intra-interface
access-list outside_in extended permit tcp any host 172.88.188.123 eq smtp
access-list outside_in extended permit tcp any host 172.88.188.123 eq pop3
access-list outside_in extended permit tcp any host 172.88.188.123 eq www
access-list outside_in extended permit icmp any any
access-list outside_in extended permit icmp any any echo-reply
access-list inside_out extended permit tcp 192.168.1.0 255.255.255.0 any
access-list inside_out extended permit udp 192.168.1.0 255.255.255.0 any
access-list inside_out extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 172.88.188.128
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 172.88.188.123 192.168.1.253 netmask 255.255.255.255
static (inside,outside) 172.88.188.124 192.168.1.251 netmask 255.255.255.255
static (inside,outside) 172.88.188.125 192.168.1.5 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 172.88.188.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 1048575
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:865943aa325eb75812628fec3b1e7249
: end


Accepted Solutions
Green

Re: ASA 5505 - Cannot ping outside natted interface

You are looking for this. 2 options: DNS doctoring or hairpinning (2nd part of document). Post back if you need help setting it up.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Hairpinning would look like this in your scenario.

same-security-traffic permit intra-interface
global (inside) 1 interface
static (inside,inside) 172.88.188.123 192.168.1.253 netmask 255.255.255.255
static (inside,inside) 172.88.188.124 192.168.1.251 netmask 255.255.255.255
static (inside,inside) 172.88.188.125 192.168.1.5 netmask 255.255.255.255
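
An added example, not part of the original posts or of Cisco's document: a small Python check that reads an ASA 8.2-style configuration and lists which of the hairpinning commands from the answer above are still missing. The function name and the embedded sample (the NAT-related lines of the posted configuration) are assumptions made for illustration.

```python
import re

# Constructed sample: the NAT-relevant lines of the configuration posted above.
POSTED = """\
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 172.88.188.123 192.168.1.253 netmask 255.255.255.255
static (inside,outside) 172.88.188.124 192.168.1.251 netmask 255.255.255.255
static (inside,outside) 172.88.188.125 192.168.1.5 netmask 255.255.255.255
"""

STATIC = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
NAT = re.compile(r"^nat \((\w+)\) (\d+) ")
GLOBAL = re.compile(r"^global \((\w+)\) (\d+) \S+")


def missing_hairpin_lines(config, inside="inside", outside="outside"):
    """Return the 8.2-style commands still needed so hosts on `inside`
    can reach inside servers through their outside-mapped addresses."""
    lines = [line.strip() for line in config.splitlines()]
    statics = [m.groups() for m in map(STATIC.match, lines) if m]
    published = [s for s in statics if s[0] == inside and s[1] == outside]
    if not published:
        return []  # nothing is published to the outside, nothing to hairpin
    # Dynamic NAT ids applied to inside sources (id 0 is NAT exemption).
    nat_ids = dict.fromkeys(
        m.group(2) for m in map(NAT.match, lines)
        if m and m.group(1) == inside and m.group(2) != "0")
    pools = {m.groups() for m in map(GLOBAL.match, lines) if m}
    have = {s[:4] for s in statics}
    needed = []
    # 1. Traffic must be allowed to leave the interface it arrived on.
    if "same-security-traffic permit intra-interface" not in lines:
        needed.append("same-security-traffic permit intra-interface")
    # 2. Inside clients need a translation when they exit via `inside`.
    for nat_id in nat_ids:
        if (inside, nat_id) not in pools:
            needed.append(f"global ({inside}) {nat_id} interface")
    # 3. Each outside-mapped address must also be mapped inside-to-inside.
    for _, _, mapped, real, mask in published:
        if (inside, inside, mapped, real) not in have:
            needed.append(
                f"static ({inside},{inside}) {mapped} {real} netmask {mask}")
    return needed
```

With `global (inside) 1 interface` in place, hairpinned connections arrive at the inside servers sourced from the ASA's inside address (192.168.1.254 here), so server logs and IP-based access rules no longer see the individual client addresses.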

New Member

Re: ASA 5505 - Cannot ping outside natted interface

Hi Acommiskey,

It works!!! I use hairpinning and it works.

Thanks a lot, you just saved my day.
