I am using an ASA 5510 appliance in a test environment and noticed that from the inside network I can ping most IPs on the internet, for example yahoo.ca.
But I can NOT ping the public IP of my own servers, which are statically NATed on my ASA, and I am trying to understand the process and, if possible, a workaround to achieve it.
Currently ICMP is allowed any to any for this testing, and the outbound traffic gets NATed to the outside interface of my ASA.
I will appreciate any advice.
This is solved with "alias" in PIX or what is referred to as bi-directional NAT on ASA. Try this...
I've been trying to make this work and have had no luck. I've got a 515E running 7.0(2) and attempted to use this command to allow hosts on my 172.17.150.0/24 subnet to browse the website on 22.214.171.124:
static (outside,inside) 126.96.36.199 172.17.150.23 255.255.255.255
It simply will not seem to work. Can anyone lend some assistance?
Just saw your question in the middle of this thread, which I initiated a few months ago; the issue was finally resolved, so I thought I would post it in case you are looking for the same solution.
As per your description, 172.17.150.0/24 is your inside network, you are trying to have a static NAT translation 188.8.131.52 to 172.17.150.23, and you also want to browse the website on IP 184.108.40.206.
I assume you are trying it from a machine on the inside of your network; if that's the case, then we are on the same page, and here is how you will resolve this.
same-security-traffic permit intra-interface
static (inside,outside) 220.127.116.11 172.17.150.23 netmask 255.255.255.255
static (inside,inside) 18.104.22.168 172.17.150.23 netmask 255.255.255.255
static (inside,inside) 172.27.150.200 172.17.150.200 netmask 255.255.255.255
Because the request is initiated from inside the firewall, it hits the INSIDE interface; then, after the NAT translation, the packets have to come out of the same INSIDE interface towards your LAN, so the first command allows packets to enter and leave from the same interface. It is a global command.
The second command will allow your web server with private IP 172.17.150.23 to appear as public IP 22.214.171.124 to the outside world (not to inside users).
Assuming the client on the inside network has IP 172.17.150.200, when it tries to access the web site by public IP 126.96.36.199, the third command translates the web server's public IP to its private IP.
The fourth command does the source translation, converting the original client IP 172.17.250.200 to a fake, non-existing IP 172.27.250.200. (This step is very important, because without it the web server will receive the incoming packet, but for the return traffic it will try to go to the client IP directly, because it is in the same subnet, and it never reaches there as it bypasses the firewall.) So in the web server logs it will appear as if the request has come from 172.27.150.200, NOT 172.17.150.200.
Hope it helps.
From "inside" you can never ever ping public IPs used in a static mapping, if that's what you are trying, until you are U-turning the traffic.
Can you tell us from where you are trying to ping those public IPs?
OK, here is a bit more detailed description:
A very standard setup: an ASA 5510 firewall (outside 66.48.x.x; inside 10.10.40.5); behind that is a CSS 11503 load balancer (outside 10.10.40.3; inside 172.16.70.3); behind the CSS there are a bunch of web servers (172.16.70.100, 101, 102) and an FTP server (172.16.70.200).
The requirement is to allow the FTP server to access the web servers using farm IP 10.10.40.254, and by default the load balancer does NOT entertain any request (for the farm it is handling) which doesn't come through its outside interface (10.10.40.3). So I am trying to target the public IP of the server farm, so that from the FTP server the packets first cross the CSS load balancer, hit the inside interface of the ASA, and then come back with a different source IP (which is the static public IP of the FTP server), hit the outside interface of the CSS, and it processes the request just as if it were for an Internet client.
Not sure if I explained that well; in a nutshell, a server behind the load balancer is trying to access the load-balanced farm IP to maintain redundancy for HTTP access.
Do you necessarily need the 10.10.40.254 IP to access the web servers? If not, then you can use the U-turning feature of the ASA.
That means your FTP server would send the request to the ASA; the packet would have a destination of a virtual IP, 10.10.1.1 (let's say), and the ASA would xlate it back to 172.16.70.100.
Does the CSS do NAT?
Is this the topology?
66.48.x.x--ASA--10.10.40.5====.3CSS(load balancer)---172.16.70.3---| 172.16.70.100,101,102 |
The FTP server (172.16.70.200) is actually sitting in the same subnet as the web servers.
That's where the problem lies. Otherwise, for any client in a different subnet doing HTTP access that targets farm IP 10.10.40.254 (or 66.48.x.x for Internet clients), the packets hit the CSS outside i/f and the return traffic also goes back THROUGH the load balancer, so it works.
The load balancer does not do any NATing; however, when it receives a request, if it is for one of its farm IPs (10.10.40.254) it does the load balancing and passes the request to the member servers in that farm; if NOT, then it simply acts as a router and just passes the request based on its routing table.
I tried the configuration you suggested using a virtual IP of 10.10.60.254, but the ping to 10.10.60.254 from a server 172.16.70.104 doesn't work, and I am getting the following error in ASA ASDM:
3 Mar 17 2007 00:29:29 305006 10.10.60.254 portmap translation creation failed for icmp src inside:172.16.70.104 dst inside:10.10.60.254 (type 8, code 0)
In this case 172.16.70.104 was another FTP server.
I also tried alias and bi-directional NAT, as the other user suggested, but that did not help either.
When I start a packet capture on the inside of the ASA, I only see ICMP requests coming in for 10.10.60.254 but no reply packet.
Hope it helps for better understanding.
OK, it finally worked. Your advice was really VERY helpful; I had to tweak it a little bit as below:
same-security-traffic permit intra-interface
static (inside,inside) 66.48.x.y 10.10.40.254 netmask 255.255.255.255
static (inside,inside) 66.48.x.z 172.16.70.104 netmask 255.255.255.255
This way, when the FTP server sends an HTTP request to the public IP of the web farm, 66.48.x.y, the request goes through the CSS and hits the inside interface of the ASA. The ASA then translates the destination from 66.48.x.y to 10.10.40.254 and also the source IP from 172.16.70.104 to 66.48.x.z. So now the load balancer thinks the request has come in on its outside interface from 66.48.x.z (I verified it from the website log file), and the return traffic doesn't try to reach the FTP server through the CSS inside interface; rather it goes through the CSS outside i/f and hits the ASA inside interface again. Then the ASA does the reverse translation, and those packets are forwarded to 172.16.70.104, which again hits the CSS outside interface and eventually reaches the FTP server.
I thought I must provide an update before closing this thread, in case it helps anybody else.
This workaround I achieved through the ASA would be much better if somehow I could restrict myself just to the load balancer itself; I will keep looking for that.
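The following is an added illustration, not code from the thread or from Cisco, of why the hairpin ("U-turn") configuration in the earlier answer and in the final post needs both a destination static for the farm and a source static for the client in the same subnet. It models the two `static (inside,inside)` entries from the final post as a tiny NAT table and walks one request and its reply through it. The addresses 66.48.0.1 and 66.48.0.2 are constructed stand-ins for the thread's 66.48.x.y and 66.48.x.z, and the farm member 172.16.70.100 is assumed to be the server the CSS picks; the model ignores ports and conn-table state, since a one-to-one static is symmetric.

```python
"""Model of ASA hairpin static NAT: traffic enters and leaves the inside interface.

Added illustration for the thread's final configuration (not the thread's own code).
Constructed stand-ins: 66.48.0.1 = 66.48.x.y (farm public IP), 66.48.0.2 = 66.48.x.z
(FTP server's public IP). Ports and the connection table are deliberately omitted.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Static:
    """One 'static (real_if,mapped_if) mapped real netmask 255.255.255.255' line."""
    real_if: str
    mapped_if: str
    mapped: str
    real: str


class Asa:
    """A packet entering `ingress` gets its destination un-translated (mapped -> real)
    by a static whose mapped_if is the ingress interface, and its source translated
    (real -> mapped) by a static whose real_if is the ingress interface."""

    def __init__(self, statics, intra_interface: bool):
        self.statics = list(statics)
        # same-security-traffic permit intra-interface
        self.intra_interface = intra_interface

    def translate(self, pkt: Packet, ingress: str) -> Optional[Tuple[Packet, str]]:
        """Return (translated packet, egress interface), or None if the ASA drops it."""
        dst_static = next((s for s in self.statics
                           if s.mapped_if == ingress and s.mapped == pkt.dst), None)
        if dst_static is None:
            return None                      # no xlate for this destination
        egress = dst_static.real_if
        if egress == ingress and not self.intra_interface:
            return None                      # hairpin not permitted on this ASA
        src_static = next((s for s in self.statics
                           if s.real_if == ingress and s.mapped_if == egress
                           and s.real == pkt.src), None)
        src = src_static.mapped if src_static else pkt.src
        return Packet(src, dst_static.real), egress


# static (inside,inside) 66.48.x.y 10.10.40.254 netmask 255.255.255.255
FARM_STATIC = Static("inside", "inside", "66.48.0.1", "10.10.40.254")
# static (inside,inside) 66.48.x.z 172.16.70.104 netmask 255.255.255.255
FTP_STATIC = Static("inside", "inside", "66.48.0.2", "172.16.70.104")
SERVER_NET = ip_network("172.16.70.0/24")   # web servers and FTP server share it
FARM_MEMBER = "172.16.70.100"               # assumed: the real server the CSS picks


def hairpin_session(asa: Asa, client: str, target: str) -> dict:
    """Walk one request/reply through the hairpin and report what the client sees."""
    out = {"request": None, "reply_bypasses_firewall": False,
           "reply_at_client": None, "session_ok": False}
    fwd = asa.translate(Packet(client, target), "inside")
    if fwd is None:
        return out                           # request dropped at the ASA
    req, _ = fwd
    out["request"] = (req.src, req.dst)
    if ip_address(req.src) in SERVER_NET:
        # The farm member sees an on-link source and answers it directly: the reply
        # never crosses the CSS outside interface or the ASA (the thread's failure).
        out["reply_bypasses_firewall"] = True
        reply = Packet(FARM_MEMBER, req.src)
    else:
        # Off-subnet source: the CSS sends the reply from the farm IP toward the ASA,
        # which reverses both statics on the way back.
        back = asa.translate(Packet(req.dst, req.src), "inside")
        if back is None:
            return out
        reply, _ = back
    out["reply_at_client"] = (reply.src, reply.dst)
    # The client only accepts a reply from the address it actually spoke to.
    out["session_ok"] = reply.src == target and reply.dst == client
    return out


if __name__ == "__main__":
    for label, asa in [("farm static only", Asa([FARM_STATIC], True)),
                       ("both statics", Asa([FARM_STATIC, FTP_STATIC], True)),
                       ("no intra-interface", Asa([FARM_STATIC, FTP_STATIC], False))]:
        print(label, hairpin_session(asa, "172.16.70.104", "66.48.0.1"))
```

Running it shows the three outcomes the thread went through: with only the farm static the request is translated but the reply comes straight from a farm member on the same subnet and the session never completes; with both statics the client receives its reply from 66.48.0.1, the address it asked for; without `same-security-traffic permit intra-interface` the request is dropped at the ASA.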