ICMP not working through NAT

aconticisco, Level 2

Hello,

I have completed a NAT setup on ASA 8.4 so that computers behind an internal interface get their IP translated to the outside interface IP range.

It works OK, as I can browse fine from the internal computer; however, ICMP pings are not getting back and are timing out.

Any reason why this would happen? Here is my config in brief:

object network inside
 subnet 192.168.3.0 255.255.255.0
object network outside-pool
 range 192.168.1.40 192.168.1.80
object network inside
 nat dynamic outside-pool

Thank you.

 

Accepted Solution

Harvey Ortiz, Level 1

Hello,

From your problem description, I think the issue might be related to a missing inspection (icmp).

If possible you can add:

fixup protocol icmp

Then try again to ping something on the Internet, for example: 4.2.2.2 or 8.8.8.8

Please remember to rate and select the correct answer.


4 Replies


Excellent. Why is this not recognized as part of the originating traffic (the same as it is for HTTP traffic)?

Hi,

The ICMP inspection engine allows ICMP traffic to be inspected like TCP and UDP traffic. Without the ICMP inspection engine, we recommend that you do not allow ICMP through the adaptive security appliance in an ACL. Without stateful inspection, ICMP can be used to attack your network. The ICMP inspection engine ensures that there is only one response for each request, and that the sequence number is correct.

When ICMP inspection is disabled, which is the default configuration, ICMP echo reply messages are denied from a lower security interface to a higher security interface, even if it is in response to an ICMP echo request.

For reference, take a look at the following link:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/i2.html#wp1735986

Hope it answers your question.
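To make the behaviour described in the reply above concrete, here is an added example (not code from the thread or from Cisco) that models what a stateful ICMP inspection engine does for echo traffic crossing the NAT in this thread: it records each outbound echo request, translates the source to the pool address, and admits exactly one matching echo reply back to the real inside host; unsolicited, duplicate or wrong-sequence replies are dropped. The class name, the matching key and the sample packets are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ECHO_REQUEST, ECHO_REPLY = 8, 0

@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    type: int
    ident: int   # ICMP identifier: the "session" for an echo exchange
    seq: int     # sequence number; a reply must carry the request's value

class IcmpInspector:
    """Hypothetical model of stateful ICMP inspection in front of dynamic NAT."""

    def __init__(self, inside_net: str, pool_ip: str):
        self.inside_net = inside_net   # inside prefix, e.g. "192.168.3."
        self.pool_ip = pool_ip         # translated source address from the pool
        self.pending = {}              # (outside dst, ident, seq) -> real inside src

    def outbound(self, pkt: Icmp) -> Optional[Icmp]:
        """Inside -> outside: remember the request, translate the source."""
        if pkt.type != ECHO_REQUEST or not pkt.src.startswith(self.inside_net):
            return None
        self.pending[(pkt.dst, pkt.ident, pkt.seq)] = pkt.src
        return Icmp(self.pool_ip, pkt.dst, pkt.type, pkt.ident, pkt.seq)

    def inbound(self, pkt: Icmp) -> Optional[Icmp]:
        """Outside -> inside: pass one reply per pending request, untranslated
        back to the real host. Without this state the reply is denied at the
        lower-security interface, which is the symptom in this thread."""
        if pkt.type != ECHO_REPLY or pkt.dst != self.pool_ip:
            return None
        real_src = self.pending.pop((pkt.src, pkt.ident, pkt.seq), None)
        if real_src is None:
            return None   # unsolicited, wrong sequence, or a duplicate reply
        return Icmp(pkt.src, real_src, pkt.type, pkt.ident, pkt.seq)

def demo() -> list:
    """Constructed exchange: 192.168.3.10 pings 8.8.8.8 via pool IP 192.168.1.40.
    Returns [translated request, good reply, duplicate reply, wrong-seq reply]."""
    fw = IcmpInspector("192.168.3.", "192.168.1.40")
    out = fw.outbound(Icmp("192.168.3.10", "8.8.8.8", ECHO_REQUEST, 0x1234, 1))
    good = fw.inbound(Icmp("8.8.8.8", "192.168.1.40", ECHO_REPLY, 0x1234, 1))
    dup = fw.inbound(Icmp("8.8.8.8", "192.168.1.40", ECHO_REPLY, 0x1234, 1))
    wrong = fw.inbound(Icmp("8.8.8.8", "192.168.1.40", ECHO_REPLY, 0x1234, 2))
    return [out, good, dup, wrong]
```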

Perfect, thank you.
