New Member

ICMP not working through NAT

Hello,

I have completed a NAT setup on ASA 8.4 so that computers behind an internal interface get their IP translated to the outside interface IP range.

It worked OK, as I can browse fine from the internal computer; however, ICMP pings are not getting back and are timing out.

Any reason why this would happen? Here is my config in brief:

 

object network inside
 subnet 192.168.3.0 255.255.255.0
object network outside-pool
 range 192.168.1.40 192.168.1.80
object network inside
 nat dynamic outside-pool

 

Thank You.

 

1 ACCEPTED SOLUTION

New Member
Hello,

 

From your problem description, I think the issue might be related to a missing inspection (icmp).

If possible you can add:

fixup protocol icmp

 

Then try again to ping something on the Internet, for example 4.2.2.2 or 8.8.8.8.

Please remember to rate and select the correct answer.

4 REPLIES

New Member

Excellent. Why is this not recognized as part of the originating traffic (the same as it does for HTTP traffic)?

New Member

Hi,

The ICMP inspection engine allows ICMP traffic to be inspected like TCP and UDP traffic. Without the ICMP inspection engine, we recommend that you do not allow ICMP through the adaptive security appliance in an ACL. Without stateful inspection, ICMP can be used to attack your network. The ICMP inspection engine ensures that there is only one response for each request, and that the sequence number is correct.

When ICMP inspection is disabled, which is the default configuration, ICMP echo reply messages are denied from a lower security interface to a higher security interface, even if it is in response to an ICMP echo request.

For reference, take a look at the following link:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/i2.html#wp1735986

 

Hope it answers your question.
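A worked configuration for the behaviour described above, added here as an editor's example and not part of the original thread or of Cisco's documentation: the stateless workaround of permitting ICMP replies inbound through an ACL (the approach the text above warns against) beside the stateful fix of enabling ICMP inspection in the default global policy, followed by the commands to verify it. The 192.168.3.0/24 subnet and the 192.168.1.40-80 pool come from the question; the ACL name outside_access_in, the interface name outside and the inside host 192.168.3.10 are assumptions. The accepted answer's fixup protocol icmp is the legacy form of the same setting; in Modular Policy Framework syntax it is the inspect icmp line under the default class of global_policy.

```text
! Weak, stateless workaround (NOT recommended): any echo-reply, time-exceeded or
! unreachable arriving on outside is let in whether or not an inside host asked
! for it. It "works" only because the dynamic xlate for the request still exists,
! and nothing matches a reply to a request or checks its sequence number.
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-group outside_access_in in interface outside

! Stateful fix: inspect ICMP in the default global policy. The echo request from
! 192.168.3.x creates a connection entry, the reply to the pool address is matched
! against it (one reply per request, sequence number checked), untranslated and
! forwarded back to the inside host; unmatched replies are dropped. The ACL lines
! above are then unnecessary and should be removed.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
! The global policy is applied by default; reapply it only if it was removed.
service-policy global_policy global

! Verification, run while an inside host (assumed 192.168.3.10) pings 8.8.8.8:
! counters under "inspect icmp" should increment
show service-policy inspect icmp
! 192.168.3.10 should be mapped to an address in 192.168.1.40-80
show xlate
! an ICMP connection between the inside host and 8.8.8.8 should be listed while the ping is in flight
show conn
! walks an echo request (type 8, code 0) through NAT and the INSPECT phase; the final result should be "allow"
packet-tracer input inside icmp 192.168.3.10 8 0 8.8.8.8
```

If packet-tracer allows the request but replies still time out, the reply is being dropped on the way back for a different reason, and the drop reason in show logging (or a packet-tracer run for the reply, type 0 code 0, entering on outside toward the mapped pool address) is the next thing to check.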

New Member

Perfect, thank you.
