ICMP with NAT

phusion2k
Level 1

I am new to using ASA firewalls, so this might be considered a basic question: how can I configure the firewall to permit/allow pinging the different public IP addresses? I already have it set so I can ping the WAN interface on the ASA and it replies, but not the other public IP address.

The firewall is a 5505 running 9.1(2) with a base license. I've read that there have been changes to how NAT works after 8.3. Here is what I currently have.

* WAN IP addresses are not the real ones being used

WAN IP for firewall: 100.125.150.218

LAN IP for firewall: 192.168.1.1

WAN IP for server: 100.125.150.161

LAN IP for server: 192.168.1.21

----------

asa# sh config
: Saved
: Written by enable_15 at 15:35:55.329 CDT Wed Jul 24 2013
!
ASA Version 9.1(2)
!
hostname asa
domain-name test.com
enable password ******** encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd ******** encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description LAN interface
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 description WAN interface
 nameif outside
 security-level 0
 ip address 100.125.150.218 255.255.255.252
!
boot system disk0:/asa912-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name test.com
object network server
 host 192.168.1.21
object network server-SPAT
 host 192.168.1.21
object-group network obj_any
access-list INTERNET_TO_INSIDE extended permit tcp any4 object server eq 3389
access-list INTERNET_TO_INSIDE extended permit icmp any4 object server echo
access-list INTERNET_TO_INSIDE extended permit icmp any4 any4 echo
access-list INSIDE_TO_INTERNET extended permit ip any4 any4
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network server
 nat (inside,outside) dynamic 100.125.150.161
object network server-SPAT
 nat (inside,outside) static 100.125.150.161 service tcp 3389 3389
!
nat (inside,outside) after-auto source dynamic any interface
access-group INTERNET_TO_INSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 100.125.150.217 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class class-default
  set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
password encryption aes
Cryptochecksum:51694d9dd562042b39b272c2eba831d3

----------

Any help would be appreciated.

1 Accepted Solution

Jouni Forss
VIP Alumni

Hi,

You have the following NAT configurations in addition to the Dynamic PAT for all LAN users

object network server
  host 192.168.1.21
  nat (inside,outside) dynamic 100.125.150.161
object network server-SPAT
  host 192.168.1.21
  nat (inside,outside) static 100.125.150.161 service tcp 3389 3389

I would suggest that you remove both of these.

The first NAT configuration is a Dynamic PAT. So it only enables initiating connections from the LAN to the WAN.

The second NAT configuration is a Static PAT that only forwards a single port, using the same public IP address as the first one.

If you actually have spare public IP addresses to dedicate for your server then your NAT configuration should be a single Static NAT for this server.

object network SERVER
  host 192.168.1.21
  nat (inside,outside) static 100.125.150.161

And then allow the services from the WAN that you require. For example ICMP and TCP/3389 using the above "object network" name as the destination.

- Jouni

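As an added illustration (not part of the thread, and a simplified model rather than ASA code), the sketch below walks through the post-8.3 order of operations Jouni's answer relies on: an inbound packet is first untranslated against the NAT rules, and only then is the outside ACL checked, against the real address. The class and function names are my own; the NAT rules and ACL entries are lifted from the two configurations above.

```python
"""Model of ASA (post-8.3) inbound NAT + ACL evaluation. Constructed example."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class NatRule:
    kind: str                       # "static", "static-pat" or "dynamic"
    real_ip: str                    # host in the 'object network'
    mapped_ip: str                  # public IP the host appears as
    proto: Optional[str] = None     # static-pat only
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None

def inbound_untranslate(rules, dst_ip, proto, dport=None):
    """Return the real IP an outside-initiated packet to dst_ip maps to, or None.
    Dynamic NAT/PAT only builds xlates for inside-initiated flows, so it never
    matches a new inbound packet; static PAT matches only its own proto/port;
    plain static NAT is bidirectional for every protocol (ICMP included)."""
    for r in rules:
        if r.mapped_ip != dst_ip or r.kind == "dynamic":
            continue
        if r.kind == "static":
            return r.real_ip
        if r.kind == "static-pat" and r.proto == proto and r.mapped_port == dport:
            return r.real_ip
    return None

def permitted(rules, acl, dst_ip, proto, dport=None):
    """Untranslate first, then match the outside ACL against the REAL address,
    which is why the ACL names 'object server' (192.168.1.21) as destination."""
    real = inbound_untranslate(rules, dst_ip, proto, dport)
    if real is None:
        return False            # no translation: the ASA drops the packet here
    return any(a_proto == proto and a_dst in (real, "any4") and a_port in (None, dport)
               for a_proto, a_dst, a_port in acl)

# Constructed from the poster's 'sh config': dynamic NAT plus static PAT on .161
ORIGINAL = [NatRule("dynamic", "192.168.1.21", "100.125.150.161"),
            NatRule("static-pat", "192.168.1.21", "100.125.150.161", "tcp", 3389, 3389)]
# Jouni's replacement: one static NAT for the server
FIXED = [NatRule("static", "192.168.1.21", "100.125.150.161")]
# INTERNET_TO_INSIDE as (proto, destination, port); ICMP echo carries no port
ACL = [("tcp", "192.168.1.21", 3389), ("icmp", "192.168.1.21", None), ("icmp", "any4", None)]

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, "icmp ->", permitted(rules, ACL, "100.125.150.161", "icmp"),
              "| tcp/3389 ->", permitted(rules, ACL, "100.125.150.161", "tcp", 3389))
```

With the original rules, the ping is dropped before the ACL is even consulted; with the single static NAT, both the echo request and TCP/3389 reach the ACL and match.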

2 Replies


That worked! Thanks for your help regarding this. I also appreciate you explaining about the NAT statements I had with one being for dynamic PAT and the other for static PAT.

Thanks again.
