Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
988
Views
0
Helpful
6
Replies

Is a Static Mapped IP address can be Ping

Go to solution
Tang-Suan Tan
Level 1
Level 1

‎01-12-2012 07:48 PM - edited ‎03-11-2019 03:13 PM

Hi all :

Just a general and paratical question to ask.

If I use static nat a real IP from DMZ to a mapped IP at Outside network, can the mapped IP be ping from the DMZ?

Assume that the hosts at dmz and outside can access each other by the rule of permit all, then :

For example :

1. I use command :

static (dmz,outside) 192.168.20.101 192.168.50.101 netmask 255.255.255.255

whereby 192.168.20.101 is the mapped IP at the outside from the IP of 192.168.50.101 from dmz, can this 192.168.20.101 be pingable?

2.If the answer of question 1 above cannot be ping, then how to verify the mapped IP address at the outside newtork of 192.168.20.101 is working?

Thanks advance for your answer.

best regards,

tangsuan

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Tang-Suan Tan

‎01-13-2012 11:06 AM

Hello Tang-suan.

1- It will not be possible to ping the private ip address from the outside, you will be able to hit just the mapped address.

2- to make it pingable from the dmz :

static (dmz,dmz) 192.168.20.101 192.168.50.101 netmask 255.255.255.255

same-security permit intra-interface

global (dmz) 1 interface

Let me know.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎01-12-2012 07:53 PM

Hello Tang,

Yes, it can be pingable, the asa will proxy-arp that mapped ip address.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
Tang-Suan Tan
Level 1
Level 1
In response to Julio Carvajal

‎01-12-2012 11:24 PM

Hi Jcarvaja :

Thanks for your reply!

I have tried below situation that I have a host in DMZ and set its IP to 192.168.50.101 and after static NAT map to 192.168.20.101 to outside.

This host with physical IP is 192.168.50.101 at DMZ zone and I tried to ping this host from a different host at outside zone to this 192.168.50.101 and it is not successful. Same apply when I ping the outside host from this host at DMZ and it is not successful too. However, when I use the outside host to ping the mapped address 192.168.20.101, it is OK.

Below is the extract from the ASA command line :

ciscoasa(config)# sh nat

NAT policies on Interface dmz:
    match ip dmz host DRMServer outside any
    static translation to MapAddDMZtoOutside
    translate_hits = 5, untranslate_hits = 8

whereby MapAddDMZtoOutside is 192.168.20.101 and whenever the ping is ok, the translate_hits will increase and when not ok, the untranslate_hits will increase.

May I know is it possible that to activate any command or rule so that the IP for static NAT mapped address 192.168.20.101 can be ping from DMZ and not only at outside network?

Now, this host in DMZ can only ping at outside with the mapped address. Is it only way and it shoudl be like that?

With other IP address in DMZ and Outside network, they are able to ping each other in both directions.

Thanks advance for your answer!

regards,

tangsuan

0 Helpful

Go to solution
Tang-Suan Tan
Level 1
Level 1
In response to Tang-Suan Tan

‎01-13-2012 12:01 AM

Hi Jcarvaja and all :

Sorry that I have to amend that in point #1 below:

1. This host at DMZ can ping host at Outside. This is different from what I said above reply.

2. The reverse that from Outside host cannot ping to this host at DMZ with 192.168.50.101. This is same as what I said above.

3. At the outside network, the mapped address (not the physical address 192.168.50.101), the mapped address 192.168.20.101 can be ping by Outside host.

Thanks and is it the case should be like that and any way that can make the physical address can make pingable?

thanks and best regarrds,

tangsuan

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Tang-Suan Tan

‎01-13-2012 11:06 AM

Hello Tang-suan.

1- It will not be possible to ping the private ip address from the outside, you will be able to hit just the mapped address.

2- to make it pingable from the dmz :

static (dmz,dmz) 192.168.20.101 192.168.50.101 netmask 255.255.255.255

same-security permit intra-interface

global (dmz) 1 interface

Let me know.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
Tang-Suan Tan
Level 1
Level 1
In response to Julio Carvajal

‎01-15-2012 08:16 PM

Hi Jcarvaja :

Yes..thanks when i enter the

static (dmz,dmz) 192.168.20.101 192.168.50.101 netmask 255.255.255.255

then this 192.168.20.101 can be ping also in dmz. Actually I don't need the

global (dmz)1 interface

also fine.

Is it any meaning on this?

I have some problem in Dynamic mapping and I will open another discussion forum for and this question will be closed here as you already provided the correct answer.

Many thanks!

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Tang-Suan Tan

‎01-15-2012 10:56 PM

Glad to know that I could help,

If I see the other request I will be more than glad to help.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card