01-12-2012 07:48 PM - edited 03-11-2019 03:13 PM
Hi all :
Just a general and practical question to ask.
If I use static NAT to map a real IP in the DMZ to a mapped IP on the outside network, can the mapped IP be pinged from the DMZ?
Assume that the hosts at dmz and outside can access each other by the rule of permit all, then :
For example :
1. I use command :
static (dmz,outside) 192.168.20.101 192.168.50.101 netmask 255.255.255.255
where 192.168.20.101 is the mapped IP on the outside for 192.168.50.101 in the dmz, is 192.168.20.101 pingable?
2. If the answer to question 1 is that it cannot be pinged, then how can I verify that the mapped IP address 192.168.20.101 on the outside network is working?
Thanks in advance for your answer.
best regards,
tangsuan
01-12-2012 07:53 PM
Hello Tang,
Yes, it can be pingable, the asa will proxy-arp that mapped ip address.
Regards,
Julio
01-12-2012 11:24 PM
Hi Jcarvaja :
Thanks for your reply!
I have tried the following: I have a host in the DMZ with its IP set to 192.168.50.101, statically NATed to 192.168.20.101 on the outside.
This host's physical IP is 192.168.50.101 in the DMZ zone. I tried to ping it at 192.168.50.101 from a different host in the outside zone, and it was not successful. The same applies when I ping the outside host from this host in the DMZ: it is not successful either. However, when I use the outside host to ping the mapped address 192.168.20.101, it is OK.
Below is the extract from the ASA command line :
ciscoasa(config)# sh nat
NAT policies on Interface dmz:
match ip dmz host DRMServer outside any
static translation to MapAddDMZtoOutside
translate_hits = 5, untranslate_hits = 8
where MapAddDMZtoOutside is 192.168.20.101. Whenever the ping is OK, translate_hits increases, and when it is not OK, untranslate_hits increases.
May I know whether there is any command or rule I can enable so that the static NAT mapped address 192.168.20.101 can be pinged from the DMZ and not only from the outside network?
Now, this host in DMZ can only ping at outside with the mapped address. Is it the only way, and should it be like that?
With other IP addresses in the DMZ and Outside networks, they are able to ping each other in both directions.
Thanks in advance for your answer!
regards,
tangsuan
01-13-2012 12:01 AM
Hi Jcarvaja and all :
Sorry, I have to amend point #1 below:
1. This host at DMZ can ping the host at Outside. This is different from what I said in the reply above.
2. The reverse, from the Outside host, cannot ping this host at DMZ at 192.168.50.101. This is the same as what I said above.
3. On the outside network, the mapped address 192.168.20.101 (not the physical address 192.168.50.101) can be pinged by the Outside host.
Thanks. Is that how it should be, and is there any way to make the physical address pingable?
thanks and best regards,
tangsuan
01-13-2012 11:06 AM
Hello Tang-suan.
1- It will not be possible to ping the private IP address from the outside; you will only be able to hit the mapped address.
2- To make it pingable from the dmz:
static (dmz,dmz) 192.168.20.101 192.168.50.101 netmask 255.255.255.255
same-security-traffic permit intra-interface
global (dmz) 1 interface
Let me know.
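Why the (dmz,outside) static alone does not answer on the dmz side, as an added example that is not code from this thread or from Cisco. It is a simplified model, assumed here, in which a static rule's mapped address is matched only on its mapped interface, and `hairpin_allowed` stands in for `same-security-traffic permit intra-interface`; the class and function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticNat:
    """One 'static (real_if,mapped_if) mapped_ip real_ip' rule (model only)."""
    real_if: str    # interface where the real host lives
    mapped_if: str  # interface on which the mapped address is presented
    mapped_ip: str
    real_ip: str


def untranslate(rules, ingress_if, dst_ip, hairpin_allowed=False):
    """Return (egress_if, real_ip) if the destination is untranslated, else None.

    Simplification: the mapped address exists only on the rule's mapped
    interface, so only packets arriving there are untranslated.
    """
    for rule in rules:
        if rule.mapped_if == ingress_if and rule.mapped_ip == dst_ip:
            # Traffic that would leave by the interface it entered on
            # (a hairpin) needs intra-interface traffic to be permitted.
            if rule.real_if == ingress_if and not hairpin_allowed:
                return None
            return (rule.real_if, rule.real_ip)
    return None


# Constructed rule sets using the addresses from the thread.
ORIGINAL = [StaticNat("dmz", "outside", "192.168.20.101", "192.168.50.101")]
WITH_DMZ_STATIC = ORIGINAL + [
    StaticNat("dmz", "dmz", "192.168.20.101", "192.168.50.101"),
]

if __name__ == "__main__":
    cases = [
        ("outside host -> mapped IP", ORIGINAL, "outside", False),
        ("dmz host -> mapped IP, original rule", ORIGINAL, "dmz", False),
        ("dmz host -> mapped IP, dmz static, no hairpin",
         WITH_DMZ_STATIC, "dmz", False),
        ("dmz host -> mapped IP, dmz static + hairpin",
         WITH_DMZ_STATIC, "dmz", True),
    ]
    for label, rules, ingress, hairpin in cases:
        result = untranslate(rules, ingress, "192.168.20.101", hairpin)
        print(f"{label}: {result}")
```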
01-15-2012 08:16 PM
Hi Jcarvaja :
Yes, thanks. When I enter the
static (dmz,dmz) 192.168.20.101 192.168.50.101 netmask 255.255.255.255
then this 192.168.20.101 can also be pinged in the dmz. Actually, I don't need the
global (dmz) 1 interface
and it is also fine.
Does this have any meaning?
I have a problem with dynamic mapping and I will open another discussion for it; this question will be closed here as you have already provided the correct answer.
Many thanks!
01-15-2012 10:56 PM
Glad to know that I could help,
If I see the other request I will be more than glad to help.
Regards,
Julio