
(natting) can not ping/access outside ip from inside ip

I'm using Firewall Service module for Catalyst 6509.

I have a problem pinging and accessing an outside IP from an inside IP.

For example, my PC's IP is 10.1.1.5 and I cannot ping the outside IP 115.x.x.5.

My PC also has a web server. I can't access it using the public IP. When I open http://115.x.x.5 in my IE, the error is "page cannot be displayed".

Below is the config:

static (inside,outside) 110.x.x.5 10.1.1.5 netmask 255.255.255.255

FWSM Firewall Version 3.2(2) <system>

Device Manager Version 5.2(1)F

Please help. Thank you.

4 REPLIES

Re: (natting) can not ping/access outside ip from inside ip

I'm not familiar with FWSM, but I know ASAs well.

Looking at your static NAT translation, it shows you are trying to NAT 110.x.x.5 to 10.1.1.5. In your post above, you mention 115.x.x.5. Is this a typo, or maybe that's your problem?

Also, you will need to set up the inbound access list for the outside interface to allow access to port 80 and any other services (ICMP, etc.) on the external IP in order for the traffic to get through.


Re: (natting) can not ping/access outside ip from inside ip

Hi James,

It's not a typo. Actually I'm hosting a web page on that IP. I want to access the web using the public IP 115.x.x.5 to test viewing my webpage.

Currently the rule is set to any - any for all interfaces.

Thanks

Re: (natting) can not ping/access outside ip from inside ip

Hi Nizammuddin,

The behavior you are experiencing in both situations is actually by design.

A host behind the firewall can only ping the interface to which it is attached (as long as the proper access rules are configured). The host cannot ping an interface on the far side of the firewall.

From the documentation:

"You can ping only the closest interface. Pinging the far interface is not supported."

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/troubl_f.html#wp1061698

As for your HTTP access problem, hosts on the inside of the firewall need to access the web server by its private IP (10.1.1.5). Only hosts on the Outside interface will be able to access the web server at 110.x.x.5.

Hope that helps.

-Mike

Re: (natting) can not ping/access outside ip from inside ip

This should allow you to ping.

!
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit icmp any any echo
!
access-group 100 in interface outside
!
copy run start
!
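
Added example, not part of any reply in this thread: a small Python audit of the ICMP entries posted in the last reply. It separates entries that only admit responses to traffic an inside host already sent (echo-reply, time-exceeded, unreachable) from the `echo` entry, which admits unsolicited pings from any outside source to any destination. The function names and the "info"/"review" labels are assumptions of this example.

```python
import re

# Reply/error ICMP types: they answer traffic an inside host already sent.
RESPONSE_TYPES = {"echo-reply", "time-exceeded", "unreachable"}

# ACL and interface binding copied from the last reply in this thread.
SAMPLE = """\
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit icmp any any echo
access-group 100 in interface outside
"""

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A' or 'A MASK'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return tokens[0] + "/" + tokens[1], tokens[2:]

def parse_icmp_ace(line):
    """Parse 'access-list N extended permit|deny icmp SRC DST [TYPE]'."""
    m = re.match(r"\s*access-list\s+(\S+)\s+extended\s+(permit|deny)\s+icmp\s+(.*)", line)
    if not m:
        return None
    try:
        src, rest = _take_addr(m.group(3).split())
        dst, rest = _take_addr(rest)
    except IndexError:  # truncated entry: not enough address tokens
        return None
    return {"acl": m.group(1), "action": m.group(2), "src": src,
            "dst": dst, "type": rest[0] if rest else "all"}

def audit(config, iface="outside"):
    """Return (severity, icmp_type) for any-to-any ICMP permits bound inbound on iface."""
    pattern = r"^\s*access-group\s+(\S+)\s+in\s+interface\s+" + re.escape(iface) + r"\s*$"
    bound = set(re.findall(pattern, config, re.M))
    findings = []
    for line in config.splitlines():
        ace = parse_icmp_ace(line)
        if not ace or ace["acl"] not in bound or ace["action"] != "permit":
            continue
        if ace["src"] == "any" and ace["dst"] == "any":
            # Request types (echo, or no type given = all ICMP) are unsolicited.
            sev = "info" if ace["type"] in RESPONSE_TYPES else "review"
            findings.append((sev, ace["type"]))
    return findings
```

Calling `audit(SAMPLE)` marks the three response-type entries as "info" and the `echo` entry as "review"; narrowing that entry's destination to the published host (a `host` address in place of the second `any`) removes the finding.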
