Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
820
Views
0
Helpful
7
Replies

Ping and NAT

thundercisco
Level 1
Level 1

‎11-22-2010 05:26 AM - edited ‎03-11-2019 12:12 PM

Hi Folks,

I am having issue with pinging from one server on inside (Security level 100) to other subinterface (Security level 60). Server which is pinging is 10.74.20.56 and it is pinging to destination 10.128.4.33. and this 10.128.4.33 is natted to 192.168.14.131 (Destination NATing).

I have allowed icmp(1), snmp,snmp-trap,syslog towards 10.74.20.56.

Here is some of the config:

object-group service SOLARWINDS_ACCESS
description ech
service-object icmp
service-object udp eq snmp
service-object udp eq snmptrap
service-object udp eq syslog

access-list Inside_access_in remark ***Allow All Traffic from Inside ***
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in remark *** TEST ACE ***
access-list Inside_access_in extended deny ip any any
access-list TUNN_INT_access_in remark *** Allow access to Solarwinds ***
access-list TUNN_INT_access_in extended permit object-group SOLARWINDS_ACCESS 10.128.3.0 255.255.255.0 host SOLARWINDS
access-list TUNN_INT_access_in remark *** Allow all traffic***
access-list TUNN_INT_access_in extended permit ip any host SOLARWINDS
access-list UPS_INT_access_in remark *** Allow PING to Solarwinds  ****
access-list UPS_INT_access_in extended permit icmp 192.168.14.0 255.255.255.0 host SOLARWINDS object-group ICMP-TRAFF
access-list UPS_INT_access_in remark *** Allow All Traffic ***
access-list UPS_INT_access_in extended permit object-group SOLARWINDS_ACCESS 192.168.14.0 255.255.255.0 host SOLARWINDS
access-list MGT_iDIRECT_access_in remark *** Allow  access to Solarwinds ***
access-list MGT_iDIRECT_access_in extended permit object-group SOLARWINDS_ACCESS 10.128.4.0 255.255.255.0 host SOLARWINDS
access-list MGT_iDIRECT_access_in remark *** Allow all access to Solarwinds ***
access-list MGT_iDIRECT_access_in extended permit ip 10.128.4.0 255.255.255.0 host SOLARWINDS inactive
access-list MGT_iDIRECT_access_in remark *** Deny access to all unknown traffic ***
access-list MGT_iDIRECT_access_in extended permit ip any any
access-list PERMIT_ICMP extended permit icmp any object-group NMS-SRV object-group ICMP-TRAFF log
access-list Solarwinds_NMS1 extended permit ip host NMS1 host SOLARWINDS
access-list Solarwinds_NMS2 extended permit ip host NMS2 host SOLARWINDS
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
no asdm history enable
static (UPS_INT,Inside) 10.128.4.34  access-list Solarwinds_NMS2
static (UPS_INT,Inside) 10.128.4.33  access-list Solarwinds_NMS1
access-group MGT_iDIRECT_access_in in interface MGT_iDIRECT
access-group UPS_INT_access_in in interface UPS_INT
access-group TUNN_INT_access_in in interface TUNN_INT
access-group Inside_access_in in interface Inside

As far as documentation, i should be able to ping it as i am pining from higer to lower level and return traffic is allowed

Please suggest


Labels:
0 Helpful
7 Replies 7

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎11-22-2010 07:31 AM

Hi,

When traffic comes from a higher security interface to a lower security interface, the replies are allowed for TCP/UDP traffic.

In case of ICMP, it has to be either allowed by an ACL or inspected.

Check to make sure that the ACL applied to the lower security interface permits the ICMP echo-replies or that ICMP is being inspected by the service-policy to allow the return packets back.

Federico.

0 Helpful

thundercisco
Level 1
Level 1
In response to Federico Coto Fajardo

‎11-24-2010 12:01 AM

Hi,

Thnx for response, but problem is that when state inpection is enable it will add original address in statetable and return traffic will not match this state entry and will be denied. e.g

lets say ping source is 10.47.20.56 and destination is 10.128.4.33 and when packet hit interface , entry will be made to state table. and then destination address will be natted to 192.168.14.131, because i am having destination nat enable,. When packet returns back then source will be 192.168.14.131 and destination will be 10.47.20.56 and when this entry will not match to state entry it will be denied

Please suggest

0 Helpful

cadet alain
VIP Alumni
VIP Alumni
In response to thundercisco

‎11-24-2010 02:58 AM

Hi,

do some nat exemption for echo-replies to your server.

Regards.

Don't forget to rate helpful posts.
0 Helpful

thundercisco
Level 1
Level 1
In response to cadet alain

‎11-24-2010 03:30 AM

Hi,

Please elaborate.

0 Helpful

cadet alain
VIP Alumni
VIP Alumni
In response to thundercisco

‎11-24-2010 06:44 AM

Example:

nat (inside) 0 access-list no_nat : nat 0 is nat exemption and the ACL tells
 which traffic to exempt from nat.
Don't forget to rate helpful posts.
0 Helpful

thundercisco
Level 1
Level 1
In response to cadet alain

‎11-24-2010 06:49 AM

But lets say if issue nat (0) for traffic coming from inside then i

will no be able to rach my servers, as servers real ip address is 192.168.14.131 and this address not reachable from inside.

So i will have to NAT this is the reason i did destination nat. Source 10.47.20.56 dest 10.128.4.33 and when packet arrives this way then destination will be NATed to 192.168.14.131. It will reach the destination i could see it capture, but on the way back they are dropped. I

0 Helpful

thundercisco
Level 1
Level 1
In response to thundercisco

‎11-26-2010 10:41 AM

Problem is fixed, i found that packet coming back was  coming on different interface than orignating. so ifixed routing and problem solved

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card