
Ping other public IP

Hi

I have an ASA 5510 with public IP 110.x.x.50/29.

ADSL modem is 110.x.x.49

ASA Outside interface is 110.x.x.50

Internal is 10.1.12.x/24

---

110.x.x.51 is mapped to server 10.1.12.1

110.x.x.52 is mapped to server 10.1.12.2

Firewall is working fine, as well as static NAT from the Outside.

My question:

From outside (external) I can ping the Outside interface 110.x.x.50,

but how can I ping the other public IPs (110.x.x.51 and 110.x.x.52) from external?

Currently I'm not able to ping them.

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Purple

In your first post you say that the private IP is mapped, but in your config you only map specific ports to the outside interface. With that, you can't reach the internal server with a ping. You need to also map ICMP the same way as you do for RDP. That is typically done by mapping the whole IP and not just the service.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
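As an added example (mine, not from the thread), here is how the accepted answer applies to the Exchange host in the posted config: the per-service objects for 10.1.20.2 collapse into one whole-IP static on 110.x.x.52, and the outside ACL becomes the only filter in front of the host. The ICMP line permitting only `echo` to the object is my tightening of the `permit icmp any any` used in the thread; `inspect icmp` is already in the posted global_policy, so the replies are tracked statefully.

```text
! --- Before (as posted): ICMP has no translation to 10.1.20.2 ---
! Every object below is the same host, each mapping one TCP service
! to 110.x.x.52. An echo request to 110.x.x.52 matches none of them,
! so it never reaches the server no matter what the outside ACL says.
object network Exch-SMTP
 nat (VLAN20,outside) static 110.x.x.52 service tcp smtp smtp
object network Exch-HTTP
 nat (VLAN20,outside) static 110.x.x.52 service tcp www www
! Exch-POP3, Exch-SMTPS, Exch-SMTP1 and ExchServer follow the same pattern.

! --- After: one whole-IP static for the host ---
! The per-service objects are not referenced by any ACL, so they can go.
no object network Exch-SMTP
no object network Exch-POP3
no object network Exch-SMTPS
no object network Exch-SMTP1
no object network Exch-HTTP
! An object holds a single NAT rule; entering a new one replaces the
! old port-specific rule on ExchServer.
object network ExchServer
 host 10.1.20.2
 nat (VLAN20,outside) static 110.x.x.52

! --- The outside ACL is now the only thing limiting reach to 10.1.20.2 ---
! Insert the ICMP line at the top (without "line 1" a new ACE appends
! after the final deny). Only echo requests are needed inbound; inspect
! icmp in global_policy already matches the echo-replies to them.
access-list outside_access_in line 1 extended permit icmp any object ExchServer echo
! The existing per-service tcp lines for ExchServer and the closing
! "deny ip any any" stay as they are.

! Caveat: 110.x.x.51 is shared by 10.1.12.13 (TerminalServer, rdp) and
! 10.1.12.14 (Portal www, SalesMobile 9090). It cannot be mapped whole to
! one of them while the other still uses ports on it. MgmtSvr on
! 110.x.x.53 is a clean single-host case like the one above.
```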
14 REPLIES
VIP Purple

You have to:

  1. Allow icmp/echo on the outside ACL to your servers.
  2. Configure the ASA to treat ICMP as stateful:

policy-map global_policy
 class inspection_default
  inspect icmp

 



I have applied the above config, but still I can't ping the other public IP.

VIP Green

Do you have an ACL entry on the outside interface permitting ICMP to those specific addresses (or to any for that matter)?

--

Please remember to select a correct answer and rate helpful posts

Hi all,

below is my ASA config.

=========================

ASA Version 9.1(2) 
!
hostname ASHFW01
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 110.x.x.50 255.255.255.248 
!
interface GigabitEthernet0/1
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet0/1.1
 vlan 12
 nameif VLAN12
 security-level 100
 ip address 10.1.12.254 255.255.255.0 
!
interface GigabitEthernet0/1.2
 vlan 20
 nameif VLAN20
 security-level 100
 ip address 10.1.20.254 255.255.255.0 
!
interface GigabitEthernet0/1.3
 vlan 30
 nameif VLAN30
 security-level 100
 ip address 10.1.30.254 255.255.255.0 
!
interface GigabitEthernet0/1.4
 vlan 50
 nameif VLAN50
 security-level 100
 ip address 10.1.50.254 255.255.255.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
ftp mode passive
dns domain-lookup VLAN12
dns domain-lookup VLAN20
dns domain-lookup VLAN30
dns domain-lookup VLAN50
dns server-group DefaultDNS
 name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network TerminalServer
 host 10.1.12.13
object service smtp
 service tcp source eq smtp destination eq smtp 
object service smtps
 service tcp source eq 587 destination eq 587 
object network Exch-SMTP
 host 10.1.20.2
object network Exch-POP3
 host 10.1.20.2
object network Exch-SMTPS
 host 10.1.20.2
object network ExchServer
 host 10.1.20.2
object network MgmtSvr
 host 10.1.12.30
object network Exch-SMTP1
 host 10.1.20.2
object network Exch-HTTP
 host 10.1.20.2
object network Portal
 host 10.1.12.14
 description Portal
object service Portal80
 service tcp source eq www destination eq www 
 description Portal80
object network SalesMobile
 host 10.1.12.14
 description SalesMobile
object service SalesMobile9090
 service tcp source eq 9090 destination eq 9090 
 description SalesMobile9090
object-group service rdp tcp
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit tcp any object MgmtSvr object-group rdp 
access-list outside_access_in extended permit tcp any object TerminalServer object-group rdp 
access-list outside_access_in extended permit tcp any object ExchServer object-group rdp 
access-list outside_access_in extended permit tcp any object ExchServer eq www 
access-list outside_access_in extended permit tcp any object ExchServer eq https 
access-list outside_access_in extended permit tcp any object ExchServer eq smtp 
access-list outside_access_in extended permit tcp any object ExchServer eq 587 
access-list outside_access_in extended permit tcp any object ExchServer eq pop3 
access-list outside_access_in extended permit tcp any object Portal eq www 
access-list outside_access_in extended permit tcp any object SalesMobile eq 9090 
access-list outside_access_in extended deny ip any any 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu VLAN12 1500
mtu VLAN20 1500
mtu VLAN30 1500
mtu VLAN50 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any VLAN12
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network TerminalServer
 nat (VLAN12,outside) static 110.x.x.51 service tcp 3389 3389 
object network Exch-SMTP
 nat (VLAN20,outside) static 110.x.x.52 service tcp smtp smtp 
object network Exch-POP3
 nat (VLAN20,outside) static 110.x.x.52 service tcp https https 
object network Exch-SMTPS
 nat (VLAN20,outside) static 110.x.x.52 service tcp 587 587 
object network ExchServer
 nat (VLAN20,outside) static 110.x.x.52 service tcp 3389 3389 
object network MgmtSvr
 nat (VLAN12,outside) static 110.x.x.53 service tcp 3389 3389 
object network Exch-SMTP1
 nat (VLAN20,outside) static 110.x.x.52 service tcp pop3 pop3 
object network Exch-HTTP
 nat (VLAN20,outside) static 110.x.x.52 service tcp www www 
object network Portal
 nat (VLAN12,outside) static 110.x.x.51 service tcp www www 
object network SalesMobile
 nat (VLAN12,outside) static 110.x.x.51 service tcp 9090 9090 
!
nat (any,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 110.x.x.49 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable 4348
http 192.168.1.0 255.255.255.0 management
http 10.1.12.0 255.255.255.0 VLAN12
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 0.0.0.0 0.0.0.0 VLAN12
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username necare password BkPn6VQ0VwTy7MY7 encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:4551a847aa860ec2126b9ed1ea6c641f
: end

 

VIP Green

Please add the following entry to the top of your outside_access_in ACL and then test.

access-list outside_access_in extended permit icmp any any


Hi all, I have already applied the above config but am still unable to ping the other public IP.

Is it possible to ping it at all?

===============

access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit tcp any object MgmtSvr object-group rdp 
access-list outside_access_in extended permit tcp any object TerminalServer object-group rdp 
access-list outside_access_in extended permit tcp any object ExchServer object-group rdp 
access-list outside_access_in extended permit tcp any object ExchServer eq www 
access-list outside_access_in extended permit tcp any object ExchServer eq https 
access-list outside_access_in extended permit tcp any object ExchServer eq smtp 
access-list outside_access_in extended permit tcp any object ExchServer eq 587 
access-list outside_access_in extended permit tcp any object ExchServer eq pop3 
access-list outside_access_in extended permit tcp any object Portal eq www 
access-list outside_access_in extended permit tcp any object SalesMobile eq 9090 
access-list outside_access_in extended deny ip any any 

 

VIP Green

Have you followed Karsten's suggestion by turning off the windows firewall or any other software firewall installed on the servers/PCs when testing?


Yes, the firewall on my PC itself is disabled.

No other software firewall is installed.

 

VIP Green

Not your PC; the firewall on the PC you are trying to ping needs to be either turned off or configured to allow ICMP.


Hi,

You mean the servers below? The firewall on those servers is turned off.

But I just need to ping the public IP?

=====================

object network TerminalServer
 host 10.1.12.13
object network ExchServer
 host 10.1.20.2
object network MgmtSvr
 host 10.1.12.30

=======================

object network TerminalServer
 nat (VLAN12,outside) static 110.x.x.51 service tcp 3389 3389 
object network ExchServer
 nat (VLAN20,outside) static 110.x.x.52 service tcp 3389 3389 
object network MgmtSvr
 nat (VLAN12,outside) static 110.x.x.53 service tcp 3389 3389 

=======================

VIP Green

when you ping 110.x.x.51 (for example) do you see any drop logs in the realtime event viewer on the ASA?

If you do not see any drop logs, could you set up a packet capture for one of the servers on the ASA, perhaps this will tell us what is happening.

access-list CAPIN permit icmp any host 10.1.12.13 echo
access-list CAPIN permit icmp host 10.1.12.13 any echo-reply

access-list CAPOUT permit icmp any host 110.x.x.51 echo
access-list CAPOUT permit icmp host 110.x.x.51 any echo-reply

capture INSIDE_CAP interface VLAN12 access-list CAPIN

capture OUTSIDE_CAP interface outside access-list CAPOUT

show capture INSIDE_CAP

show capture OUTSIDE_CAP


Ok, thank you. Problem resolved. Map the whole IP. That's it.

VIP Purple

Please show your actual ASA config. And double-check that you don't block pings on the internal host with a host firewall.