New Member

Unable to ping NAT-ed IP address.

Hi, I have the following setup on an ASA 5520:

Internal LAN (1.1.1.1) on g0/1

DMZ LAN (2.2.2.2) on g0/2

Outside interface (3.3.3.3) on g0/0

Static NAT map 2.2.2.2 to 192.168.1.1, on server running web services

From internal LAN I can access Internet, from internal LAN I can ping server on DMZ using internal IP address of 2.2.2.2

From Internet I can access web services on 192.168.1.1

From DMZ I can access the Internet.

Set up an ACL to allow traffic from DMZ to reach server at internal LAN (works ok).

Problem: From internal LAN, I cannot communicate to web server if I am using NAT-ed ip address of 192.168.1.1.

From internal LAN's ip of 1.1.1.2 I cannot ping to 192.168.1.1

From internal LAN's ip of 1.1.1.2 I can ping to 2.2.2.2

What am I missing? Thank you all in advance.

3 REPLIES
New Member

Re: Unable to ping NAT-ed IP address.

From the internal LAN you can't use the public IP.

New Member

Re: Unable to ping NAT-ed IP address.

Sorry bro, it will never work that way.

You are not allowed to access from Internal to the DMZ servers via the NATed addresses.

ASA will just drop the packet after looking at the destination IP in the header because it didn't expect it to be coming from internal LAN.

Which is why when you are internal, you must use the internal IP 2.2.2.2 instead.

New Member

Re: Unable to ping NAT-ed IP address.

Thank you all for the responses. Appreciated.
