09-20-2013 04:07 AM - edited 03-04-2019 09:06 PM
Hello There,
I just configured our new ASA 5515 with IPS software. Configuration is working fine. The only missing thing is that outside IPs (not the outside IP itself) are not pingable any more. Our provider has the following IPs reserved for us:
217.7.X.X 255.255.255.248
80.149.X.X 255.255.255.240
ASA Version 8.6(1)2
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 217.7.X.X 255.255.255.248
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 10.1.X.X 255.255.X.X
!
nat (DMZ1,outside) source static DMZ1_16 EXT_80.149.X.X service tcp_http tcp_http
access-list outside_access_in extended permit tcp any object DMZ1_16 eq www
As said above, everything is running, but how do I set (maybe physically) the remaining public IPs, and how do I make them pingable?
Thanks for guidance
Regards
Jens Holtappels
09-20-2013 11:45 AM
You are only permitting tcp/80 to pass through the ASA. You just need to set up the ASA to permit ICMP to the host you want to respond.
You should probably restrict to the specific ICMP types you want to allow, like echo request only.
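The ICMP restriction described in this reply, written out as an added example that is not part of the original thread or either poster's configuration. The object and interface names are the ones in the posted config; the second NAT line is an assumption about how the public address would be mapped for non-HTTP traffic, since the posted rule only matches the tcp_http service.

```text
! Added example, not from the thread. DMZ1_16, EXT_80.149.X.X and the
! interface name DMZ1 are copied from the posted configuration.

! Too broad: every ICMP type, to every host behind the ASA.
! access-list outside_access_in extended permit icmp any any

! Narrower: echo request only, and only to the one published host.
access-list outside_access_in extended permit icmp any object DMZ1_16 echo

! Assumption: a second static rule without the service keywords, so that
! traffic other than TCP/80 sent to the public address is also translated.
! It is entered after the existing tcp_http rule, which stays in place.
nat (DMZ1,outside) source static DMZ1_16 EXT_80.149.X.X

! Check the rule path on the ASA without sending live traffic.
! 192.0.2.10 is a constructed source address; <public-ip> is a placeholder
! for the mapped address. 8 0 is ICMP type 8 (echo request), code 0.
! packet-tracer input outside icmp 192.0.2.10 8 0 <public-ip>
```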
09-20-2013 01:39 PM
Hi Robert,
Thanks for your reply. One more question about it. The NAT rule is only translating the www traffic. Is it enough to allow ICMP according to that NAT rule, or do I have to do some more configuration? As I understand the books, I need an "any nat" rule, because ICMP traffic cannot be translated.
Regards