topic Hi Karsten in Network Security

Ping issue with NAT

tonysebastian — Tue, 12 Mar 2019 09:40:23 GMT

Dear All

In order to meet our requirements we have to configure PAT on 1 external IP addresses to two internal IP in DMZ on different TCP ports. This NAT is configured on ASA 9.1 version.

As expected all the applications are working through natting, but we are not able to ping to Mapped IP(external IP) from outside zone . So any one help me to identify is it the default behavior of ASA.

Earlier we had configured static NAT on single external IP to single internal IP without PAT in that case we used to receive ICMP reply

Regards

Tony

For this requirement, you

Karsten Iwen — Sat, 08 Jul 2017 19:12:10 GMT

For this requirement, you need a 1:1 mapping as you had before. You can't achieve this with pure port-forwarding on the ASA.

Hi Karsten

tonysebastian — Sun, 09 Jul 2017 05:34:02 GMT

Hi Karsten

Thanks for your reply.

could you please provide any supporting documents for your comments.

Regards

Tony

It's basic to how port

Marvin Rhoads — Sun, 09 Jul 2017 06:26:43 GMT

It's basic to how port forwarding and "ping" works. An incoming icmp echo request (or "ping") is neither tcp nor udp - it is icmp. As such it is not covered by your specific port forwarding NAT rule. It will either hit a more general dynamic NAT (PAT) rule or be not NATted at all, depending on the other bits of your configuration.

You can confirm the ASA works this way not only by inspection of the results (which you already have) but in more detail by using the packet-tracer utility.

Hi Marvin

tonysebastian — Sun, 09 Jul 2017 08:53:55 GMT

Hi Marvin

Thanks for your comments.

In packet tracer utility I am getting an error message as below

(nat-no-xlate-to-pat-pool)

Regards

Tony

Well there you go. The ASA

Marvin Rhoads — Sun, 09 Jul 2017 08:58:07 GMT

Well there you go. The ASA itself is confirming what Karsten said - that your PAT pool cannot handle the icmp traffic.