topic Hi in Network Security

Not getting Ping

tonysebastian — Tue, 12 Mar 2019 09:40:13 GMT

I have configured a static nat on ASA as follows

Mapped Ip Port Real IP Port
192.168.1.200 80 10.50.1.16 80
192.168.1.200 81 10.50.4.23 81
192.168.1.200 82 10.50.1.126 8080
192.168.1.200 83 10.50.1.16 83
192.168.1.200 84 10.50.4.23 83

when a user in outside zones try to ping to the mapped IP(192.168.1.200) it is not working. But natting is working as expected.

Could any one advice me how to get the ping to mapped IP ie. (192.168.1.200) from outside interface.

Regards

Tony

If you are going from low

GRANT3779 — Fri, 07 Jul 2017 12:08:27 GMT

If you are going from low security level to a higher security level you will need an ACL in place allowing the desired traffic.

If trying to ping from the inside to outside you will need inspect icmp configured.

Hi

tonysebastian — Fri, 07 Jul 2017 12:17:00 GMT

Thanks for your response

I have permitted ICMP in ACL. but still am not able to get ping.

Can you post relevant config?

GRANT3779 — Fri, 07 Jul 2017 12:20:41 GMT

Can you post relevant config? Would be helpful. Thanks

Hi Please find the

tonysebastian — Sat, 08 Jul 2017 07:24:32 GMT

Hi Please find the configuration

object network WEB_SERVER_10.50.1.16_1
host 10.50.1.16
nat(WEB_Zone,Outside) static WEBNAT_192.168.200.1 service tcp www www

object network PRI_SER
host 10.50.1.126
nat(WEB_Zone,Outside) static WEBNAT_192.168.200.1 service tcp 8080 82

object network Training
host 10.50.4.23
nat(DTB_Zone,Outside) static WEBNAT_192.168.200.1 service tcp 81 81

object network WEB_SERVER_10.50.1.16_1
host 10.50.1.16
nat(WEB_Zone,Outside) static WEBNAT_192.168.200.1 service tcp 83 83

object network Training2
host 10.50.4.23
nat(DTB_Zone,Outside) static WEBNAT_192.168.200.1 service tcp 83 84

access-group outside_access_in in interface ouside

access-list outside_access_in line 56 extended permit ip host 10.87.1.5 any (hitcnt=784) 0x6301df3a

Before I configured simple nat without port translation I was able to get ping but after this configuration am not getting Ping but applications are working

I think what you experiencing

GRANT3779 — Sat, 08 Jul 2017 07:55:53 GMT

I think what you experiencing is correct behaviour.

Also just to confirm, the address you are trying to ping is 192.168.200.1? One post mentions 1.200 and another 200.1.

I don't think you will be able to get icmp working when pinging the 192.168 address with your nat/port forwarding current setup as it is attached to a number of internal addresses on various ports.

Maybe someone else can confirm as not 100%.

You said you configured static nat previously and it worked. Was this a pure one to one static mapping? If so, then there would only be one address attached allowing it to reply to icmp.

Hi Dear

tonysebastian — Sat, 08 Jul 2017 08:05:43 GMT

Hi Dear

Sorry it is actually 192.168.200.1.

earlier it was one to one static nat as given below

object network WEB_SERVER_10.50.1.16_1
host 10.50.1.16
nat(WEB_Zone,Outside) static WEBNAT_192.168.200.1 service tcp any any

If it is an expected behaviour could you please give any documents supporting your comments.

Thanks

I am not 100% sure if this is

GRANT3779 — Sat, 08 Jul 2017 08:23:34 GMT

I am not 100% sure if this is the case but the NATs you have are for specific ports only. If you ping the 200.1 address, it is mapped to multiple different addresses / ports only. What exactly would be replying to the icmp echos when you try to ping it?

Someone else may be able to clarify or tell you if it is possible.