topic Re: CANNOT PING THE PUBLIC IP OF NAT'ed SERVER in Network Security

CANNOT PING THE PUBLIC IP OF NAT'ed SERVER

Jesutofunmi O — Fri, 21 Feb 2020 16:20:13 GMT

Hey Guys,

So I use an ASA FW 5515x. On this, I NAT'ed my Exchange Server out, specifying the ports also. More like a PAT. However, I am unable to ping the public IP (Outside Address) of the Exchange Server from outside. Traceroute works. Hits it. I just want to it to echo-reply. What do you guys think the problem could be please? I have disabled the Exchange firewalls.

Re: CANNOT PING THE PUBLIC IP OF NAT'ed SERVER

balaji.bandi — Tue, 09 Oct 2018 16:34:49 GMT

when you get chance . can you post the configuration and packet trace results. ?

Re: CANNOT PING THE PUBLIC IP OF NAT'ed SERVER

Rahul Govindan — Tue, 09 Oct 2018 16:41:18 GMT

Can you share the NAT and ACL config that you added for this server?

Also, why add specific ports to NAT if you want to allow ICMP?

Re: CANNOT PING THE PUBLIC IP OF NAT'ed SERVER

Jesutofunmi O — Tue, 30 Oct 2018 10:36:01 GMT

Hello Rahul/Balaji

Please see config below. My worries are two;

1. I added specific ports so as not to open all ports. However, I had tried to allow ICMP both on NAT statement and ACL bit my ASA does not give me that options. Seems to me like I'd have to change the whole config to allow all ports by NOT specifying any ports. What do you think please?

2. Because 192.168.0.7 (exchange LAN IP) is already part of a dynamic NAT, mails are going out with the IP address of my ASA's Outside interface instead of the NAT'ed public IP. To explain further, for example, my Outside interface has IP address 1.1.1.1/29, I had NAT'ed my Exchange Server (192.168.0.7) to 1.1.1.2/29. Because 192.168.0.7/24 is already part of a dynamic NAT, mails are going out via 1.1.1.1/29 and are coming in via 1.1.1.2/29. I want mails to go out through the NAT'ed IP and also come in through the NAT'ed IP

interface GigabitEthernet0/0
description ###Internet Link###
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.248

access-list ExchangeServerOutsideIn extended permit tcp any object Exchange_Server25 eq smtp
access-list ExchangeServerOutsideIn extended permit tcp any object Exchange_Server443 eq https
access-list ExchangeServerOutsideIn extended permit tcp any object Exchange_Server587 eq 587
access-list ExchangeServerOutsideIn extended permit tcp any object Exchange_Server993 eq 993
access-list ExchangeServerOutsideIn extended permit tcp any object Exchange_Server995 eq 995
access-list ExchangeServerOutsideIn extended permit tcp any object Exchange_Server995 eq pop3

object network Outside_Exchange_Server
host xx.xx.xx.xx
object network Office_5
object network Exchange_Server25
host 192.168.0.7
object network Exchange_Server443
host 192.168.0.7
object network Exchange_Server587
host 192.168.0.7
object network Exchange_Server993
host 192.168.0.7
object network Exchange_Server995
host 192.168.0.7
object network Exchange_Server110
host 192.168.0.7

object network Exchange_Server25
nat (INSIDE,outside) static Outside_Exchange_Server service tcp smtp smtp
object network Exchange_Server443
nat (INSIDE,outside) static Outside_Exchange_Server service tcp https https
object network Exchange_Server587
nat (INSIDE,outside) static Outside_Exchange_Server service tcp 587 587
object network Exchange_Server993
nat (INSIDE,outside) static Outside_Exchange_Server service tcp 993 993
object network Exchange_Server995
nat (INSIDE,outside) static Outside_Exchange_Server service tcp 995 995
object network Exchange_Server110
nat (INSIDE,outside) static Outside_Exchange_Server service tcp pop3 pop3

access-group ExchangeServerOutsideIn in interface outside

Re: CANNOT PING THE PUBLIC IP OF NAT'ed SERVER

Rahul Govindan — Thu, 18 Oct 2018 14:25:54 GMT

1) Your NAT and ACL config looks correct. However you cannot create a NAT for icmp since there are no ports that you can translate. You can do a 1-1 static NAT for your exchange server and then only allow the ports required/icmp to the server from the outside. NAT is used for translation while ACL is used to allow/block inbound requests. Your statements would be:

object network Exchange_Server
host 192.168.0.7

nat (INSIDE,outside) static Outside_Exchange_Server

access-list ExchangeServerOutsideIn extended permit tcp any object Exchange_Server eq smtp
access-list ExchangeServerOutsideIn extended permit tcp any object Exchange_Server eq https
access-list ExchangeServerOutsideIn extended permit tcp any object Exchange_Server eq 587
access-list ExchangeServerOutsideIn extended permit tcp any object Exchange_Server eq 993
access-list ExchangeServerOutsideIn extended permit tcp any object Exchange_Server eq 995
access-list ExchangeServerOutsideIn extended permit tcp any object Exchange_Server eq pop3

access-list ExchangeServerOutsideIn extended permit icmp any object Exchange_Server

2) The above should also fix this. If your dynamic NAT rules are located below your static one in order of configuration, you should be ok.

Re: CANNOT PING THE PUBLIC IP OF NAT'ed SERVER

Alex Pfeil — Tue, 30 Oct 2018 10:42:33 GMT

That is exactly what I would recommend.

Re: CANNOT PING THE PUBLIC IP OF NAT'ed SERVER

Jesutofunmi O — Thu, 01 Nov 2018 10:32:13 GMT

Hello Rahul,

Thank you so much. The two issues have been resolved by your proffered solution. One or two questions and observations

1. My static NAT is AFTER the dynamic NAT and yet the Exchange Server NAT'ed address is working. NOT the outside address of the ASA (this is what I wanted though). I am just referring to your statement (The above should also fix this. If your dynamic NAT rules are located below your static one in order of configuration).

2. After I removed the NAT statements that specified the ports and just did a single static NAT, I was able to send mails out with the NAT'ed IPas against the IP of the dynamic NAT the Exchange Server is part of.

3. It is safe to conclude that my ICMP did not work because I was trying to allow ICMP in my NAT statement instead of my Acces-list.

Thanks once again.

cheers