topic Try removing the "no proxy in Network Security

Problems pinging host while using policy NAT

Colin Higgins — Tue, 12 Mar 2019 06:38:57 GMT

I have two firewalls and a host I am trying to ping from one firewall through the other (both ASAs). I can't ping the host when using policy nat.

A simple topology looks like this

ASA1-----172.25.91.160 /27------ASA2--------host 172.25.92.73

The interfaces on the 172.25.91.160 /27 network are called "SOS". The interface where the host 172.25.92.73 resides is called "ASA-TRANS"

icmp is allowed on the firewall interfaces like so.

icmp permit any SOS

icmp permit any echo-reply SOS

I set up objects and then a policy NAT on ASA2 like so

nat (ASA-TRANS,SOS) source static obj-172.25.92.73 obj-172.25.91.172 destination static obj-172.25.91.161 obj-172.25.91.161 no-proxy-arp

so the internal host appears as if it is on the 172.25.91.160 /27 network.

I then created an ACL on the SOS interface allowing icmp echo/echo-reply on the SOS interface from anywhere.

Both SOS interfaces are set to security level 50

When I try to ping from ASA1, the firewall never even attempts to contact 172.25.91.172. It immediately bombs out with no log message. Just question marks.

When I ping from the internal host 172.25.92.73 to ASA1 at 172.25.91.161, I see the icmp echo packets hit the SOS interface, but nothing is going back. Again, the firewall won't respond to the host, even though icmp is enabled on the interface. I even put a permissive ACL on the firewall interface allowing everything, but no reply.

If I go into ASDM and do a packet trace, it tells me the packet should be allowed without any issues. If I configure other hosts using traditional NAT (not policy), I have problem pinging through ASA2.

Is there something wrong with this policy nat? Some reason firewall ASA1 can't see the host?

Try removing the "no proxy

Jon Marshall — Fri, 25 Sep 2015 00:12:19 GMT

Try removing the "no proxy-arp" from your NAT statement.

Because the internal host is presented on the same subnet as is being used between the firewalls ASA1 will send an arp for the 172.25.91.172 IP address and you are relying on ASA2 to respond to that arp.

If you were using a different IP subnet to present internal devices ie. not the one used between the ASAs, then you would simply have a route on ASA1 for that IP subnet pointing to the outside interface of ASA2 and then you could use "no proxy-arp" in your NAT statement because ASA1 would not be sending an arp for that IP address, it would simply route the traffic to ASA2.

Jon

That was it Jon:thanks! You

Colin Higgins — Fri, 25 Sep 2015 00:43:50 GMT

That was it Jon:

thanks! You saved me a huge amount of headache. I was banging away at this in totally different direction (looking at the IPS, etc.)