ICMP with NAT

phusion2k — Tue, 12 Mar 2019 02:16:41 GMT

I am new to using ASA firewalls so what might be considered a basic question which is how can I configure the firewall to permit/allow pinging the differnet public IP addresses. I have it already set so I can ping the WAN interface on the ASA and it replies, but not the other public IP address.

The firewall is a 5505 running 9.1(2) with a base license. I've read that there have been changes to how NAT works after 8.3. Here is what I currently have.

* WAN IP addresses are not the real ones being used

WAN IP for firewall: 100.125.150.218

LAN IP for firewall: 192.168.1.1

WAN IP for server: 100.125.150.161

LAN IP for server: 192.168.1.21

----------

asa# sh config

: Saved

: Written by enable_15 at 15:35:55.329 CDT Wed Jul 24 2013

ASA Version 9.1(2)

hostname asa

domain-name test.com

enable password ******** encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd ******** encrypted

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

description LAN interface

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Vlan2

description WAN interface

nameif outside

security-level 0

ip address 100.125.150.218 255.255.255.252

boot system disk0:/asa912-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns server-group DefaultDNS

domain-name test.com

object network server

host 192.168.1.21

object network server-SPAT

host 192.168.1.21

object-group network obj_any

access-list INTERNET_TO_INSIDE extended permit tcp any4 object server eq 3389

access-list INTERNET_TO_INSIDE extended permit icmp any4 object server echo

access-list INTERNET_TO_INSIDE extended permit icmp any4 any4 echo

access-list INSIDE_TO_INTERNET extended permit ip any4 any4

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-713.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

object network server

nat (inside,outside) dynamic 100.125.150.161

object network server-SPAT

nat (inside,outside) static 100.125.150.161 service tcp 3389 3389

nat (inside,outside) after-auto source dynamic any interface

access-group INTERNET_TO_INSIDE in interface outside

route outside 0.0.0.0 0.0.0.0 100.125.150.217 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect icmp

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

class class-default

set connection decrement-ttl

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

password encryption aes

Cryptochecksum:51694d9dd562042b39b272c2eba831d3

----------

Any help would be appreciated.

Re: ICMP with NAT

Jouni Forss — Wed, 24 Jul 2013 21:41:00 GMT

Hi,

You have the following NAT configurations in addition to the Dynamic PAT for all LAN users

object network server

host 192.168.1.21

nat (inside,outside) dynamic 100.125.150.161

object network server-SPAT

host 192.168.1.21

nat (inside,outside) static 100.125.150.161 service tcp 3389 3389

I would suggest that you remove both of these.

The first NAT configuration is a Dynamic PAT. So it only enables initiating connections from the LAN to the WAN.

The second NAT configuration is a Static PAT that only forward a single port using the same public IP address as the first one.

If you actually have spare public IP addresses to dedicate for your server then your NAT configuration should be a single Static NAT for this server.

object network SERVER

host 192.168.1.21

nat (inside,outside) static 100.125.150.161

And then allow the services from the WAN that you require. For example ICMP and TCP/3389 using the above "object network" name as the destination.

- Jouni

ICMP with NAT

phusion2k — Thu, 25 Jul 2013 17:06:10 GMT

That worked! Thanks for your help regarding this. I also appreciate you explaining about the NAT statements I had with one being for dynamic PAT and the other for static PAT.

Thanks again.

topic ICMP with NAT in Network Security

ICMP with NAT

Re: ICMP with NAT

ICMP with NAT