not able to ping device behind

Randyx — Sat, 22 Feb 2020 07:35:38 GMT

Hi Guys,

Just need your assistance on this.

I'm trying to setup a GNS3 lab. Attached is the diagram.

For some reason, I'm cannot ping the devices behind the firewall.

Here are the FW config.

FW1# sh run nat
nat (INSIDE,WAN0) source dynamic any interface

FW1# sh ip
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 WAN0 10.50.1.1 255.255.255.252 CONFIG
GigabitEthernet0/1 INSIDE 192.168.32.1 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 WAN0 10.50.1.1 255.255.255.252 CONFIG
GigabitEthernet0/1 INSIDE 192.168.32.1 255.255.255.0 CONFIG

FW1# sh run nat
nat (INSIDE,WAN0) source dynamic any interface

FW1# sh run access-list
access-list WAN_IN extended permit ip any any
access-list INSIDE_IN extended permit ip any any

FW1# sh run access-group
access-group WAN_IN in interface WAN0
access-group INSIDE_IN in interface INSIDE

FW1# sh run route
route WAN0 0.0.0.0 0.0.0.0 10.50.1.2 1

FW2# sh run nat
nat (INSIDE,WAN0) source dynamic any interface

FW2# sh ip
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 WAN0 10.50.1.2 255.255.255.252 CONFIG
GigabitEthernet0/1 INSIDE 192.168.31.1 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 WAN0 10.50.1.2 255.255.255.252 CONFIG
GigabitEthernet0/1 INSIDE 192.168.31.1 255.255.255.0 CONFIG

FW2# sh run nat
nat (INSIDE,WAN0) source dynamic any interface

FW2# sh run access-list
access-list WAN0_IN extended permit ip any any
access-list INSIDE_IN extended permit ip any any

FW2# sh run access-group

access-group WAN0_IN in interface WAN0
access-group INSIDE_IN in interface INSIDE

FW2# sh run route
route WAN0 0.0.0.0 0.0.0.0 10.50.1.1 1

From Site1 or Site2, I can ping the other router's Outside interface.

Site2#ping 10.50.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/10/42 ms

Site1#ping 10.50.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/6 ms

However, I cannot ping each other's local subnet.

Please assist!! Thanks in Advance

Re: not able to ping device behind

Florin Barhala — Tue, 08 May 2018 11:58:17 GMT

This is happening because of the NAT statements on each FW.
Go for "no nat (INSIDE,WAN0) source dynamic any interface" and try again.

Re: not able to ping device behind

Randyx — Tue, 08 May 2018 23:43:24 GMT

Thanks for your help..that did the trick. However, are you not suppose to do NATTing in a FW to FW setup? If no, what would be the correct NAT setup on this scenario?

Re: not able to ping device behind

Florin Barhala — Wed, 09 May 2018 07:30:44 GMT

NAT is 99% used for Internet access due to private/public IP story.
Now suppose you apply Dynamic PAT for both FWs (inside interfaces) to reach Internet, then you need to configure a STATIC NAT for one destination host in the FW the host resides.

E.G.
host_A -- FW1 ---- FW2 -- host_B
You configure dynamic PAT for network_A on FW1 and network_B on FW2.
Next if you want host_A to reach host_B the most usual way would be:
- configure a site-to-site IPSEC tunnel
- configure a static NAT on FW2
- ping from host_A the public IP used in the "static NAT on FW2"

topic Re: not able to ping device behind in Network Security

not able to ping device behind

Re: not able to ping device behind

Re: not able to ping device behind

Re: not able to ping device behind