Welcome to Cisco Firewalls Community


Contributor

Allow ICMP with PAT

From what I've read, what I would like to accomplish isn't possible.

We have 5 static IPs. 4 for servers and 1 for the firewall. I can ping the firewall fine from the outside but can't ping the other 4 IPs. Doesn't sound like it's possible to configure this since ICMP doesn't use ports and the firewall wouldn't know how to route ICMP traffic to the different IPs.

Can anyone else confirm this?

Thanks!

Sent from Cisco Technical Support iPhone App

19 Replies
Cisco Employee

Allow ICMP with PAT

Have you configured the static NAT statement for the servers yet?

Also, have you allowed ICMP on your outside interface for those 4 static IP Addresses?

You would be able to ping once you have the above 2 configured.

Contributor

Re: Allow ICMP with PAT

I have ICMP enabled on my router public IP and can ping that fine.

And I've configured the static NAT for my servers. For example... Public IP 96.249.40.100 (not my real IP) on port 80 maps to 192.168.1.100 on port 80.

Not sure how I'd allow ICMP through to 96.249.40.100....

Sent from Cisco Technical Support iPhone App

Cisco Employee

Re: Allow ICMP with PAT

Do you have an access-list applied to your outside interface? You should add "permit icmp" for those addresses that you want to ping.

Beginner

Re: Allow ICMP with PAT

If outsidein is the access list applied on your outside interface:

access-list outsidein extended permit icmp any (public_ip) echo-reply
access-list outsidein extended permit icmp any (public_ip) echo
access-group outsidein in interface outside

Note: for versions up to 8.2.

You would be able to ping.

Contributor

Re: Allow ICMP with PAT

I have the following in my access list:

     access-list outside_access_in_1 remark Allow ICMP traffic
     access-list outside_access_in_1 extended permit icmp any any echo-reply
     access-list outside_access_in_1 extended permit icmp any any unreachable
     access-list outside_access_in_1 extended permit icmp any any time-exceeded

And that is applied to my outside interface inbound...

     access-group outside_access_in_1 in interface primaryisp

Here is one of my NAT rules which...

     object network asp-wss-3-http-vz
          nat (inside,primaryisp) static 96.249.40.100 service tcp www www

Do I need to specifically allow ICMP to asp-wss-3-http-vz or to 96.249.40.100?

Thanks for the help!

Cisco Employee

Re: Allow ICMP with PAT

The ICMP type that you would need to permit is "echo" and that has not been included in the access-list.

Please add the following:

access-list outside_access_in_1 extended permit icmp any any echo

and you don't need to specifically allow icmp to the host/ip address.

Contributor

Re: Allow ICMP with PAT

So I added that but I still cannot ping anything except the actual router's IP.

     access-list outside_access_in_1 remark Allow ICMP traffic
     access-list outside_access_in_1 extended permit icmp any any echo
     access-list outside_access_in_1 extended permit icmp any any echo-reply
     access-list outside_access_in_1 extended permit icmp any any unreachable
     access-list outside_access_in_1 extended permit icmp any any time-exceeded

Here is my ASDM log when I try to ping it...

     3  Jun 13 2012  09:31:29  96.249.40.18  96.249.40.10  Deny inbound icmp src primaryisp:96.249.40.18 dst primaryisp:96.249.40.10 (type 8, code 0)

Cisco Employee

Re: Allow ICMP with PAT

Is 96.249.40.10 "primaryisp" interface ip address?

Contributor

Re: Allow ICMP with PAT

No, the primaryisp interface is 96.249.40.14.  The 4 other IPs that I want to get ICMP replies from are .10 - .13.  I'm using PAT for various services (http, https, etc.) on those other 4 IPs.

Cisco Employee

Re: Allow ICMP with PAT

Also need the following NAT:

object service ping
        service icmp echo

object network asp-wss-3-http-vz-ping
          host
          nat (inside,primaryisp) static 96.249.40.10 service ping ping

Contributor

Re: Allow ICMP with PAT

nat (inside,primaryisp) static 96.249.40.10 service ping ping

                                                                             ^

ERROR: % Invalid input detected at '^' marker.

Contributor

Re: Allow ICMP with PAT

Bump!  Any suggestions on this would be appreciated!

Beginner

Re: Allow ICMP with PAT

Are you able to statically NAT a single IP address with all ports to a local IP address, or do you only want to NAT ICMP?

Cisco Employee

Re: Allow ICMP with PAT

Did you configure all 5 lines advised earlier, or just 1 line?

object service ping
        service icmp echo

object network asp-wss-3-http-vz-ping
          host
          nat (inside,primaryisp) static 96.249.40.10 service ping ping
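The thread turns on two separate checks: the ACL applied inbound on the outside interface must permit icmp echo (type 8), and a static NAT that is restricted with "service tcp www www" gives an ICMP packet nothing to match, so the firewall logs "Deny inbound icmp ... dst primaryisp:96.249.40.10" without ever untranslating the address. The script below is an added example, not code from the thread or from Cisco. It parses a constructed ASA config fragment in the same shape as the one posted (the inside host addresses 192.0.2.x are placeholders) together with a constructed deny line modelled on the ASDM entry, and reports which of the two conditions explains the deny. It only understands the "permit icmp any any [type]" access-list form and the object NAT syntax shown in the thread.

```python
"""Added example: explain why an inbound ICMP echo to a NATed address is denied on an ASA.

Parses a constructed config fragment (same shape as the thread's; inside hosts are
placeholders) and a constructed deny log line, then reports the two gaps the thread
turns on: the inbound ACL not permitting icmp echo, and the mapped address having
only tcp/udp port-specific static NAT (so an ICMP packet matches no translation).
"""
import re
from collections import defaultdict

# Constructed sample config (not the poster's real config; 192.0.2.x hosts are placeholders).
SAMPLE_CONFIG = """\
access-list outside_access_in_1 remark Allow ICMP traffic
access-list outside_access_in_1 extended permit icmp any any echo-reply
access-list outside_access_in_1 extended permit icmp any any unreachable
access-list outside_access_in_1 extended permit icmp any any time-exceeded
access-group outside_access_in_1 in interface primaryisp
object network asp-wss-3-http-vz
 host 192.0.2.10
 nat (inside,primaryisp) static 96.249.40.10 service tcp www www
object network asp-wss-3-https-vz
 host 192.0.2.10
 nat (inside,primaryisp) static 96.249.40.10 service tcp https https
object network web2-full-static
 host 192.0.2.11
 nat (inside,primaryisp) static 96.249.40.11
"""

# Constructed deny line in the shape of the ASDM entry quoted in the thread.
SAMPLE_LOG = ("Deny inbound icmp src primaryisp:96.249.40.18 "
              "dst primaryisp:96.249.40.10 (type 8, code 0)")

# Only the forms used in the thread are parsed: "permit icmp any any [type]"
# and object NAT "static <mapped> [service tcp|udp <real> <mapped>]".
ACL_RE = re.compile(r"^access-list (\S+) extended permit icmp any any(?: (\S+))?$")
ACG_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
OBJ_RE = re.compile(r"^object network (\S+)$")
NAT_RE = re.compile(
    r"^\s*nat \((\S+),(\S+)\) static (\S+)(?: service (tcp|udp) (\S+) (\S+))?\s*$")
DENY_RE = re.compile(
    r"Deny inbound icmp src (\S+):(\S+) dst (\S+):(\S+) \(type (\d+), code (\d+)\)")

# ICMP type numbers as the ASA log prints them, mapped to the ACL keyword that permits them.
ICMP_TYPE_NAMES = {8: "echo", 0: "echo-reply", 3: "unreachable", 11: "time-exceeded"}


def parse_config(text):
    """Return (nat_map, acl_icmp, access_groups) from an ASA config fragment."""
    nat_map = defaultdict(list)       # mapped_ip -> [(object name, "tcp/www" or None), ...]
    acl_icmp = defaultdict(set)       # acl name -> permitted icmp types ("any" = all types)
    access_groups = {}                # interface -> acl applied inbound
    current_obj = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := OBJ_RE.match(line):
            current_obj = m.group(1)
        elif m := NAT_RE.match(line):
            _real_ifc, _mapped_ifc, mapped_ip, proto, _real_port, mapped_port = m.groups()
            nat_map[mapped_ip].append((current_obj, f"{proto}/{mapped_port}" if proto else None))
        elif m := ACL_RE.match(line):
            acl_icmp[m.group(1)].add(m.group(2) or "any")
        elif m := ACG_RE.match(line):
            access_groups[m.group(2)] = m.group(1)
    return nat_map, acl_icmp, access_groups


def parse_deny(line):
    """Extract interfaces, addresses and ICMP type/code from a 'Deny inbound icmp' line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    src_ifc, src_ip, dst_ifc, dst_ip, icmp_type, code = m.groups()
    return {"src_ifc": src_ifc, "src_ip": src_ip, "dst_ifc": dst_ifc,
            "dst_ip": dst_ip, "type": int(icmp_type), "code": int(code)}


def diagnose(config_text, log_line):
    """List the reasons the logged ICMP packet could not reach an inside host."""
    nat_map, acl_icmp, access_groups = parse_config(config_text)
    ev = parse_deny(log_line)
    if ev is None:
        raise ValueError("not an ICMP deny line")
    problems = []
    type_name = ICMP_TYPE_NAMES.get(ev["type"], str(ev["type"]))
    # Check 1: the ACL applied inbound on the arrival interface must permit this ICMP type.
    acl = access_groups.get(ev["dst_ifc"])
    if acl is None:
        problems.append(f"no access-group applied inbound on {ev['dst_ifc']}")
    elif not {"any", type_name} & acl_icmp.get(acl, set()):
        problems.append(f"ACL {acl} does not permit icmp {type_name}")
    # Check 2: a translation must exist that an ICMP packet (no port) can match.
    entries = nat_map.get(ev["dst_ip"], [])
    if not entries:
        problems.append(f"no static NAT maps {ev['dst_ip']} to an inside host")
    elif all(service is not None for _, service in entries):
        problems.append(f"{ev['dst_ip']} has only port-specific NAT "
                        f"({', '.join(s for _, s in entries)}); icmp has no port to match")
    return problems


if __name__ == "__main__":
    for problem in diagnose(SAMPLE_CONFIG, SAMPLE_LOG):
        print("-", problem)
```

Run against the constructed sample it reports both gaps for 96.249.40.10; adding the "permit icmp any any echo" line clears the first, and the address 96.249.40.11, which has a full static NAT rather than a port-restricted one, then diagnoses clean. The same two-step reading applies to a real "Deny inbound icmp" entry: if the dst address in the log still shows the mapped (public) address on the outside interface, the packet was dropped before any translation was found for it.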