The DMZ is an internal DMZ on the 172.16.5.x network we have NAT translation setup for anyone trying to access our FTP servers.

Hi,

Does every host needed to ping have a Static NAT configured on the ASA?

If yes then you just need to allow ICMP/echo on the "outside" interface ACL

In the examples will use the ACL name "OUTSIDE-IN"

THis would be configured on the ASA in the direction "in" for the interface "outside"

access-group OUTSIDE-IN in interface outside

for example

From "any" source address

access-list OUTSIDE-IN permit icmp any host echo

or

From "any" source address using the object name of the NAT (if one exists)

access-list OUTSIDE-IN permit icmp any object

From specific source address/network

access-list OUTSIDE-IN permit icmp host host echo

or

access-list OUTSIDE-IN permit icmp host echo

- Jouni

Jouni,

We have only one server and yes the object NAT rule has the 98.101.206.x pointing to the host or server 172.16.5.x

I think the answer is yes - we had a contractor setup the ASA and not sure about the configuration.

Thanks

Hi,

If you can copy the needed NAT configurations here we can check it and the needed ACLs statements for ICMP.

- Jouni

I will try to summit everything you need from the running-config

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network obj-172.16.5.2

host 172.16.5.2

object service FTPS

service tcp source eq 990 destination eq 989

description FTPS_DMZ_FTP_Server_11-29-12

access-list outside_access_in extended permit object FTPS any object obj-172.16.5.2

access-list outside_access_in extended permit tcp any object obj-172.16.5.2 eq ssh

access-list outside_access_in extended permit tcp any object obj-172.16.5.2 eq https

access-list outside_access_in extended permit tcp any host 172.16.5.2 eq ftp

pager lines 24

icmp unreachable rate-limit 1 burst-size 1

icmp permit host 172.16.5.2 outside

icmp permit any PCSFTP

nat (inside,outside) source dynamic any interface description PAT_Inside_Outside_on_MPLS_Circuit

!

object network obj_any

nat (PCSFTP,outside) dynamic interface

object network obj-172.16.5.2

nat (PCSFTP,outside) static 98.101.206.51

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 98.101.206.1 1

I hope this is all you need, if not please let me know

Thank you

I’m sure you are very busy, when people have experience like you they are in high demand.

We really appreciate Cisco – you for having time to help us configure our equipment, show the mistakes as we learn.

Thank you my friend – Merry Christmas.

Were you able to get it working with the above command or is there any problems?

If it doesnt work yet you might need to add the following "inspect icmp" to your configuration

Provided the configuration is pretty default on your firewall you could add this configuration. The 2 first lines are just for the firewall to move to the right configuration prompt and "inspect icmp" is the actual command/setting that will be inserted

policy-map global_policy

class inspection_default

  inspect icmp

If on the other hand you solved the problem already please rate and mark the question as answered.

EDIT: Ah you did already

EDIT2: Merry Christmas to you too. I will be doing firewall migrations around christmas, ho ho ho

- Jouni