Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3496
Views
0
Helpful
19
Replies

Allow ICMP with PAT

mtehonica
Level 5
Level 5

‎06-12-2012 07:42 PM - edited ‎03-11-2019 04:18 PM

From what I've read, what I would like to accomplish isn't possible.

We have 5 static IPs. 4 for servers and 1 for the firewall. I can ping the firewall fine from the outside but can't ping the other 4 IPs. Doesn't sound like its possible to configure this since ICMP doesn't use ports and the firewall wouldn't know how to route ICMP traffic to the different IPs.

Can anyone else confirm this?

Thanks!

Sent from Cisco Technical Support iPhone App

Labels:
0 Helpful
19 Replies 19

Jennifer Halim
Cisco Employee
Cisco Employee

‎06-12-2012 07:59 PM

Have you configured the static NAT statement for the servers yet?

Also, have you allowed ICMP on your outside interface for those 4 static IP Addresses?

You would be able to ping once you have the above 2 configured.

0 Helpful

mtehonica
Level 5
Level 5

‎06-12-2012 08:07 PM

I have ICMP enabled on my router public IP and can ping that fine.

And I've configured the static NAT for my servers. For example... Public IP 96.249.40.100 (not my real ip) on port 80 maps to 192168.1.100 on port 80.

Not sure how I'd allow ICMP through to 96.249.40.100....

Sent from Cisco Technical Support iPhone App

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to mtehonica

‎06-12-2012 08:16 PM

Do you have access-list applied to your outside interface? You should add "permit icmp" for those addresses that you want to ping.

0 Helpful

gouravbathla
Level 1
Level 1
In response to Jennifer Halim

‎06-12-2012 10:33 PM

If outsidein is the access list applied on your outside interface.

access-list outsidein extended permit icmp any (public_ip) echo-reply
access-list outsidein extended permit icmp any (public_ip) echo
access-group outsidein in interface outside

Note:-For version upto 8.2

You would be able to ping.

0 Helpful

mtehonica
Level 5
Level 5
In response to gouravbathla

‎06-13-2012 05:17 AM

I have the following in my access list:

     access-list outside_access_in_1 remark Allow ICMP traffic

     access-list outside_access_in_1 extended permit icmp any any echo-reply

     access-list outside_access_in_1 extended permit icmp any any unreachable

     access-list outside_access_in_1 extended permit icmp any any time-exceeded

And that is applied to my outside interface inbound...

     access-group outside_access_in_1 in interface primaryisp

Here is one of my NAT rules which...

    object network asp-wss-3-http-vz

          nat (inside,primaryisp) static 96.249.40.100 service tcp www www

Do I need to specifically allow ICMP to asp-wss-3-http-vz or to 96.249.40.100?

Thanks for the help!

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to mtehonica

‎06-13-2012 06:16 AM

The ICMP type that you would need to permit is "echo" and that has not been included in the access-list.

Please add the following:

access-list outside_access_in_1 extended permit icmp any any echo

and you don't need to specifically allow icmp to the host/ip address.

0 Helpful

mtehonica
Level 5
Level 5
In response to Jennifer Halim

‎06-13-2012 06:32 AM

So I added that but I still cannot ping anything except the IP of the actual router IP.

     access-list outside_access_in_1 remark Allow ICMP traffic

     access-list outside_access_in_1 extended permit icmp any any echo

     access-list outside_access_in_1 extended permit icmp any any echo-reply

     access-list outside_access_in_1 extended permit icmp any any unreachable

     access-list outside_access_in_1 extended permit icmp any any time-exceeded

Here is my ASDM log when I try to ping it...

3Jun 13 201209:31:29
96.249.40.18
96.249.40.10
Deny inbound icmp src primaryisp:96.249.40.18 dst primaryisp:96.249.40.10 (type 8, code 0)
0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to mtehonica

‎06-13-2012 06:37 AM

Is 96.249.40.10 "primaryisp" interface ip address?

0 Helpful

mtehonica
Level 5
Level 5
In response to Jennifer Halim

‎06-13-2012 06:40 AM

No, the primaryisp interface is 96.249.40.14.  The 4 other IPs that I want to get ICMP relies from are .10 - .13.  I'm using PAT for various services (http, https, etc) on those other 4 IPs.

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to mtehonica

‎06-13-2012 06:56 AM

Also need the following NAT:

object service ping

        service icmp echo

object network asp-wss-3-http-vz-ping

          host

          nat (inside,primaryisp) static 96.249.40.10 service ping ping

0 Helpful

mtehonica
Level 5
Level 5
In response to Jennifer Halim

‎06-13-2012 07:14 AM

nat (inside,primaryisp) static 96.249.40.10 service ping ping

                                                                             ^

ERROR: % Invalid input detected at '^' marker.

0 Helpful

mtehonica
Level 5
Level 5

‎06-13-2012 11:51 AM

Bump!  Anyone suggestions on this would be appreciated!

0 Helpful

John Peterson
Level 1
Level 1
In response to mtehonica

‎06-13-2012 02:30 PM

Are you able to staticlly nat a single IP address with all ports to a local IP address or do you only want to nat icmp?

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to mtehonica

‎06-13-2012 08:49 PM

Did you configure all the 5 lines advised earlier? or just 1 line?

object service ping

        service icmp echo

object network asp-wss-3-http-vz-ping

          host

          nat (inside,primaryisp) static 96.249.40.10 service ping ping

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card