
ASA 5505 - Cannot ping outside natted interface

amrinw1133
Level 1

Hello,

I have a Cisco ASA 5505. The problem is that I am not able to ping the outside NATted interface (IP: 172.88.188.123, 124 and 125) from the inside network.

Could someone help me to resolve this? I have looked for ASA documentation on the internet and still got nothing.

Thank you in advance.

The config is:

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name domain
enable password ********** encrypted
passwd ************ encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.88.188.122 255.255.255.248
!
interface Vlan3
 no forward interface Vlan2
 nameif backup
 security-level 0
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name domain
same-security-traffic permit intra-interface
access-list outside_in extended permit tcp any host 172.88.188.123 eq smtp
access-list outside_in extended permit tcp any host 172.88.188.123 eq pop3
access-list outside_in extended permit tcp any host 172.88.188.123 eq www
access-list outside_in extended permit icmp any any
access-list outside_in extended permit icmp any any echo-reply
access-list inside_out extended permit tcp 192.168.1.0 255.255.255.0 any
access-list inside_out extended permit udp 192.168.1.0 255.255.255.0 any
access-list inside_out extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 172.88.188.128
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 172.88.188.123 192.168.1.253 netmask 255.255.255.255
static (inside,outside) 172.88.188.124 192.168.1.251 netmask 255.255.255.255
static (inside,outside) 172.88.188.125 192.168.1.5 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 172.88.188.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 1048575
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:865943aa325eb75812628fec3b1e7249
: end

Accepted Solutions

acomiskey
Level 10

You are looking for this. 2 options: DNS doctoring or hairpinning (2nd part of document). Post back if you need help setting it up.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Hairpinning would look like this in your scenario.

same-security-traffic permit intra-interface
global (inside) 1 interface
static (inside,inside) 172.88.188.123 192.168.1.253 netmask 255.255.255.255
static (inside,inside) 172.88.188.124 192.168.1.251 netmask 255.255.255.255
static (inside,inside) 172.88.188.125 192.168.1.5 netmask 255.255.255.255
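
The hairpinning lines in the answer above follow mechanically from the NAT lines already in the posted config, so a config can be checked for them before a change window. The Python check below is an added example, not part of the original thread or any Cisco tool; the function name `hairpin_gaps` and the trimmed sample configs are constructed for illustration, and it only handles pre-8.3 host statics of the `static (a,b) mapped real netmask m` form.

```python
import re

# Constructed sample: the NAT-related lines from the config posted in the question.
QUESTION_CFG = """\
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 172.88.188.123 192.168.1.253 netmask 255.255.255.255
static (inside,outside) 172.88.188.124 192.168.1.251 netmask 255.255.255.255
static (inside,outside) 172.88.188.125 192.168.1.5 netmask 255.255.255.255
"""
# Constructed sample: the lines the accepted answer adds on top of that config.
ANSWER_CFG = """\
global (inside) 1 interface
static (inside,inside) 172.88.188.123 192.168.1.253 netmask 255.255.255.255
static (inside,inside) 172.88.188.124 192.168.1.251 netmask 255.255.255.255
static (inside,inside) 172.88.188.125 192.168.1.5 netmask 255.255.255.255
"""

INTRA = "same-security-traffic permit intra-interface"
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
NAT_RE = re.compile(r"nat \((\w+)\) (\d+) ")
GLOBAL_RE = re.compile(r"global \((\w+)\) (\d+) interface$")


def hairpin_gaps(config, inside="inside", outside="outside"):
    """Return the pre-8.3 commands still missing for hairpinning, in order."""
    lines = [ln.strip() for ln in config.splitlines()]
    gaps = [] if INTRA in lines else [INTRA]
    nat_ids, global_ids, statics = set(), set(), {}
    for ln in lines:
        # NAT id 0 is NAT exemption and never pairs with a global statement.
        if (m := NAT_RE.match(ln)) and m.group(1) == inside and m.group(2) != "0":
            nat_ids.add(m.group(2))
        elif (m := GLOBAL_RE.match(ln)) and m.group(1) == inside:
            global_ids.add(m.group(2))
        elif m := STATIC_RE.match(ln):
            statics.setdefault(m.group(1, 2), set()).add(m.group(3, 4, 5))
    # Each dynamic NAT id on the inside needs a matching global on the inside.
    gaps += [f"global ({inside}) {i} interface" for i in sorted(nat_ids - global_ids)]
    # Each (inside,outside) host static needs an (inside,inside) twin.
    missing = statics.get((inside, outside), set()) - statics.get((inside, inside), set())
    gaps += [f"static ({inside},{inside}) {mapped} {real} netmask {mask}"
             for mapped, real, mask in sorted(missing)]
    return gaps


if __name__ == "__main__":
    for cmd in hairpin_gaps(QUESTION_CFG):
        print("missing:", cmd)
```

Run against the question's config, it reports exactly the `global (inside)` and `static (inside,inside)` lines from the answer; `same-security-traffic permit intra-interface` is not reported because the posted config already contains it.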

Hi Acomiskey,

It works!!! I use hairpinning and it works.

Thanks a lot, you just saved my day.
