04-17-2013 06:09 AM - edited 03-11-2019 06:30 PM
Hello guys,
I have ASA 5510 with soft version 8.4(5) installed.
There are two interfaces:
IP 1.1.1.1/24 - inside
IP 2.2.2.1/24 - outside
I have configured PAT, so network 1.1.1.0/24 gets NATted to 2.2.2.2 address. Everything works fine, except I can't reach 2.2.2.2 via ICMP from the internet.
X.X.X.X 2.2.2.2 Deny inbound icmp src OUTSIDE:X.X.X.X dst OUTSIDE:2.2.2.2 (type 8, code 0)
But I have configured an access list allowing ICMP from any to any:
access-list outside_access_in extended permit icmp any any
Thus address 2.2.2.1, which is bound to the outside interface itself, is perfectly reachable via ICMP.
I've got two questions:
1) Is there a way to fix it? It will be handy for diagnostic purposes.
2) Is it possible to configure a secondary IP address on an interface on the ASA? I've read that there are some complications.
--
Regards
04-17-2013 06:15 AM
Hi,
If you are talking about Dynamic PAT then you can't ping that IP address. This is because the public IP address is shared by all the defined hosts on the internal network and therefore the ASA doesn't really have anywhere to forward the ICMP Echo.
The "outside" interface will naturally answer to ICMP as the IP address is configured directly on the interface.
Also you can use a secondary address range on the ASA as NAT IP addresses. Though you don't configure those addresses under the interface. You only configure them with the NAT configurations.
In your software you will also have to issue the global configuration "arp permit-nonconnected" to use the secondary address range if the ISP has configured that address range directly in their upstream router interface along with the existing primary address range. If that secondary IP address range is routed from the upstream router directly towards the ASA interface IP address then you WON'T need the "arp permit-nonconnected" command/configuration.
- Jouni
04-17-2013 06:22 AM
Hello Jouni,
thank you.
Yeah, I've read about secondary range, but I'm talking about secondary IP address from the same range. Like on Cisco Routers:
ip address 2.2.2.1 255.255.255.0
ip address 2.2.2.2 255.255.255.255 secondary
etc.
--
Regards
04-17-2013 06:24 AM
Hi,
Any ASA interface holds only a single IP address.
Rest of the IP addresses from that same network can only exist as IP address used in the NAT configurations.
- Jouni
04-17-2013 06:44 AM
Jouni,
maybe you could help me with one more issue.
If it is not possible to make ASA reply for ICMP echo requests for NAT addresses, maybe I could use static NAT and forward ICMP to the server in DMZ. I've tried to do the following:
==
nat (outside,dmz) source static any any destination static HOST_EXT HOST_DMZ service ICMPv4 ICMPv4 unidirectional no-proxy-arp
==
But I got:
ERROR: real service object includes protocol that doesnt match TCP or UDP.
So it is not possible to forward ICMP?
04-17-2013 06:59 AM
Hi,
The configuration is failing because the NAT configuration only supports TCP and UDP ports when mapping services.
Just to clarify a bit on the NAT and ICMP. ASA itself will only reply to ICMP destined for its interface IP addresses. With regards to pinging a NAT address then the NAT has to be a Static NAT. And in that case naturally the device answering the ICMP Echo will be the actual device owning that NAT IP address and not the ASA.
If you want to configure a Static NAT for some host behind your ASA I would suggest the following NAT configurations
object network STATIC
 host <real IP of the internal host>
 nat (inside,outside) static <mapped public IP>
access-list OUTSIDE-IN permit icmp any object STATIC echo
access-group OUTSIDE-IN in interface outside
There is a possibility that other NAT configurations might override the above configuration. I would have to see the NAT configuration or a "packet-tracer" command output to confirm if the NAT rule is hit.
I recently made an 8.3+ NAT configuration document on the forums. Have a look:
https://supportforums.cisco.com/docs/DOC-31116
- Jouni
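The following ASA 8.4 configuration fragment is an added example and is not from the thread or from Jouni's document. It puts the two points of the thread side by side: a dynamic PAT address (2.2.2.2, as in the original question) that the ASA cannot answer pings for, and an object static NAT for a single internal host that is reachable by ICMP because the internal host, not the ASA, answers. The internal host 1.1.1.10, the mapped address 2.2.2.3, the object and ACL names, and the probe source 203.0.113.10 are assumptions chosen for illustration; only 1.1.1.0/24, 2.2.2.1 and 2.2.2.2 come from the thread.

```cisco
! Added example, not the poster's or Jouni's configuration.
! Interfaces as described in the thread: inside 1.1.1.1/24, outside 2.2.2.1/24.

! 1) Dynamic PAT for the whole inside network, mapped to 2.2.2.2 (from the thread).
!    Many hosts share 2.2.2.2, so an inbound echo-request to 2.2.2.2 matches no
!    existing translation and is dropped even with "permit icmp any any".
object network INSIDE_NET
 subnet 1.1.1.0 255.255.255.0
 nat (inside,outside) dynamic 2.2.2.2

! 2) Static NAT for one host (host 1.1.1.10 and mapped IP 2.2.2.3 are assumed).
!    Object static NAT maps all protocols, so ICMP needs no "service" keyword;
!    the "service" option in twice NAT is TCP/UDP only, which is the error seen
!    in the thread.
object network STATIC_HOST
 host 1.1.1.10
 nat (inside,outside) static 2.2.2.3

! 3) Permit only echo-requests from outside to the static host, rather than
!    "permit icmp any any". The internal host will answer the ping.
access-list OUTSIDE-IN extended permit icmp any object STATIC_HOST echo
access-group OUTSIDE-IN in interface outside

! 4) "arp permit-nonconnected" is only needed when the mapped addresses are in
!    a secondary range that is NOT on the outside interface subnet and the ISP
!    has that range configured on its router interface. 2.2.2.2 and 2.2.2.3 sit
!    on the outside subnet 2.2.2.0/24, so it is not required here.

! Checks (run from privileged EXEC; 203.0.113.10 is an assumed outside source):
! show nat detail
!   - confirms the order of NAT rules and which rule each address belongs to.
! packet-tracer input outside icmp 203.0.113.10 8 0 2.2.2.3
!   - expected result ALLOW, with the NAT phase untranslating 2.2.2.3 to 1.1.1.10.
! packet-tracer input outside icmp 203.0.113.10 8 0 2.2.2.2
!   - expected result DROP, because no static translation exists for the PAT address.
```

The ordering matters: object (auto) NAT places static rules before dynamic ones within its section, so the static host is matched before the PAT rule even though both use the same interface pair. If another manual (twice) NAT rule already covers 1.1.1.0/24 in section 1, it will win over the object NAT above, which is the override Jouni mentions; the `packet-tracer` output shows which rule was actually hit.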
04-17-2013 07:11 AM
Jouni,
I get it now, thanks.