ASA 5510 / PAT / ICMP echo outgoing IP

pronin_sergey
Level 1

Hello guys,

I have ASA 5510 with soft version 8.4(5) installed.

There are two interfaces:

IP 1.1.1.1/24 - inside

IP 2.2.2.1/24 - outside

I have configured PAT, so network 1.1.1.0/24 gets NATted to 2.2.2.2 address. Everything works fine, except I can't reach 2.2.2.2 via ICMP from the internet.

X.X.X.X 2.2.2.2 Deny inbound icmp src OUTSIDE:X.X.X.X dst OUTSIDE:2.2.2.2 (type 8, code 0)

But I have configured an access list allowing ICMP from any to any:

access-list outside_access_in extended permit icmp any any 

Thus address 2.2.2.1, which is bound to the outside interface itself, is perfectly reachable via ICMP.

I've got two questions:

1) Is there a way to fix it? It will be handy for diagnostic purposes.

2) Is it possible to configure a secondary IP address on an interface on the ASA? I've read that there are some complications.

--

Regards


Jouni Forss
VIP Alumni

Hi,

If you are talking about Dynamic PAT then you can't ping that IP address. This is because the public IP address is shared by all the defined hosts on the internal network and therefore the ASA doesn't really have anywhere to forward the ICMP Echo.

The "outside" interface will naturally answer to ICMP as the IP address is configured directly on the interface.

Also you can use a secondary address range on the ASA as NAT IP addresses. Though you don't configure those addresses under the interface. You only configure them with the NAT configurations.

In your software you will also have to issue the global configuration "arp permit-nonconnected" to use the secondary address range if the ISP has configured that address range directly in their upstream router interface along with the existing primary address range. If that secondary IP address range is routed from the upstream router directly towards the ASA interface IP address then you WON'T need the "arp permit-nonconnected" command/configuration.

- Jouni

Hello Jouni,

thank you.

Yeah, I've read about secondary range, but I'm talking about secondary IP address from the same range. Like on Cisco Routers:

ip address 2.2.2.1 255.255.255.0

ip address 2.2.2.2 255.255.255.255 secondary

etc.

--

Regards

Hi,

Any ASA interface holds only a single IP address.

Rest of the IP addresses from that same network can only exist as IP address used in the NAT configurations.

- Jouni

Jouni,

maybe you could help me with one more issue.

If it is not possible to make ASA reply for ICMP echo requests for NAT addresses, maybe I could use static NAT and forward ICMP to the server in DMZ. I've tried to do the following:

==

nat (outside,dmz) source static any any destination static HOST_EXT HOST_DMZ service ICMPv4 ICMPv4 unidirectional no-proxy-arp

==

But I got:

ERROR: real service object includes protocol that doesnt match TCP or UDP.

So it is not possible to forward ICMP?

Hi,

The configuration is failing because the NAT configuration only supports TCP and UDP ports when mapping services.

Just to clarify a bit on the NAT and ICMP. ASA itself will only reply to ICMP destined for its interface IP addresses. With regards to pinging a NAT address then the NAT has to be a Static NAT. And in that case naturally the device answering the ICMP Echo will be the actual device owning that NAT IP address and not the ASA.

If you want to configure a Static NAT for some host behind your ASA I would suggest the following NAT configurations:

object network STATIC

host

nat (inside,outside) static

access-list OUTSIDE-IN permit icmp any object STATIC echo

access-group OUTSIDE-IN in interface outside

There is a possibility that other NAT configurations might override the above configuration. I would have to see the NAT configuration or a "packet-tracer" command output to confirm if the NAT rule is hit.

I recently made an 8.3+ NAT configuration document on the forums. Have a look:

https://supportforums.cisco.com/docs/DOC-31116

- Jouni
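A complete version of the static NAT approach described in the reply above, written as an added example and not taken from the thread. It assumes a DMZ host 10.10.10.10 and a free address 2.2.2.3 from the outside /24 (both constructed); the dynamic PAT address 2.2.2.2 is left untouched, the inbound ACL permits only ICMP echo to the real host, and the packet-tracer line is the check for which NAT rule is actually hit. The ACL and NAT syntax is ASA 8.3+ style, as in the reply.

```text
! Added example, not the thread's configuration.
! Constructed values: DMZ host 10.10.10.10, mapped outside address 2.2.2.3.
! The object name HOST_DMZ is reused from the earlier post.
object network HOST_DMZ
 host 10.10.10.10
 nat (dmz,outside) static 2.2.2.3
!
! No "service" keyword: ICMP cannot be mapped as a service in NAT,
! so the whole address is translated 1:1 and the ACL limits what gets in.
access-list OUTSIDE-IN extended permit icmp any object HOST_DMZ echo
access-group OUTSIDE-IN in interface outside
!
! Verification: simulate an echo request (type 8, code 0) from a constructed
! outside source and confirm the static rule, not the dynamic PAT, is matched.
packet-tracer input outside icmp 198.51.100.7 8 0 2.2.2.3
show nat detail
```

The host in the DMZ, not the ASA, answers the echo; because 2.2.2.3 is in the outside interface's own subnet, no "arp permit-nonconnected" is required.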

Jouni,

I get it now, thanks.
