1478 Views | 0 Helpful | 4 Replies

ASA5520 - Can't ping out to in with NAT translation

Hey all,

We have an ASA 5520 with multiple public IP addresses. I am using one with a one-to-one NAT translation and an access-list that is allowing ip any on that public IP address. The device sitting behind the firewall is a server listening on 443 and is pingable internally. My issue is that I am trying to access it from outside: I can access its web interface on 443 just fine but cannot ping it externally.

I've also got the following listed.

access-list Outside_Access_In remark Access-List Controlling Public Traffic Into Network
access-list Outside_Access_In permit icmp any any
access-list Outside_Access_In permit icmp any any echo
access-list Outside_Access_In permit icmp any any echo-reply
access-list Outside_Access_In permit icmp any any source-quench
access-list Outside_Access_In permit icmp any any time-exceeded
access-list Outside_Access_In permit icmp any any unreachable

icmp permit 192.168.1.0 255.255.255.0 echo outside
icmp permit any outside

access-group Outside_Access_In in interface outside

Accepted Solution

julomban
Level 3

Christie,

Could you please share the NAT you are using for this server? In most cases, problems like this are related to the default gateway on the internal server. If the ping comes from an external IP, the server/PC does not know how to respond, or responds to another device and the packet is lost. Make sure the server has a default gateway and make sure it is configured correctly.

The only reason I can think of on the ASA is that you are using port forwarding instead of one to one translation.

Regards,

Juan Lombana

Please rate helpful posts.


4 Replies

Jouni Forss
VIP Alumni

Hi,

Have you enabled ICMP Inspection?

It should automatically enable the echo reply to come through.

Have you confirmed that the "icmp/echo" ACL rule has its "hitcnt" increased when looking at the output of the "show access-list" command?

It can be configured on the CLI with the following:

policy-map global_policy
class inspection_default
  inspect icmp

The "icmp permit" commands are used to allow ICMP directly to the interface. They don't affect actual ICMP going through the firewall.

- Jouni


I added the inspect icmp but no luck there. I checked the hitcnt and it is showing 0 for the icmp echo-reply and echo.

Here are the statements with IP addresses changed for security.

access-list outside_access_in extended permit ip any host 111.111.111.111
access-group outside_access_in in interface outside
static (inside,outside) 111.111.111.111 192.168.1.10 netmask 255.255.255.255

Deleted one of my replies as it had been marked as the correct answer (even though it wasn't).
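Juan's accepted answer turns on whether the translation is a true one-to-one static or a port forward, because a port-forward static only translates its own protocol and port, so 443 works while a ping to the public address is never mapped to the inside host. The following is an added example, not from the thread or from Cisco, that classifies ASA 8.2-style "static" lines on exactly that point. The one-to-one line is the poster's own statement with the thread's placeholder addresses; the port-forward line is constructed for comparison, and the syntax assumed for it is the 8.2 form `static (inside,outside) tcp MAPPED_IP PORT REAL_IP PORT netmask MASK`.

```python
import re

# Constructed ASA 8.2-style "static" lines for the demonstration. The first copies
# the original poster's statement (with the placeholder addresses used in the
# thread); the second is a made-up port-forward of the same host for comparison.
ONE_TO_ONE = "static (inside,outside) 111.111.111.111 192.168.1.10 netmask 255.255.255.255"
PORT_FORWARD = "static (inside,outside) tcp 111.111.111.111 443 192.168.1.10 443 netmask 255.255.255.255"

# static (real_if,mapped_if) <tcp|udp> <mapped_ip> <mapped_port> <real_ip> <real_port> netmask <mask>
STATIC_PAT_RE = re.compile(
    r"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped>\S+) (?P<mapped_port>\S+) (?P<real>\S+) (?P<real_port>\S+) "
    r"netmask (?P<mask>\S+)"
)
# static (real_if,mapped_if) <mapped_ip> <real_ip> netmask <mask>
STATIC_1TO1_RE = re.compile(
    r"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)"
)


def classify_static(line):
    """Describe a static NAT statement: one-to-one, port-forward, or None if unrecognised."""
    line = line.strip()
    m = STATIC_PAT_RE.match(line)  # try the longer port-forward form first
    if m:
        return {
            "kind": "port-forward",
            "proto": m["proto"],
            "mapped": m["mapped"], "mapped_port": m["mapped_port"],
            "real": m["real"], "real_port": m["real_port"],
        }
    m = STATIC_1TO1_RE.match(line)
    if m:
        return {"kind": "one-to-one", "mapped": m["mapped"],
                "real": m["real"], "mask": m["mask"]}
    return None


def reaches_real_host(line, proto, dst_port=None):
    """Would inbound traffic of this protocol to the mapped address be translated to the real host?

    A one-to-one static covers every protocol, ICMP included. A port-forward
    static only covers its own protocol and mapped port, so ICMP echo to the
    public address is left untranslated even though the forwarded port works.
    """
    info = classify_static(line)
    if info is None:
        return False
    if info["kind"] == "one-to-one":
        return True
    return proto == info["proto"] and str(dst_port) == info["mapped_port"]


if __name__ == "__main__":
    for label, stmt in (("one-to-one", ONE_TO_ONE), ("port-forward", PORT_FORWARD)):
        print(f"{label}: tcp/443 -> {reaches_real_host(stmt, 'tcp', 443)}, "
              f"icmp -> {reaches_real_host(stmt, 'icmp')}")
```

Against the poster's statement the function reports that ICMP is translated, which is consistent with Jouni's observation that the echo ACE never gets a hit: with the translation and ACL both in order, the remaining suspect is the path back from the server, which is the default-gateway point Juan raises.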
