12-06-2012 11:54 AM - edited 03-11-2019 05:34 PM
Hey all,
We have an ASA 5520 with multiple public IP addresses. I am using one with a one-to-one NAT translation and an access-list that is allowing ip any on that public IP address. The device sitting behind the firewall is a server listening on 443 and is pingable internally. My issue is that when I try to access it from outside, I can reach its web interface on 443 just fine but cannot ping it externally.
I've also got the following listed.
access-list Outside_Access_In remark Access-List Controlling Public Traffic Into Network
access-list Outside_Access_In permit icmp any any
access-list Outside_Access_In permit icmp any any echo
access-list Outside_Access_In permit icmp any any echo-reply
access-list Outside_Access_In permit icmp any any source-quench
access-list Outside_Access_In permit icmp any any time-exceeded
access-list Outside_Access_In permit icmp any any unreachable
icmp permit 192.168.1.0 255.255.255.0 echo outside
icmp permit any outside
access-group Outside_Access_In in interface outside
12-06-2012 12:00 PM
Christie,
Could you please share the NAT you are using for this server? In most cases, problems like this are related to the default gateway on the internal server. If the ping comes from an external IP, the server/PC does not know how to respond, or responds to another device, and the packet is lost. Make sure the server has a default gateway and make sure it is configured correctly.
The only reason I can think of on the ASA is that you are using port forwarding instead of one-to-one translation.
Regards,
Juan Lombana
Please rate helpful posts.
12-06-2012 11:57 AM
Hi,
Have you enabled ICMP inspection?
It should automatically enable the echo reply to come through.
Have you confirmed that the "icmp/echo" ACL rule has its "hitcnt" increased when looking with the "show access-list" command?
It can be configured on the CLI with the following:
policy-map global_policy
 class inspection_default
  inspect icmp
The "icmp permit" commands are used to allow ICMP directly to the interface. It doesn't affect actual ICMP going through the firewall.
- Jouni
12-06-2012 12:09 PM
I added the inspect icmp but no luck there. I checked the hitcnt and it is showing 0 for the icmp echo-reply and echo.
Here are the statements with IP addresses changed for security.
access-list outside_access_in extended permit ip any host 111.111.111.111
access-group outside_access_in in interface outside
static (inside,outside) 111.111.111.111 192.168.1.10 netmask 255.255.255.255
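As an added example (not from the thread, and not Cisco code), here is a small Python evaluator that parses the access-list and access-group lines quoted in this thread under simplified ASA semantics and reports which ACL is actually bound to the outside interface and whose hitcnt moves when an ICMP echo arrives. It assumes, as on a real ASA, that ACL names are case-sensitive (so Outside_Access_In and outside_access_in are two different lists), that only one access-group can be bound per interface and direction and a later access-group replaces the earlier binding, and that "permit ip" also matches ICMP. NAT is not modelled: the ACL is checked against the public address as written, which is the pre-8.3 static NAT model used in the thread. The source address 203.0.113.5 is a constructed documentation address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two differently-cased ACLs and both bindings from the thread.
CONFIG = """\
access-list Outside_Access_In remark Access-List Controlling Public Traffic Into Network
access-list Outside_Access_In permit icmp any any echo
access-list Outside_Access_In permit icmp any any echo-reply
access-group Outside_Access_In in interface outside
access-list outside_access_in extended permit ip any host 111.111.111.111
access-group outside_access_in in interface outside
"""


@dataclass
class Ace:
    """One access-control entry with its hit counter, like a 'show access-list' line."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[str]
    hitcnt: int = 0


def parse_addr(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_config(text):
    """Build {acl name: [Ace]} and {(interface, direction): acl name} from config lines."""
    acls = {}       # names are case-sensitive, as on the ASA (assumption stated in the lead-in)
    bindings = {}   # one binding per interface/direction; a later access-group replaces it
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            name, body = t[1], t[2:]
            if body[0] == "remark":
                acls.setdefault(name, [])   # a remark creates no ACE
                continue
            if body[0] == "extended":
                body = body[1:]
            action, proto = body[0], body[1]
            src, i = parse_addr(body, 2)
            dst, i = parse_addr(body, i)
            icmp_type = body[i] if proto == "icmp" and i < len(body) else None
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, icmp_type))
        elif t[0] == "access-group":
            # access-group NAME in|out interface IFACE
            bindings[(t[4], t[2])] = t[1]
    return acls, bindings


def evaluate(acls, bindings, iface, direction, proto, src, dst, icmp_type=None):
    """Return 'permit' or 'deny' for one packet and bump hitcnt on the first matching ACE.

    Only the ACL bound to (iface, direction) is consulted; anything else is never hit.
    No match means the implicit deny at the end of the list.
    """
    name = bindings.get((iface, direction))
    for ace in acls.get(name, []):
        if ace.proto not in ("ip", proto):          # 'permit ip' covers every protocol
            continue
        if ipaddress.ip_address(src) not in ace.src:
            continue
        if ipaddress.ip_address(dst) not in ace.dst:
            continue
        if ace.proto == "icmp" and ace.icmp_type and ace.icmp_type != icmp_type:
            continue
        ace.hitcnt += 1
        return ace.action
    return "deny"


def show_access_list(acls):
    """Summarise each ACE as (text, hitcnt), roughly like 'show access-list' output."""
    return {
        name: [(f"{a.action} {a.proto}" + (f" {a.icmp_type}" if a.icmp_type else ""), a.hitcnt)
               for a in aces]
        for name, aces in acls.items()
    }


if __name__ == "__main__":
    acls, bindings = parse_config(CONFIG)
    print("bound on outside/in:", bindings[("outside", "in")])
    verdict = evaluate(acls, bindings, "outside", "in", "icmp",
                       "203.0.113.5", "111.111.111.111", "echo")
    print("inbound echo verdict:", verdict)
    for name, rows in show_access_list(acls).items():
        for text, hits in rows:
            print(f"{name}: {text} (hitcnt={hits})")
```

The point for troubleshooting is that a hitcnt of 0 on the "permit icmp any any echo" lines does not by itself mean ICMP is being dropped: if the access-group actually bound to the interface is a different list, those lines are never evaluated, while the bound list's "permit ip any host" entry is what passes (and counts) the echo. Checking the binding with "show access-group" before reading hitcnt values from "show access-list" avoids that misreading.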
12-06-2012 12:57 PM
Deleted one of my replies as it had been marked as the correct answer (even though it wasn't).