can't ping ASA's outside interface from outside

Dr.Dugong
Level 1

Hi, I have an ASA5510 running ASA version 9.1(6) and need to be able to ping it from the internet.  I've made these changes using ASDM (version 7.6(2)):

in Firewall > Service Policy Rules > inspection_default > Rule Actions, I enabled “ICMP”

in Firewall > Access Rules, I added a rule allowing ICMP for the outside interface with the source as the remote computer's public IP address, which we'll say is "X.X.X.X".

 

I still can't ping the ASA from X.X.X.X.  When I run the command

packet-tracer input outside icmp X.X.X.X 8 0 Y.Y.Y.4 detailed

(Y.Y.Y.4 being the ASA's outside interface), I get the response:

Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate

11 Replies

balaji.bandi
Hall of Fame

If you have tried

 

icmp permit any outside

 

and it is still not working and your packet tracer shows the same error, you may have hit a bug; have a look at

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCun81982

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCun95075

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks for the response.  I still get the same error after trying that.  I'll try upgrading to 9.1.7.  In case I've set up something wrong, below are the relevant lines in the configuration.  Do you see anything wrong?

 

object network obj_any
 subnet 0.0.0.0 0.0.0.0

 

object network obj_any
 nat (inside,outside) dynamic Y.Y.Y.4

 

access-list acl-outside-in extended permit icmp host X.X.X.X host Y.Y.Y.4

 

icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside

 

policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp

Ok, I've upgraded to ASA version 9.1(7)7, and I still get the same error.

Have you done a packet capture to see if a) the echo requests are arriving at the ASA and b) if the ASA is attempting to send the response?

 

Also, can you ping from the ASA to the device you are trying to ping the ASA from?

The packet capture shows the echo request arriving, but doesn't show any attempt to respond.  I just get:

X.X.X.X > Y.Y.Y.4: icmp: echo request

 

And I can successfully ping from the ASA to X.X.X.X (my home computer).

 

can you post full configuration to review.

 

BB


Yeah, doesn’t make a lot of sense. I wonder if there is some NAT configuration that’s causing a problem? Can you post the configuration?

I'm afraid that if I post the entire configuration, I'll miss some identifiable info in it.

I realized, though, that the IP assigned to the outside interface ends in .1, not .4

 

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address Y.Y.Y.1 255.255.255.240

I had assumed it was .4, since outside devices see the ASA at Y.Y.Y.4, including a credit card company that is trying to do a security vulnerability scan, which is why I'm doing this.  If I go to any website that shows my public IP, it's the Y.Y.Y.4 one.

I am able to successfully ping Y.Y.Y.1, so hopefully the credit card PCI compliance company will accept that address.  If they insist on scanning Y.Y.Y.4, then I'll still have to figure out how to ping that address.  Here are my NAT rules:

object network obj-192.168.1.9
 nat (inside,outside) static Y.Y.Y.2
object network obj-192.168.1.13
 nat (inside,outside) static Y.Y.Y.3
object network TS-SERVER
 nat (inside,outside) static Y.Y.Y.7
object network obj-192.168.1.12
 nat (inside,outside) static Y.Y.Y.5
object network obj-192.168.1.193
 nat (inside,outside) static Y.Y.Y.6
object network obj_any
 nat (inside,outside) dynamic Y.Y.Y.4
object network pserver
 nat (inside,outside) static Y.Y.Y.8
object network SNVR
 nat (any,any) static Y.Y.Y.9
object network obj-192.168.120.101
 nat (inside,outside) static Y.Y.Y.11

 

If the address they need to ping is an address that’s being translated, you’ll need to then a) allow echo request to that address in the ACL b) static NAT instead of PAT the .4 address to something internal. This should help:

https://community.cisco.com/t5/security-documents/asa-5505-9-1-2-icmp-issue/ta-p/3146890
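As an added illustration of the two directions this reply points at (pinging the interface address itself versus making the PAT address answer), here is an ASA 9.x configuration sketch. It is not part of any post in this thread. It reuses the thread's placeholders X.X.X.X (remote host), Y.Y.Y.1 (outside interface) and Y.Y.Y.4 (PAT address); the internal host 192.168.1.50, its object name, and the choice to move the outbound PAT onto the interface address are assumptions made for the example.

```cisco
! Added example; not from any reply in this thread.
! X.X.X.X, Y.Y.Y.1 and Y.Y.Y.4 are the thread's placeholders.
! 192.168.1.50 and obj-192.168.1.50 are assumed for illustration.

! --- As posted: outbound PAT to .4, which is not the interface address (.1) ---
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic Y.Y.Y.4
! packet-tracer input outside icmp X.X.X.X 8 0 Y.Y.Y.4 detailed
!   -> Drop-reason: (nat-no-xlate-to-pat-pool)
! The ASA does not answer echo requests sent to a PAT pool address;
! "icmp permit" only covers traffic to the ASA's own interface IPs.

! --- Option A: PAT to the interface address and let the ASA answer pings to it ---
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
! To-the-box ICMP is controlled by "icmp permit", not by the interface ACL.
icmp permit host X.X.X.X echo outside
! Outbound traffic now appears to the internet as Y.Y.Y.1, the same address
! that answers the ping.

! --- Option B: keep .4 reachable by mapping it one-to-one to an inside host ---
! Assumption: .4 has first been freed from the dynamic PAT (Option A above),
! since one address should not be both a dynamic PAT pool and a static mapping.
object network obj-192.168.1.50
 host 192.168.1.50
 nat (inside,outside) static Y.Y.Y.4
! Through-the-box ICMP to a NAT address is governed by the interface ACL
! (acl-outside-in is the name used in the thread).
access-list acl-outside-in extended permit icmp host X.X.X.X host Y.Y.Y.4 echo
access-group acl-outside-in in interface outside
! The echo reply is generated by 192.168.1.50 through the xlate, not by the
! ASA, so that host must be willing to answer ICMP and is what a scanner
! sees behind .4.

! --- Verification ---
packet-tracer input outside icmp X.X.X.X 8 0 Y.Y.Y.4 detailed
show nat detail
capture cap interface outside match icmp host X.X.X.X host Y.Y.Y.4
show capture cap
```

The packet-tracer line should now end in an ALLOW result rather than the nat-no-xlate-to-pat-pool drop, and the capture should show both the echo request and the echo reply; a request with no reply in the capture, as in the thread, is what to expect while .4 is still only a dynamic PAT address.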

So, it sounds like it's not going to be possible to ping a PAT external IP address, correct?  But I need PAT for computers on the internal network to access the internet.  So if this is the case, I guess I'll hope the credit card compliance company will be ok with an IP that has a static NAT to one of our servers.

 

Why is it that a cheap, basic router, a Linksys for example, does PAT, and you can enable an option to be able to ping its external IP, the same IP that's doing the PAT?

Maybe this is what is hitting:

 

object network obj_any
 nat (inside,outside) dynamic Y.Y.Y.4

That is the reason you see public .4 rather than .1.

 

It may be worth your while to understand the network, since you are the one who manages it day to day; we can only give advice here.

 

BB
