Cisco ASA 5506 multiple outside IP's allow ping

Philip Curwen
Level 1

Hi all, I have a /28 subnet and have configured a couple public IPs with NAT for various services. The outside interface has a main IP address configured and I create NAT and access-lists for other public IPs in my subnet. All is working in that respect. I allow ping for testing purposes to the main public IP on the outside interface with:

access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any echo

And apply that to the outside interface. Ping however does not happen on my other public IPs in my subnet. How can I allow this?

Cheers

3 Replies

Maykol Rojas
Cisco Employee

Hello; 

This should work. Are you able to ping the real IP from the ASA firewall itself? Can you do a packet tracer using the CLI and paste it over here?

Mike. 

Mike

I can ping the real IP from the ASA but not the second one.

Real IP: A.A.A.A.A

Second IP: B.B.B.B

A.A.A.A.A

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Result:
input-interface: inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

B.B.B.B.B

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop B.B.B.B.B using egress ifc outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Do the services work on all the servers you have configured in your DMZ?

It looks like your NAT isn't properly configured and your ASA is responding to pings, not the device which you should be NATing to. If your NAT is properly configured then remember you'll need a route on to your internal services on your ASA.
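A worked configuration for the situation the question and the last reply describe, added here as an example and not taken from any post in the thread: one secondary public IP in the /28 is mapped to an inside host with static NAT, and ICMP echo is permitted to that host's real address. The interface names, the object name SRV-DMZ, and the 198.51.100.0/28, 10.10.10.0/24 and 203.0.113.10 addresses are assumed placeholders standing in for the thread's A.A.A.A and B.B.B.B (ASA 8.3+ NAT syntax).

```cisco
! Inside host that should answer ping on the second public IP.
! All addresses and names below are placeholders, not from the thread.
object network SRV-DMZ
 host 10.10.10.20
 ! Static one-to-one NAT: the thread's B.B.B.B is 198.51.100.4 here.
 ! With static NAT the ASA proxy-ARPs for the mapped address on the
 ! outside segment, so the upstream router can reach it without a route.
 nat (inside,outside) static 198.51.100.4
!
! On 8.3+ the interface ACL matches the real (untranslated) address,
! so reference the object, not the public IP. Limiting echo to the
! object is tighter than the thread's "permit icmp any any echo".
access-list OUTSIDE_IN extended permit icmp any object SRV-DMZ echo
access-group OUTSIDE_IN in interface outside
!
! Ping to the ASA's own outside address (the thread's A.A.A.A) is
! "to-the-box" traffic: it is governed by the "icmp" command, not by
! the interface ACL, which only applies to traffic passing through.
icmp permit any echo outside
!
! ICMP inspection makes ICMP stateful, so replies to pings started by
! inside hosts return without a separate echo-reply entry in the ACL.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification from the outside side, so the trace covers untranslation:
!   packet-tracer input outside icmp 203.0.113.10 8 0 198.51.100.4
! A working mapping shows a UN-NAT phase (198.51.100.4 -> 10.10.10.20)
! and ends with "Action: allow". The B.B.B.B trace in the thread was run
! with input-interface inside, which exercises a different path.
```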
