How to allow ICMP on Public IP which has been used for NAT on ASA 5505

Vikrant Ambhore
Level 1

Hello Friends,


We have configured multiple public IPs on the ASA, but there are not multiple addresses on an interface; my scenario is solved with NAT.
For each node/port combination you configure an object and define the NAT settings (which are port forwarding). My question is: I want to allow ICMP
on XX.XX.XX.32, XX.XX.XX.33, XX.XX.XX.34, XX.XX.XX.35.
Please suggest how to do it.


interface Vlan1
 nameif outside
 security-level 0
 ip address XX.XX.XX.31 255.255.255.0
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa825-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group COLODNS
 name-server 127.0.0.1
 name-server 8.8.8.8
 name-server 192.168.1.1
 name-server 206.183.111.1
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list global_access extended permit ip any any
access-list inside_access extended permit ip any any
access-list inside_access extended deny ip any any inactive
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any eq ssh
pager lines 24
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp XX.XX.XX.32 www 192.168.1.5 www netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.33 www 192.168.1.5 8080 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.34 www 192.168.1.5 7070 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.32 8983 192.168.1.5 8983 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.34 9983 192.168.1.5 9983 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.34 10222 192.168.1.5 ssh netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.35 www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.36 www 192.168.1.2 8080 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.35 85 192.168.1.2 85 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.35 10389 192.168.1.2 3389 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.37 www 192.168.1.3 www netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.37 8080 192.168.1.3 8080 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.37 10222 192.168.1.3 ssh netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.37 9983 192.168.1.3 9983 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.37 8983 192.168.1.3 8983 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.38 www 192.168.1.3 7070 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.1 1

1 Reply

Vibhor Amrodia
Cisco Employee

Hi,

You would not be able to allow ICMP traffic using the Port Forward NAT statements.

You need a static one-to-one NAT for it to work.

Thanks and Regards,

Vibhor Amrodia
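
As an added example (not part of either post and not Cisco code): a small Python audit that reads `static` lines in the syntax shown in the question and reports, for each public IP, whether it has only port-forward entries or a one-to-one static, which is the distinction the reply draws. The sample config and the 203.0.113.x addresses are constructed stand-ins for the masked XX.XX.XX.x values, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the ASA "static" syntax used in the question;
# 203.0.113.x (documentation range) stands in for the masked XX.XX.XX.x.
SAMPLE_CONFIG = """\
static (inside,outside) tcp 203.0.113.32 www 192.168.1.5 www netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.33 www 192.168.1.5 8080 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.35 10389 192.168.1.2 3389 netmask 255.255.255.255
static (inside,outside) 203.0.113.40 192.168.1.9 netmask 255.255.255.255
"""

# Port forward: static (real_if,mapped_if) tcp|udp MAPPED_IP PORT REAL_IP PORT
PAT_RE = re.compile(r"^static \(\S+?,\S+?\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
# One-to-one: static (real_if,mapped_if) MAPPED_IP REAL_IP
ONE_TO_ONE_RE = re.compile(
    r"^static \(\S+?,\S+?\) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")


def classify_statics(config):
    """Return {mapped_ip: {"kind": str, "real": set, "ports": list}}."""
    table = defaultdict(lambda: {"kind": None, "real": set(), "ports": []})
    for line in config.splitlines():
        line = line.strip()
        m = PAT_RE.match(line)
        if m:
            proto, mapped, mport, real, rport = m.groups()
            entry = table[mapped]
            # A one-to-one entry for the same IP, if present, takes precedence.
            entry["kind"] = entry["kind"] or "port-forward"
            entry["real"].add(real)
            entry["ports"].append(f"{proto}/{mport}->{real}:{rport}")
            continue
        m = ONE_TO_ONE_RE.match(line)
        if m:
            mapped, real = m.groups()
            table[mapped]["kind"] = "one-to-one"
            table[mapped]["real"].add(real)
    return dict(table)


def icmp_report(config, public_ips):
    """Map each public IP to 'one-to-one', 'port-forward' or 'no-static'."""
    table = classify_statics(config)
    return {ip: table.get(ip, {"kind": "no-static"})["kind"] for ip in public_ips}


if __name__ == "__main__":
    wanted = ["203.0.113.32", "203.0.113.33", "203.0.113.35", "203.0.113.40"]
    for ip, kind in icmp_report(SAMPLE_CONFIG, wanted).items():
        print(f"{ip:15} {kind}")
```

Addresses reported as `port-forward` are the ones the reply says cannot pass ICMP with the existing statements.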
