ICMP echo NAT from internet to inside for Web server on ASA 8.3+

will (Level 3)

This _should_ be the most common NAT configuration on the planet, so no obscure goings-on! Very simple: web server on inside interface with a private IP. Need to serve up Web requests to internet. Second WAN IP on outside interface, used for NAT-ing up Internet Web requests to inside server. Here is a simple diagram - in the rare case that I haven't made it clear that this should be _the_ most supported NAT configuration on the planet (well maybe second-most after dynamic PAT outbound :) !!

any internet->WANIP2->ASA->WEBLANIP->80 and ICMP Echo (yes i want internet to be able to ping web server)

SIDE-NOTE: I gave up using ASA object-embedded NAT in 8.3+ and higher. Maybe a bad choice but so far, I _really_ like not seeing NAT in the object configurations. This was a bad detour IMO for ASA development. So how I do NAT:

1. define all my objects (with no NAT stuff embedded onto them). These are network and service objects.
2. Go to ASDM Firewall | NAT | GUI and start configuring the NATs there.

This kind of emulates 8.2 ASA NAT and simply seems more intuitive. I use the pretty ASDM GUI to define all the parameters and then let ASDM "poop" out the one-liner NAT configuration. In the case of web server, here it is:

nat (INTERNET,INSIDE) source static any any destination static <WANIP2> <WEBLANIP> service soNAT_HTTP soNAT_HTTP unidirectional no-proxy-arp

NOTE: This seems to work well, and BTW... soNAT_HTTP = TCP 80 NAT service object

So here is the dilemma! How do I make the web server respond to Internet ICMP echo requests via NAT-ing?
I use the ASDM to "poop" out the nice one-liner, but then ASA chokes and dies when it tries to write it!

[ERROR] nat (INTERNET,INSIDE) 10 source static any any destination static <WANIP2> <WEBLANIP> service soNAT_ICMP_ECHO soNAT_ICMP_ECHO unidirectional no-proxy-arp

"real service object includes protocol that doesnt match TCP or UDP." <-this is the ASA error

Anyone please advise!?!?!?

I sure hope this isn't the answer!: http://ieoc.com/forums/t/24765.aspx

thx in advance!

Will

1 Accepted Solution

Accepted Solutions

Vibhor Amrodia (Cisco Employee)

Hi,

Simple answer to your query:

Static PAT will not support ICMP on the ASA device.

You have to use Static NAT (aka one-to-one NAT) for enabling the ping requests to and from this server.

Also, have you tried this way of configuring the NAT for the Public Server on the ASA using the ASDM? You would find this much easier I guess.

Thanks and Regards,

Vibhor Amrodia

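Worked configuration of the one-to-one static NAT the accepted answer recommends, as an added example that is not from the thread or from Cisco. The interface names INTERNET and INSIDE come from the original post; the IP addresses are constructed (RFC 5737 documentation range on the public side) and the object and ACL names are assumed. The security point it shows: a one-to-one static NAT translates every protocol and port, not just TCP/80, so the inbound interface ACL is what limits what the server actually exposes.

```text
! Constructed addresses; replace with the real WEBLANIP / WANIP2
object network WEBLANIP
 host 10.1.1.80
object network WANIP2
 host 203.0.113.2

! One-to-one static NAT written in the twice-NAT form (no NAT embedded
! in the object). Unlike the service-scoped static PAT in the question,
! this carries ICMP as well as TCP/UDP. Proxy ARP is left on so the ASA
! answers ARP for WANIP2 on the INTERNET segment.
nat (INSIDE,INTERNET) source static WEBLANIP WANIP2

! Since 8.3 the inbound ACL matches the REAL (inside) address.
! Permit only what the server should expose: HTTP and ICMP echo.
access-list INTERNET_IN extended permit tcp any object WEBLANIP eq www
access-list INTERNET_IN extended permit icmp any object WEBLANIP echo
access-group INTERNET_IN in interface INTERNET

! Track echo request/reply as a stateful flow instead of needing a
! separate ACL entry for the replies.
policy-map global_policy
 class inspection_default
  inspect icmp
```

To verify the translation and ACL before exposing the host, `show nat detail` lists the rule and its hit counts, and `packet-tracer input INTERNET icmp 198.51.100.5 8 0 203.0.113.2` (constructed source address) walks an inbound echo request through NAT and the ACL and reports where it would be dropped.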

2 Replies


Thx Vibhor, I think I get what you are saying on this. But it seems like ASA should be able to handle this. Seems like someone forgot this piece in the new code! This also relates to another NAT configuration problem I'm having, which is very similar, by wanting to Static NAT with PAT:

https://supportforums.cisco.com/discussion/12389936/web-server-static-nat-pat-out-dynamic-pat-82-83

In general, I'm not liking this 8.3+ NAT stuff yet!
