03-23-2014 10:41 AM - edited 03-11-2019 08:59 PM
Hello,
I have completed a NAT setup on ASA 8.4 so that computers behind an internal interface get their IP translated to the outside interface IP range.
It worked OK, as I can browse fine from the internal computer; however, ICMP pings are not getting back and are timing out.
Any reason why this would happen? Here is my config in brief:
object network inside
 subnet 192.168.3.0 255.255.255.0
object network outside-pool
 range 192.168.1.40 192.168.1.80
object network inside
 nat dynamic outside-pool
Thank You.
03-23-2014 02:37 PM
Hello,
From your problem description, I think the issue might be related to a missing inspection (ICMP).
If possible you can add:
Fixup protocol icmp
Then try again to ping something on the Internet, for example: 4.2.2.2 or 8.8.8.8
Please remember to rate and select the correct answer.
03-23-2014 10:44 PM
Excellent, why is this not recognized as part of the originating traffic (same as it does for HTTP traffic)?
03-24-2014 08:07 AM
Hi,
The ICMP inspection engine allows ICMP traffic to be inspected like TCP and UDP traffic. Without the ICMP inspection engine, we recommend that you do not allow ICMP through the adaptive security appliance in an ACL. Without stateful inspection, ICMP can be used to attack your network. The ICMP inspection engine ensures that there is only one response for each request, and that the sequence number is correct.
When ICMP inspection is disabled, which is the default configuration, ICMP echo reply messages are denied from a lower security interface to a higher security interface, even if it is in response to an ICMP echo request.
For reference, take a look at the following link:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/i2.html#wp1735986
Hope it answers your question.
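A simplified model of the stateful check described in the answer above, added here as an illustration (not Cisco's implementation and not part of the original posts). The class and function names are hypothetical, NAT is ignored, 192.168.3.10 is a constructed host in the poster's inside subnet, and the model assumes no outside ACL permits ICMP.

```python
from dataclasses import dataclass, field

ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP type numbers

@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    type: int
    ident: int
    seq: int

@dataclass
class IcmpInspector:
    """Toy state table: one pending entry per outbound echo request."""
    enabled: bool = True
    pending: set = field(default_factory=set)

    def outbound(self, pkt: Icmp) -> str:
        # inside -> outside (higher to lower security level) is permitted by default
        if self.enabled and pkt.type == ECHO_REQUEST:
            self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
        return "permit"

    def inbound(self, pkt: Icmp) -> str:
        # outside -> inside: only a reply matching a pending request may pass
        if not self.enabled or pkt.type != ECHO_REPLY:
            return "deny"
        key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
        if key not in self.pending:
            return "deny"          # unsolicited, duplicate, or wrong sequence number
        self.pending.remove(key)   # exactly one reply per request
        return "permit"

def run_demo(enabled: bool) -> list:
    fw = IcmpInspector(enabled=enabled)
    host, dns = "192.168.3.10", "8.8.8.8"   # constructed sample addresses
    fw.outbound(Icmp(host, dns, ECHO_REQUEST, ident=1, seq=1))
    replies = [
        Icmp(dns, host, ECHO_REPLY, 1, 1),        # genuine reply
        Icmp(dns, host, ECHO_REPLY, 1, 1),        # duplicate of the same reply
        Icmp(dns, host, ECHO_REPLY, 1, 2),        # sequence number never requested
        Icmp("4.2.2.2", host, ECHO_REPLY, 1, 1),  # reply from a host never pinged
    ]
    return [fw.inbound(r) for r in replies]

if __name__ == "__main__":
    print("inspection on: ", run_demo(True))
    print("inspection off:", run_demo(False))
```

With inspection off, even the genuine reply is dropped, which matches the timeouts in the original question.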
03-24-2014 10:24 PM
Perfect, thank you.