Inside ping to outside interface ASA

oneirishpollack · ‎10-16-2009

I am using an ASA 5510. I have no issues receiving echo-replies from outside devices, but I can't get one from the outside interface on my ASA.

This is by design right? Is there a work around?

JORGE RODRIGUEZ · ‎10-16-2009

If you are on the inside by design you cannot ping the outside interface or other interfaces other than the interface the host is under.. say if you host is on the inside interface and tries to ping DMZ interface by design will not happen.

You can however ping outside interface from the outside if you permit it by rule.

Regards

Jorge Rodriguez

oneirishpollack · ‎10-16-2009

Yes, I was trying to ping the mapped addresses of inside devices.

So I was on a 10.7.20.20 machine trying to ping the mapped outside address of the 10.7.20.21 machine. The mapped outside address is 171.23.23.40.

I can receive a echo-reply from 10.7.20.21, but not the mapped address of 171.23.23.40.

mkharban · ‎11-11-2009

Hi,

We can achieve this by configuring hairpining or u-turning on the firewall.

The commands required for the same are:

static (inside,inside) 171.23.23.40 10.7.20.21 norandomseq nailed

same-security traffic permit inter-interface

sysopt noproxyarp inside

failover timeout -1

global (inside) 1 interface (Assuming you have nat (inside) 1 0 0 configured)

Please follow the following document for more information on the same:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2

Please note that this will only work in case the default gateway for both 10.7.20.21 and 10.7.20.20 is firewall (in other words both the echo request and reply are handled by the firewall)