Issue with echo_request translation in ASA 8.4(4)

Dear colleagues,

I couldn't create a NAT rule for passing ICMP echo-requests from a user's PC placed in the inside network toward public IP addresses in public networks.

Task:

An echo-request packet from the user's PC with a private source address should pass to the outside interface with source-address translation into the outside-interface address.

Service objects defined for ICMP services are rejected by the NAT command syntax on ASA 8.4(4).

Searching www.cisco.com didn't bring any valuable result.

3 Replies

Jennifer Halim
Cisco Employee

No, unfortunately you can't configure ICMP as a PAT rule as ICMP doesn't have any port number.

You can only configure TCP or UDP as a PAT rule.

Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/no.html#wp1778544

(and it states: "Only TCP and UDP are supported.")

Hi Jennifer,

Formerly (in the 8.2 days) I could do it, because the protocol was the subject of the access-list of a general dynamic NAT rule.

I couldn't understand why, in the new syntax, ICMP went overboard from NAT. The modular architecture of the new NAT rules with object usage must be more flexible and scalable, IMHO. ))

Yes, you can configure it with version 8.2 or earlier because it is an access-list; however, you are only meant to configure TCP or UDP, as those are the 2 protocols that have ports.
