
NAT for ping ICMP from outside to inside via ASAv

Thien are Margo
Level 1

Hi, I am a 4th-year university student from Vietnam. I have a problem with ICMP ping through the ASA. I can ping from R2 on the outside to 4.0.0.1 in the DMZ or 8.0.0.1 on the inside. I can ping from DMZ via inside. I can also ping from the DMZ and inside to Google successfully. BUT when I configure dynamic NAT (inside,outside), I can't ping ICMP from R2 (outside) to the SERVER (inside) router.

NOTE: the routers (R2, SERVER, DMZ, ...) and the ASA can ping each other successfully in every way. I NEED some advice about static NAT or dynamic NAT so that the outside network can understand the addresses 4.0.0.1 or 8.0.0.1 in the inside and DMZ.

 

object network LAN_INSIDE
subnet 8.0.0.0 255.0.0.0
nat (inside,outside) dynamic interface
exit

When I configure following NAT, I can ping from outside to inside, since I can ping ICMP successfully.


ASA:

ena
conf t
hostname Asa1

int g0/6
nameif inside1
security-level 100
ip add dhcp
no shut

username thien password 123 privilege 15
http server enable
http 0 0 inside1
exit

int g0/1
nameif DMZ
security-level 50
ip add 4.0.0.254 255.0.0.0
no shut
exit

int g0/2
nameif inside
security-level 100
ip add 8.0.0.254 255.0.0.0
no shut
exit


int g0/3
nameif outside
security-level 0
ip add 3.0.0.254 255.0.0.0
no shut
exit

--------------------------------------------------------Conf domain

dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.27.2
name-server 8.8.8.8
domain-name google.com
exit

--------------------------------------------------------not needed to ping Google
class-map inspection_default
match default-inspection-traffic
exit

policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
exit
service-policy global_policy global

--------------------------------------------------------------------------

access-list PING extended permit ip any any
access-list PING extended permit icmp any any
access-list PING extended permit tcp any any
access-group PING in interface outside

access-list dmz extended permit ip any any
access-list dmz extended permit icmp any any
access-list dmz extended permit tcp any any
access-group dmz in interface DMZ

 

Accepted Solution

Nat(IN,OUT) source static object <real IP> object <mapped IP>

Add the above NAT and ping the mapped IP from outside.

MHM

7 Replies

Thien are Margo
Level 1

Sorry I have some changes

I was a newbie

 

Since the traffic initiates from OUT to DMZ or IN, you need to allow this traffic in on OUT via

Access-list icmp extended permit icmp any host <server real IP>

Access-group icmp in interface OUT

Also, you need to use ICMP inspection under the policy-map.

MHM

I have successfully pinged ICMP from outside and inside under the condition of no NAT. With NAT, I cannot ping inside. I understand that it's because dynamic NAT on the outside side doesn't understand the inside IP.

And I also don't understand why, without NAT, I can still ping google.com.

Nat(IN,OUT) source static object <real IP> object <mapped IP>

Add the above NAT and ping the mapped IP from outside.

MHM
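The static NAT suggested above, written out against the posted configuration together with an outside ACL scoped to the server. This is an added example, not part of the thread; the mapped address 3.0.0.10, the tester address 3.0.0.1, the server address 8.0.0.1 and the object and ACL names are assumptions.

```cisco
! Added example (not from the thread). Assumed: SERVER is 8.0.0.1, 3.0.0.10 is a
! free address on the outside subnet, 3.0.0.1 is R2. All names are made up.

! Real (inside) and mapped (outside-facing) addresses of the server
object network SERVER_REAL
 host 8.0.0.1
object network SERVER_MAPPED
 host 3.0.0.10

! Manual static NAT: bidirectional, so outside hosts can initiate to 3.0.0.10.
! It is evaluated before the object NAT rule "dynamic interface" on LAN_INSIDE,
! which only builds translations for connections started from the inside.
nat (inside,outside) source static SERVER_REAL SERVER_MAPPED

! Scope the outside ACL to ICMP echo toward the server instead of
! "permit ip any any". On ASA 8.3 and later the ACL matches the real address.
access-list OUTSIDE_IN extended permit icmp any host 8.0.0.1 echo
! Applying this replaces the ACL currently bound inbound on outside
access-group OUTSIDE_IN in interface outside

! Echo replies return through the existing "inspect icmp" in global_policy.

! Verify: rule order and hit counts, the static xlate, and a simulated echo
! request from the assumed R2 address to the mapped address
show nat detail
show xlate
packet-tracer input outside icmp 3.0.0.1 8 0 3.0.0.10
```

In the packet-tracer output, the UN-NAT phase should show 3.0.0.10 untranslated to 8.0.0.1 and the final result should be "allow"; a drop in the ACCESS-LIST or NAT phase points at the rule to correct.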

Thank you, MHM.

-Thien-
