07-08-2021 01:14 AM
Hello,
Can someone help me with my issue?
I have a Firepower 2130 and a few static NAT rules and ACLs for our web/DNS servers.
We need those inside servers to be accessible from the public on a few ports, such as SSH.
We are able to ping those mapped public IP addresses from the outside network, but unable to ping them from the inside network.
Ping to the internal IP is working from the inside network.
The public IP is unpingable from the inside network.
07-08-2021 05:49 AM
Are you looking for incoming traffic from the public IP to be port-forwarded to your internal network?
Look at the example step-by-step guide below:
https://www.petenetlive.com/KB/Article/0001680
07-08-2021 09:15 PM
Hello Balaji,
Yes, I followed and referred to this guide during my setup.
The incoming traffic from the public is working fine; packets are forwarded correctly to the inside servers.
But now our developers want to ping the public IP address of the servers from the inside network.
Let's say web server 192.168.0.1 is mapped to 103.127.167.10.
We can ping from a PC on the public network to 103.127.167.10.
We cannot ping from a PC on the inside network to 103.127.167.10.
We would like to confirm this is a limitation of FDM.
07-09-2021 12:13 AM
It works that way by design, on FTD or ASA. You cannot ping an address that's on an interface remote from your origin. So if you are on the inside you cannot ping an address on the outside (like your public NAT).
07-09-2021 01:40 AM
Hello Marvin,
So, can you confirm this is a limitation of FTD NAT, or
do we have another way around to achieve this?
07-09-2021 01:45 AM
It's a limitation of the NAT implementation of FTD and ASA both.
I am not aware of any practical workaround. If you need to reach an outside address, then it needs to be reached from the outside.
If the server sits in a DMZ you can do some tricks with NAT rules that make it reachable via the public IP - basically changing the NAT rule for inside-DMZ vs. outside-DMZ. We do that sometimes for Expressway servers.
07-09-2021 01:56 AM
It's by nature of the design; as long as the port-forward is working as expected, I would not worry much about the ping.
07-10-2021 12:22 PM
This can be done by NAT hairpin.
07-11-2021 03:00 AM - edited 07-11-2021 06:28 AM
I assume you are natting to a dedicated public IP address?
You'll never get ping to work if you are translating on port 443.
Try this:-
The CLI output would look like this:-
nat (inside,inside) source static IPv4-Private-192.168.0.0-16 interface destination static SERVER01-NAT SERVER01
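As an added illustration (not part of the original reply, and not Cisco's own documentation), this is what the full ASA-style running configuration behind that hairpin line looks like, using the object names from the line above and the addresses given earlier in the thread. The 1:1 object NAT, the intra-interface permit and the test host 192.168.0.50 are assumptions; the thread does not show them.

```cisco
! Objects named exactly as in the hairpin line above; the addresses
! are the ones given earlier in the thread (192.168.0.1 -> 103.127.167.10).
object network SERVER01
 host 192.168.0.1
object network SERVER01-NAT
 host 103.127.167.10
object network IPv4-Private-192.168.0.0-16
 subnet 192.168.0.0 255.255.0.0
!
! Existing 1:1 static NAT for traffic arriving from the outside.
! (Assumed: the thread never shows this rule, but the working
! port-forward implies something equivalent is already in place.)
object network SERVER01
 nat (inside,outside) static SERVER01-NAT
!
! Hairpin (manual/twice NAT, evaluated before the object NAT above):
! inside hosts sending to the public IP get their destination rewritten
! to the real server, and their source rewritten to the inside interface
! address so the server's reply comes back through the firewall instead
! of going directly to the client. ASA needs the intra-interface permit
! for (inside,inside); on FTD check the running config before adding it.
same-security-traffic permit intra-interface
nat (inside,inside) source static IPv4-Private-192.168.0.0-16 interface destination static SERVER01-NAT SERVER01
!
! Verification from the CLI: trace an ICMP echo request (type 8, code 0)
! from a constructed inside host, 192.168.0.50, to the public IP.
! Expected: the NAT phase shows the destination changed to 192.168.0.1
! and the final result is ALLOW; a DROP here points at the NAT rule
! order or at an inside ACL that does not permit the hairpinned flow.
packet-tracer input inside icmp 192.168.0.50 8 0 103.127.167.10
```

The packet-tracer command is available on the FTD CLI as well as ASA, so the same check can be run on an FDM-managed device after the rule is deployed.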
07-11-2021 07:10 PM
Hairpin NAT configuration does allow an internal host to appear to reach the public IP address, but it's not really doing so. It's just a technique to instead redirect the traffic to actually turn around (thus the term "hairpin") and instead use the internal address when it reaches the firewall.
I would submit that's not really useful or adequate to ascertain if a given public IP or service associated with it is reachable.