NATed public IP cannot ping from inside network

may.thu
Level 1

Hello,

Can someone help me with my issue?

I have a Firepower 2130 and a few static NAT rules and ACLs for our web/DNS servers.

We need those inside servers to be accessible from the public side on a few ports, such as SSH.

We are able to ping those mapped public IP addresses from the outside network, but unable to ping them from the inside network.

Ping to the internal IP is working from the inside network.

The public IP is unpingable from the inside network.

9 Replies

balaji.bandi
Hall of Fame

Are you looking for incoming traffic from the public IP to be port-forwarded to the internal network?

Look at the step-by-step guide below:

https://www.petenetlive.com/KB/Article/0001680

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello Balaji,

Yes, I followed and referred to this guide during my setup.

The incoming traffic from the public side is working fine; packets are forwarded correctly to the inside servers.

But now our developers want to ping the public IP addresses of the servers from the inside network.

Let's say web server 192.168.0.1 is mapped to 103.127.167.10.

We can ping 103.127.167.10 from a PC on the public network.

We cannot ping 103.127.167.10 from a PC on the inside network.

We would like to confirm whether this is a limitation of FDM.

It works that way by design on FTD or ASA. You cannot ping an address that's on an interface remote from your origin. So if you are on the inside you cannot ping an address on the outside (like your public NAT).

Hello Marvin,

So, can you confirm this is a limitation of FTD NAT, or do we have another way to achieve this?

 

It's a limitation of the NAT implementation of both FTD and ASA.

I am not aware of any practical workaround. If you need to reach an outside address, then it needs to be reached from the outside.

If the server sits in a DMZ you can do some tricks with NAT rules that make it reachable via the public IP - basically changing the NAT rule for inside-DMZ vs. outside-DMZ. We do that sometimes for Expressway servers.

It's by nature of the design; as long as the port-forward is working as expected, I would not worry much about the ping.

BB

This can be done by NAT hairpin.

@may.thu 

I assume you are natting to a dedicated public IP address?

You'll never get ping to work if you are translating on port 443.

 

Try this:

[screenshot: 1.PNG]

The CLI output would look like this:

nat (inside,inside) source static IPv4-Private-192.168.0.0-16 interface destination static SERVER01-NAT SERVER01

 

Marvin Rhoads
Hall of Fame

Hairpin NAT configuration does allow an internal host to appear to reach the public IP address but it's not really doing so. It's just a technique to instead redirect the traffic to actually turn around (thus the term "hairpin") and instead use the internal address when it reaches the firewall.

I would submit that's not really useful or adequate to ascertain if a given public IP or service associated with it is reachable.
