12-29-2012 06:43 AM - edited 03-11-2019 05:41 PM
Hi experts,
I have a question about ASA NAT, as below.
R1(12.1.1.1)---inside---(12.1.1.2)ASA(23.1.1.2)---outside---R2(23.1.1.1)
nat-control enabled, configuration as below
global(outside) 1 interface
nat(inside) 1 0 0
access-list 1 permit ip any any
access-group 1 in interface outside
icmp permit any outside
icmp permit any inside
route outside 0 0 23.1.1.1
R1 can ping R2 through NAT successfully
But how can I configure the NAT so that the outside interface is able to ping inside?
With static NAT?
Kindly share your configuration
thanks
12-29-2012 06:52 AM
Hi,
Since you have the PAT configuration
global(outside) 1 interface
nat(inside) 1 0 0
This means hosts behind interface "inside" can ping hosts behind "outside" successfully.
The same isn't true for the other direction, which is what it seems you are asking for. In other words, with the above NAT/PAT configuration a connection can't be initiated from a host behind "outside" to hosts behind "inside".
The only way to ping hosts behind the firewall from the public network is to have a public IP address for each host.
On the other hand, if the networks behind both interfaces are in private IP address ranges and aren't directly connected to the public network, you can use the following Static NAT command to enable traffic in both directions.
(Though naturally if you have public network on the "inside" too this works)
static (inside,outside) 12.1.1.0 12.1.1.0 netmask 255.255.255.0
Provided your "inside" network is 12.1.1.0/24.
Notice, though, that the above Static NAT will override the PAT configuration, which was
global(outside) 1 interface
nat(inside) 1 0 0
All hosts on network 12.1.1.0/24 would connect to "outside" with their original address if you enable the Static NAT command.
The same command for a single host would be
static (inside,outside) 12.1.1.2 12.1.1.2 netmask 255.255.255.255
Provided you want to keep the IP address visible to the "outside" identical.
If you want to give the "inside" host a NAT IP address of its own you would configure
static (inside,outside)
Also remember that for ICMP it's good to configure the below configuration so you don't have to open both directions with an ACL when pinging across PIX/ASA
policy-map global_policy
class inspection_default
inspect icmp
Also the configurations
icmp permit any outside
icmp permit any inside
apply only to ICMP to and from your ASA interfaces. They don't (to my understanding) handle ICMP traffic through the firewall itself.
- Jouni
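As an added example (not part of this thread and not Cisco code), here is a small Python model of the 8.2-style NAT decision Jouni describes: dynamic PAT builds translations only for inside-initiated flows, a static (inside,outside) entry is bidirectional, and a static covering a host takes precedence over the PAT for that host. It assumes the topology from the question (ASA outside address 23.1.1.2) and deliberately ignores ACLs and inspection, which are evaluated separately on the real box.

```python
import ipaddress

OUTSIDE_IF_IP = "23.1.1.2"  # ASA outside interface address from the question's topology


def parse_nat(config_lines):
    """Collect 'static (inside,outside) MAPPED REAL netmask MASK' entries and
    note whether 'nat (inside) 1 0 0' (dynamic PAT to the outside interface) is present."""
    statics, dynamic_pat = [], False
    for line in config_lines:
        p = line.split()
        if not p:
            continue
        if p[0] == "static":
            mapped, real, mask = p[2], p[3], p[5]
            statics.append((ipaddress.ip_network(f"{real}/{mask}", strict=False),
                            ipaddress.ip_network(f"{mapped}/{mask}", strict=False)))
        elif p[0] == "nat" and p[1] == "(inside)" and p[3:5] == ["0", "0"]:
            dynamic_pat = True
    return statics, dynamic_pat


def _map(addr, from_net, to_net):
    """Translate addr one-to-one from from_net into the same offset within to_net."""
    offset = int(ipaddress.ip_address(addr)) - int(from_net.network_address)
    return str(to_net.network_address + offset)


def translate(statics, dynamic_pat, src, dst, initiated_from):
    """Return (translated_src, translated_dst) for the first packet of a flow,
    or None when no translation can be built (the connection is not allowed to start)."""
    if initiated_from == "inside":
        for real, mapped in statics:  # a matching static overrides the dynamic PAT
            if ipaddress.ip_address(src) in real:
                return (_map(src, real, mapped), dst)
        if dynamic_pat:  # PAT hides every inside host behind the outside interface IP
            return (OUTSIDE_IF_IP, dst)
        return None
    # outside-initiated: only a static entry lets the mapped address be reached
    for real, mapped in statics:
        if ipaddress.ip_address(dst) in mapped:
            return (src, _map(dst, mapped, real))
    return None  # dynamic PAT never creates a translation for an outside-initiated flow


if __name__ == "__main__":
    # Constructed sample: the thread's PAT config plus the /24 identity static
    cfg = ["global (outside) 1 interface", "nat (inside) 1 0 0",
           "static (inside,outside) 12.1.1.0 12.1.1.0 netmask 255.255.255.0"]
    s, d = parse_nat(cfg)
    print("R2 -> R1:", translate(s, d, "23.1.1.1", "12.1.1.1", "outside"))
```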
12-29-2012 07:17 AM
Hi JouniForss,
Thanks so much!