new baby question about ASA NAT

johnnydeep
Level 1

Hi experts,

I have a question about ASA NAT, as below.

R1(12.1.1.1)---inside---(12.1.1.2)ASA(23.1.1.2)---outside---R2(23.1.1.1)

nat-control is enabled; the configuration is as below:

global(outside) 1 interface

nat(inside) 1 0 0

access-list 1 permit ip any any

access-group 1 in interface outside

icmp permit any outside

icmp permit any inside

route outside 0 0 23.1.1.1

R1 can ping R2 through NAT successfully

But how can I configure the NAT so that the outside interface is able to ping inside?

With static NAT?

Kindly share your configuration

thanks

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

Since you have the PAT configuration

global(outside) 1 interface

nat(inside) 1 0 0

This means hosts behind interface "inside" can ping host behind "outside" successfully.

The same isn't true for the other direction, which is what it seems you are asking for. In other words, with the above NAT/PAT configuration a traffic/connection can't be initiated from a host behind "outside" to hosts behind "inside".

The only way to ping hosts behind the firewall from the public network is to have a public IP address for each host.

On the other hand, if the networks behind both interfaces are private IP address ranges and aren't directly connected to the public network, you can use the following Static NAT command to enable traffic in both directions.

(Though naturally if you have public network on the "inside" too this works)

static (inside,outside) 12.1.1.0 12.1.1.0 netmask 255.255.255.0

Provided your "inside" network is 12.1.1.0/24

Notice though that the above Static NAT will override the PAT configuration, which was

global(outside) 1 interface

nat(inside) 1 0 0

All hosts on network 12.1.1.0/24 would connect to "outside" with their original address if you enable the Static NAT command.

The same command for a single host would be

static (inside,outside) 12.1.1.2 12.1.1.2 netmask 255.255.255.255

Provided you want to keep the IP address visible to the "outside" identical.

If you want to give the "inside" host a NAT IP address of its own you would configure

static (inside,outside) <mapped-ip> 12.1.1.2 netmask 255.255.255.255

(where <mapped-ip> is the address the host should be seen as on "outside"; the static command takes the mapped address first and the real address second)

Also remember that for ICMP it's good to configure the below so you don't have to open both directions with an ACL when pinging across the PIX/ASA:

policy-map global_policy

class inspection_default

  inspect icmp

Also, the configurations

icmp permit any outside

icmp permit any inside

apply only to ICMP to and from your ASA interfaces. They don't (to my understanding) handle ICMP traffic through the firewall itself.

- Jouni
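To make the accepted answer concrete, here is a complete pre-8.3 ASA configuration for the poster's topology that lets R2 (23.1.1.1) initiate a ping to R1 (12.1.1.1) while every other inside host keeps using the existing PAT. This is an added example, not configuration taken from the original question or from Jouni's reply. The interface names (GigabitEthernet0/0 and 0/1), the ACL name OUTSIDE_IN, the decision to translate only R1 rather than the whole 12.1.1.0/24, and the verification commands at the end are assumptions; the static line uses R1's address (12.1.1.1) because 12.1.1.2 in the topology is the ASA's own inside interface.

```cisco
! Added example (not from the original post). Topology:
! R1(12.1.1.1)---inside---(12.1.1.2)ASA(23.1.1.2)---outside---R2(23.1.1.1)
!
! Interface names and security levels are assumptions.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 12.1.1.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 23.1.1.2 255.255.255.0
!
nat-control
!
! Dynamic PAT for everything leaving "inside" (the poster's original rule).
! With nat-control on, this alone gives outside hosts no translation to
! reach an inside host, so outside-initiated pings are dropped.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Identity static for R1 only. Static entries are matched before the
! dynamic "nat 1" rule, so R1 now leaves with its real address and can be
! reached from "outside". Assumption: R2 has a route to 12.1.1.1 via
! 23.1.1.2, since R1's address is not rewritten.
static (inside,outside) 12.1.1.1 12.1.1.1 netmask 255.255.255.255
!
! Outside ACL: instead of "permit ip any any", only let echo-requests from
! R2 reach the one host that actually has a static translation.
access-list OUTSIDE_IN extended permit icmp host 23.1.1.1 host 12.1.1.1 echo
access-group OUTSIDE_IN in interface outside
!
! ICMP inspection tracks each echo as a connection, so the echo-reply
! returns through the connection table and needs no ACL on "inside".
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
route outside 0.0.0.0 0.0.0.0 23.1.1.1 1
!
! Verification (assumption: run on the ASA after applying the above):
! packet-tracer input outside icmp 23.1.1.1 8 0 12.1.1.1
!   expected: the NAT phase matches the static and the result is "allow"
! show xlate
!   expected: an entry mapping Global 12.1.1.1 to Local 12.1.1.1
! show conn | include ICMP
!   expected: one ICMP connection while a ping from R2 is in flight
```

Two points a practitioner should keep in mind with this layout: the `icmp permit any outside` / `icmp permit any inside` lines from the question are not needed for transit pings, since they govern only ICMP addressed to the ASA's own interfaces; and if the identity static is widened to the whole 12.1.1.0/24 (netmask 255.255.255.0), every inside host stops using PAT and becomes reachable from "outside" for whatever the outside ACL permits, so tighten that ACL at the same time.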


2 Replies


Hi JouniForss,

Thanks so much!
