Solved: not able to ping device behind

Randyx · ‎05-07-2018

Hi Guys,

Just need your assistance on this.

I'm trying to setup a GNS3 lab. Attached is the diagram.

For some reason, I'm cannot ping the devices behind the firewall.

Here are the FW config.

FW1# sh run nat
nat (INSIDE,WAN0) source dynamic any interface

FW1# sh ip
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 WAN0 10.50.1.1 255.255.255.252 CONFIG
GigabitEthernet0/1 INSIDE 192.168.32.1 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 WAN0 10.50.1.1 255.255.255.252 CONFIG
GigabitEthernet0/1 INSIDE 192.168.32.1 255.255.255.0 CONFIG

FW1# sh run nat
nat (INSIDE,WAN0) source dynamic any interface

FW1# sh run access-list
access-list WAN_IN extended permit ip any any
access-list INSIDE_IN extended permit ip any any

FW1# sh run access-group
access-group WAN_IN in interface WAN0
access-group INSIDE_IN in interface INSIDE

FW1# sh run route
route WAN0 0.0.0.0 0.0.0.0 10.50.1.2 1

FW2# sh run nat
nat (INSIDE,WAN0) source dynamic any interface

FW2# sh ip
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 WAN0 10.50.1.2 255.255.255.252 CONFIG
GigabitEthernet0/1 INSIDE 192.168.31.1 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 WAN0 10.50.1.2 255.255.255.252 CONFIG
GigabitEthernet0/1 INSIDE 192.168.31.1 255.255.255.0 CONFIG

FW2# sh run nat
nat (INSIDE,WAN0) source dynamic any interface

FW2# sh run access-list
access-list WAN0_IN extended permit ip any any
access-list INSIDE_IN extended permit ip any any

FW2# sh run access-group

access-group WAN0_IN in interface WAN0
access-group INSIDE_IN in interface INSIDE

FW2# sh run route
route WAN0 0.0.0.0 0.0.0.0 10.50.1.1 1

From Site1 or Site2, I can ping the other router's Outside interface.

Site2#ping 10.50.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/10/42 ms

Site1#ping 10.50.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/6 ms

However, I cannot ping each other's local subnet.

Please assist!! Thanks in Advance

Florin Barhala · ‎05-08-2018

This is happening because of the NAT statements on each FW.
Go for "no nat (INSIDE,WAN0) source dynamic any interface" and try again.

View solution in original post

Florin Barhala · ‎05-08-2018

This is happening because of the NAT statements on each FW.
Go for "no nat (INSIDE,WAN0) source dynamic any interface" and try again.

Randyx · ‎05-08-2018

Hi

Thanks for your help..that did the trick. However, are you not suppose to do NATTing in a FW to FW setup? If no, what would be the correct NAT setup on this scenario?

Florin Barhala · ‎05-09-2018

NAT is 99% used for Internet access due to private/public IP story.
Now suppose you apply Dynamic PAT for both FWs (inside interfaces) to reach Internet, then you need to configure a STATIC NAT for one destination host in the FW the host resides.

E.G.
host_A -- FW1 ---- FW2 -- host_B
You configure dynamic PAT for network_A on FW1 and network_B on FW2.
Next if you want host_A to reach host_B the most usual way would be:
- configure a site-to-site IPSEC tunnel
- configure a static NAT on FW2
- ping from host_A the public IP used in the "static NAT on FW2"