1379 Views, 0 Helpful, 6 Replies

Not able to ping NATted IP

nihammimm
Level 1

Hi,

I have an FWSM and one of the contexts, let's say firewall1.

Below is some config from that context:

name 10.50.1.1   server_a
name 75.24.10.41 public_ip

access-list internet-in extended permit icmp any any
static (inside,internet) public_ip server_a netmask 255.255.255.255

I am not able to ping 75.24.10.41 from the internet, which is NATted to the internal server IP 10.50.1.1. Above you can see that ICMP is enabled. Can anyone suggest how I can resolve this issue?

Regards,

6 Replies

nihammimm
Level 1

any help 

Hi,

Check whether your public IP is working or not. Get confirmation from your ISP.

Confirm whether you are using broadband or a leased line?

Regards,

Janardhan

alphaomegait
Level 4

Test it with packet tracer and check your routing.

Start ping -t and watch the log to see where it fails.

term mon and watch the connections there.

sho conn and check the connection there. Read the flags to see if it is moving data both in and out.

Post your route, nat, and acl code up.

show run nat | include "source ip" or "destination ip"

show run static | include "source ip" or "destination ip"

show run route | include "source ip" or "destination ip"

If you have ASDM, packet capture ingress outside to the egress inside and see if the packet makes it into your network. If it does, set the capture up the other way to see if it will make it back. If the server in question has more than one NIC, it could be a router issue there. Subnet mask on the server? Default route on the server?

Lastly, you can contact TAC. There is no shame in doing that, and anyone with an FWSM probably has SmartNet.

That looks like a simple configuration that would allow ICMP through. I suggest also inspecting ICMP. How about your internal access-list? Is it set to allow ICMP through as well?

Do the packet capture and check the logs to see if the firewall is even blocking the ICMP.

Thanks to all for your replies.

Below is some more config to give a better understanding:

firewall#  (this is one of the contexts in the FWSM)

name 10.50.1.1   server_a
name 75.24.10.41 public_ip

interface Vlan100
nameif inside
security-level 100
ip address 10.28.80.2 255.255.255.248 standby 10.28.80.3

interface Vlan200
nameif internet
security-level 0
ip address 75.24.19.9 255.255.255.0 standby 75.24.19.2
!

static (inside,internet) public_ip server_a netmask 255.255.255.255

route inside 10.0.0.0 255.0.0.0 10.28.80.9 1


access-list internet-in extended permit icmp any any
access-list inside-in extended permit icmp any any


firewall#sh access-list | i public_ip
access-list internet-in line 11 extended permit tcp host 84.99.87.223 host public_ip eq www (hitcnt=2) 0x33edcc


firewall# sh access-list | i server_a
access-list inside-in line 19 extended permit ip  host server_a any (hitcnt=132) 0x3aa53d2b


firewall# sh conn | i 84.99.87.223   (source IP from which I am trying to access)
TCP out 84.99.87.223:56241 in server_a:80 idle 0:00:12 Bytes 70 FLAGS - Bs

firewall#  sh xlate | i public_ip
Global public_ip Local server_a


firewall# sh xlate | i server_a
Global server_a Local server_a
Global public_ip Local server_a

NOTE: I can ping server_a (10.50.1.1) from the firewall. I want to connect to 75.24.10.41 on port 80 from the internet.

Thanks, I am expecting to get the right thought on this...
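The advice earlier in the thread was to read the flags in "sho conn" to see whether data is moving in both directions, and the follow-up above posts exactly one such line ("... Bytes 70 FLAGS - Bs"). The script below is an added example, not code from the thread or from Cisco: it parses FWSM/ASA "show conn" lines, decodes the flag letters against the documented legend (the subset reproduced here is assumed to match the FWSM/ASA legend; check "show conn" help on your own box), and classifies each entry by whether the TCP handshake completed, so a stuck connection like the one posted is flagged as half-open with the SYN accepted but no SYN-ACK seen from the inside host. The interface names, the sample output other than the posted line, and the helper names parse_conn, assess and triage are all constructed for the example.

```python
import re

# One TCP/UDP entry of FWSM "show conn" output looks like (from the thread):
#   TCP out 84.99.87.223:56241 in server_a:80 idle 0:00:12 Bytes 70 FLAGS - Bs
# ASA prints the same fields comma-separated with "flags" instead of
# "FLAGS -"; the pattern accepts both. Hosts may be IPs or "name" aliases.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<if_a>\S+)\s+(?P<host_a>[^:\s,]+):(?P<port_a>\d+),?\s+"
    r"(?P<if_b>\S+)\s+(?P<host_b>[^:\s,]+):(?P<port_b>\d+),?\s+"
    r"idle\s+(?P<idle>[\d:]+),?\s+[Bb]ytes\s+(?P<bytes>\d+),?"
    r"(?:\s+(?:FLAGS\s+-|flags)\s+(?P<flags>\S+))?\s*$"
)

# Subset of the connection-flag legend. Assumed to match the documented
# FWSM/ASA legend; verify against "show conn" help on your own platform.
FLAG_LEGEND = {
    "B": "initial SYN from outside",
    "s": "awaiting outside SYN",
    "S": "awaiting inside SYN",
    "a": "awaiting outside ACK to SYN",
    "A": "awaiting inside ACK to SYN",
    "U": "up (three-way handshake completed)",
    "I": "inbound data",
    "O": "outbound data",
    "F": "outside FIN",
    "f": "inside FIN",
    "i": "incomplete",
}


def parse_conn(line):
    """Parse one show-conn line into a dict, or return None if it is not one."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    conn = m.groupdict()
    for key in ("port_a", "port_b", "bytes"):
        conn[key] = int(conn[key])
    conn["flags"] = conn["flags"] or ""
    return conn


def assess(conn):
    """Classify a parsed entry by what the flags say about the handshake."""
    flags = conn["flags"]
    from_outside = "B" in flags
    established = "U" in flags
    inbound, outbound = "I" in flags, "O" in flags
    if conn["proto"] != "TCP":
        state, advice = "non-tcp", "UDP entries carry no handshake state"
    elif not established and from_outside:
        state = "half-open-inbound"
        advice = ("SYN from outside passed the ACL and NAT (a conn exists) but the "
                  "firewall never saw the inside host's SYN-ACK: chase the return "
                  "path (server default route, inside routing, host firewall)")
    elif not established:
        state = "half-open-outbound"
        advice = "SYN from inside went out but no SYN-ACK came back"
    elif inbound and outbound:
        state, advice = "up-bidirectional", "data moving both ways; not a firewall problem"
    elif inbound or outbound:
        state, advice = "up-one-way", "handshake done but data only in one direction"
    else:
        state, advice = "up-idle", "handshake done, no payload yet"
    return {
        "state": state,
        "advice": advice,
        "initiated_from_outside": from_outside,
        "established": established,
        "flag_meanings": [FLAG_LEGEND.get(c, "unknown flag " + c) for c in flags],
    }


def triage(show_conn_output, host=None):
    """Parse a whole 'show conn' dump; optionally keep only entries touching host."""
    results = []
    for line in show_conn_output.splitlines():
        conn = parse_conn(line)
        if conn is None:
            continue
        if host and host not in (conn["host_a"], conn["host_b"]):
            continue
        results.append((conn, assess(conn)))
    return results


# Constructed sample: the entry posted in the thread plus two made-up ones.
SAMPLE_OUTPUT = """\
6 in use, 40 most used
TCP out 84.99.87.223:56241 in server_a:80 idle 0:00:12 Bytes 70 FLAGS - Bs
TCP out 203.0.113.7:40001 in server_a:80 idle 0:00:01 Bytes 5120 FLAGS - UIOB
TCP in 10.50.1.1:51234 out 198.51.100.5:443 idle 0:00:03 Bytes 0 FLAGS - saA
"""

if __name__ == "__main__":
    for conn, verdict in triage(SAMPLE_OUTPUT, host="server_a"):
        print(conn["host_a"], "->", conn["host_b"], conn["flags"], verdict["state"])
        print("   ", verdict["advice"])
```

Paste the real "sh conn" output into SAMPLE_OUTPUT (or read it from a file) and filter on the NATted host's name; an entry that never gains the U flag tells you the SYN got through the ACL and the static, so the remaining suspects are on the inside return path rather than in the firewall's policy.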

need help
