Not able to ping NATed IP


I have an FWSM and one of its contexts, let's say firewall1.

Below is some of the config in that context:

name   server_a
name public_ip

access-list internet-in extended permit icmp any any
static (inside,internet) public_ip server_a netmask

I am not able to ping from the internet, which is NATed to the internal server IP. Above you can see that ICMP is enabled. Can anyone suggest how I can resolve this issue?



Any help?


Check whether your public is working or not. Get confirmation from your ISP.

Confirm whether you are using broadband or a leased line?




Test it with packet tracer and check your routing.

Start ping -t and watch the log to see where it fails.

term mon and watch the connections there.

sho conn and check the connection there. Read the flags to see if it is moving data both in and out.

Post your route, nat, and acl code up.

show run nat | include "source ip" or "destination ip"

show run static | include "source ip" or "destination ip"

show run route | include "source ip" or "destination ip"

If you have ASDM, packet capture ingress outside to the egress inside and see if the packet makes it into your network. If it does, set the capture up the other way to see if it will make it back. If the server in question has more than one NIC it could be a router issue there. Subnet mask on the server? Default route on the server?

Lastly, you can contact TAC. There is no shame in doing that and anyone with an FWSM probably has SmartNet.

That looks like a simple configuration that would allow ICMP through. I suggest also inspecting ICMP. How about your internal access-list? Is it set to allow ICMP through as well?

Do the packet capture and check logs to see if the firewall is even blocking the ICMP.

Thanks to all for your replies.

Below is some of the config to give more understanding:

firewall#  (this is one of the contexts in FWSM)

name   server_a
name public_ip

interface Vlan100
nameif inside
security-level 100
ip address standby

interface Vlan200
nameif internet
security-level 0
ip address standby

static (inside,internet) public_ip server_a netmask

route inside 1

access-list internet-in extended permit icmp any any
access-list inside-in extended permit icmp any any

firewall#sh access-list | i public_ip
access-list internet-in line 11 extended permit tcp host host public_ip eq www (hitcnt=2) 0x33edcc

firewall# sh access-list | i server_a
access-list inside-in line 19 extended permit ip  host server_a any (hitcnt=132) 0x3aa53d2b

firewall# sh conn | i ( source IP from which I am trying to access)
TCP out in server_a:80 idle 0:00:12 Bytes 70 FLAGS - Bs

firewall#  sh xlate | i public_ip
Global public_ip Local server_a

firewall# sh xlate | i server_a
Global server_a Local server_a
Global public_ip Local server_a

NOTE: I can ping the server_a ( from the firewall. I want to connect with port 80 from the internet.

Thanks, I am expecting to get the right thoughts on this...
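
Added example, not part of any post in this thread: a small Python helper that applies the "read the flags" advice to the `sh conn` line posted above. The flag meanings are the `show conn` legend of the ASA/PIX family, assumed here to apply to FWSM as well; `diagnose` and the second sample line are constructed for illustration.

```python
import re

# Subset of the `show conn` flag legend (ASA/PIX family; assumed valid for FWSM).
FLAG_LEGEND = {
    "A": "awaiting inside ACK to SYN", "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside",
    "S": "awaiting inside SYN", "s": "awaiting outside SYN",
    "U": "up", "I": "inbound data", "O": "outbound data",
    "F": "outside FIN", "f": "inside FIN",
    "R": "outside acknowledged FIN", "r": "inside acknowledged FIN",
}

# The outside address may be missing (it was stripped from the post), so it is optional.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<out>\S*)\s*in\s+(?P<inside>\S+)\s+"
    r"idle\s+(?P<idle>\S+)\s+Bytes\s+(?P<bytes>\d+)\s+FLAGS\s+-\s+(?P<flags>\S+)$"
)

def diagnose(line):
    """Decode one `show conn` line and say whether traffic flows both ways."""
    m = CONN_RE.match(line.strip())
    if m is None:
        raise ValueError("not a recognised show conn line: %r" % line)
    flags = m.group("flags")
    up, inbound, outbound = "U" in flags, "I" in flags, "O" in flags
    if not up:
        verdict = "handshake incomplete"   # check return route and server reply
    elif inbound and outbound:
        verdict = "two-way"
    else:
        verdict = "one-way"                # established, data in one direction only
    return {
        "inside": m.group("inside"),
        "bytes": int(m.group("bytes")),
        "decoded": [FLAG_LEGEND.get(f, "unknown flag " + f) for f in flags],
        "verdict": verdict,
    }

if __name__ == "__main__":
    posted = "TCP out in server_a:80 idle 0:00:12 Bytes 70 FLAGS - Bs"
    # Constructed line showing a healthy inbound session (documentation address).
    healthy = "TCP out 203.0.113.5:40000 in server_a:80 idle 0:00:01 Bytes 5120 FLAGS - UIOB"
    for sample in (posted, healthy):
        print(sample, "->", diagnose(sample))
```

For the posted line the verdict is "handshake incomplete": the SYN from outside reached the translation, but the connection never reached the up state, which points at the return path (server default route, inside routing) rather than at the internet-in ACL.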

Need help.

