07-07-2017 04:41 AM - edited 03-12-2019 02:40 AM
I have configured a static NAT on the ASA as follows:
Mapped IP      Port   Real IP       Port
192.168.1.200  80     10.50.1.16    80
192.168.1.200  81     10.50.4.23    81
192.168.1.200  82     10.50.1.126   8080
192.168.1.200  83     10.50.1.16    83
192.168.1.200  84     10.50.4.23    83
When a user in the outside zone tries to ping the mapped IP (192.168.1.200), it does not work. But NAT is working as expected.
Could anyone advise me how to get the ping to the mapped IP (192.168.1.200) working from the outside interface?
Regards
Tony
07-07-2017 05:08 AM
If you are going from a lower security level to a higher security level, you will need an ACL in place allowing the desired traffic.
If trying to ping from the inside to the outside, you will need inspect icmp configured.
07-07-2017 05:17 AM
Hi
Thanks for your response
I have permitted ICMP in the ACL, but I am still not able to ping.
07-07-2017 05:20 AM
Can you post relevant config? Would be helpful. Thanks
07-08-2017 12:24 AM
Hi, please find the configuration below:
object network WEB_SERVER_10.50.1.16_1
 host 10.50.1.16
 nat (WEB_Zone,Outside) static WEBNAT_192.168.200.1 service tcp www www
object network PRI_SER
 host 10.50.1.126
 nat (WEB_Zone,Outside) static WEBNAT_192.168.200.1 service tcp 8080 82
object network Training
 host 10.50.4.23
 nat (DTB_Zone,Outside) static WEBNAT_192.168.200.1 service tcp 81 81
object network WEB_SERVER_10.50.1.16_1
 host 10.50.1.16
 nat (WEB_Zone,Outside) static WEBNAT_192.168.200.1 service tcp 83 83
object network Training2
 host 10.50.4.23
 nat (DTB_Zone,Outside) static WEBNAT_192.168.200.1 service tcp 83 84
access-group outside_access_in in interface Outside
access-list outside_access_in line 56 extended permit ip host 10.87.1.5 any (hitcnt=784) 0x6301df3a
Before, when I had configured a simple NAT without port translation, I was able to ping, but after this configuration I am not getting ping, although the applications are working.
07-08-2017 12:55 AM
I think what you are experiencing is correct behaviour.
Also, just to confirm, the address you are trying to ping is 192.168.200.1? One post mentions 1.200 and another 200.1.
I don't think you will be able to get ICMP working when pinging the 192.168 address with your current NAT/port forwarding setup, as it is attached to a number of internal addresses on various ports.
Maybe someone else can confirm, as I'm not 100% sure.
You said you configured static nat previously and it worked. Was this a pure one to one static mapping? If so, then there would only be one address attached allowing it to reply to icmp.
07-08-2017 01:05 AM
Hi Dear,
Sorry, it is actually 192.168.200.1.
Earlier it was a one-to-one static NAT, as given below:
object network WEB_SERVER_10.50.1.16_1
 host 10.50.1.16
 nat (WEB_Zone,Outside) static WEBNAT_192.168.200.1 service tcp any any
If it is expected behaviour, could you please give any documents supporting your comments?
Thanks
07-08-2017 01:23 AM
I am not 100% sure if this is the case, but the NATs you have are for specific ports only. If you ping the 200.1 address, it is mapped to multiple different addresses/ports only. What exactly would be replying to the ICMP echoes when you try to ping it?
Someone else may be able to clarify or tell you if it is possible.
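As an added illustration of the point made in the last two replies (this is not from the thread or from Cisco): a small first-match lookup over the port-forwarding entries posted above, showing that a TCP packet to a forwarded port has a real host to go to while an ICMP echo to the mapped address matches nothing. The plain one-to-one rule is assumed here to translate every protocol, which is the "pure one to one static mapping" case the second responder describes.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class StaticNat:
    """One static NAT entry. A None proto/mapped_port/real_port means
    'any', i.e. a plain one-to-one static with no 'service' clause."""
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None

# Entries transcribed from the posted config (mapped address 192.168.200.1).
PORT_FORWARD_RULES = [
    StaticNat("192.168.200.1", "10.50.1.16", "tcp", 80, 80),
    StaticNat("192.168.200.1", "10.50.4.23", "tcp", 81, 81),
    StaticNat("192.168.200.1", "10.50.1.126", "tcp", 82, 8080),
    StaticNat("192.168.200.1", "10.50.1.16", "tcp", 83, 83),
    StaticNat("192.168.200.1", "10.50.4.23", "tcp", 84, 83),
]

# Assumed model of the earlier one-to-one static for the web server:
# no service clause, so every protocol (ICMP included) is translated.
ONE_TO_ONE_RULES = [StaticNat("192.168.200.1", "10.50.1.16")]

def untranslate(rules, mapped_ip, proto, port=None):
    """Return (real_ip, real_port) for an inbound packet sent to
    mapped_ip, or None when no entry covers that protocol/port.
    port is None for protocols that carry no port (ICMP).
    Assumes simple first-match ordering of the entries."""
    for r in rules:
        if r.mapped_ip != mapped_ip:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.mapped_port is not None and r.mapped_port != port:
            continue
        return (r.real_ip, r.real_port if r.real_port is not None else port)
    return None

def ping_target(rules, mapped_ip):
    """Real host (if any) that an ICMP echo to mapped_ip would reach."""
    hit = untranslate(rules, mapped_ip, "icmp")
    return hit[0] if hit else None
```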