Ping issue with NAT

tonysebastian
Level 1

Dear All

In order to meet our requirements we have to configure PAT on one external IP address to two internal IPs in the DMZ on different TCP ports. This NAT is configured on ASA version 9.1.

As expected, all the applications are working through NAT, but we are not able to ping the mapped IP (external IP) from the outside zone. Can anyone help me identify whether this is the default behavior of the ASA?

Earlier we had configured static NAT on a single external IP to a single internal IP without PAT; in that case we used to receive an ICMP reply.

Regards 

Tony 

Accepted Solutions

For this requirement, you need a 1:1 mapping as you had before. You can't achieve this with pure port-forwarding on the ASA.


Hi Karsten 

Thanks for your reply.

Could you please provide any supporting documents for your comments?

Regards 

Tony

It's basic to how port forwarding and "ping" work. An incoming ICMP echo request (or "ping") is neither TCP nor UDP - it is ICMP. As such it is not covered by your specific port forwarding NAT rule. It will either hit a more general dynamic NAT (PAT) rule or not be NATted at all, depending on the other bits of your configuration.

You can confirm the ASA works this way not only by inspection of the results (which you already have) but in more detail by using the packet-tracer utility. 

Hi Marvin

Thanks for your comments.

In the packet-tracer utility I am getting the error message below:

(nat-no-xlate-to-pat-pool)

Regards 

Tony

Well there you go. The ASA itself is confirming what Karsten said - that your PAT pool cannot handle the icmp traffic.
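The setup discussed in this thread, sketched as an added example that is not taken from any poster's configuration: two static PAT (port-forward) rules sharing one mapped IP, the packet-tracer checks for TCP and ICMP, and the earlier 1:1 form. The object names, interface names (`dmz`, `outside`), ACL name, ports and all addresses (RFC 1918 and documentation ranges) are assumptions chosen for illustration.

```cisco
! --- Port forwarding: one mapped IP, two DMZ hosts, different TCP ports ---
! (hypothetical names and addresses)
object network DMZ-SRV-A
 host 10.10.10.11
 nat (dmz,outside) static 203.0.113.10 service tcp 443 443
object network DMZ-SRV-B
 host 10.10.10.12
 nat (dmz,outside) static 203.0.113.10 service tcp 8443 8443

! --- Verify from exec mode ---
! TCP to a forwarded port matches the static PAT rule and is un-translated
! to the DMZ host:
packet-tracer input outside tcp 198.51.100.25 40000 203.0.113.10 443
! ICMP echo request (type 8, code 0) to the same mapped IP matches neither
! rule, because both are limited to a TCP service. This is the test in which
! the thread reports the drop reason (nat-no-xlate-to-pat-pool):
packet-tracer input outside icmp 198.51.100.25 8 0 203.0.113.10

! --- 1:1 static NAT, the form that answered ping before ---
! No "service" keyword, so every protocol to the mapped IP, ICMP included,
! is translated to the one real host.
object network DMZ-SRV-A
 host 10.10.10.11
 nat (dmz,outside) static 203.0.113.10

! Inbound echo still has to be permitted by the outside ACL; on ASA 8.3 and
! later the ACL references the real (DMZ) address. ACL name is hypothetical.
access-list OUTSIDE-IN extended permit icmp any object DMZ-SRV-A echo
access-group OUTSIDE-IN in interface outside
```

With the port-forward rules in place, a failed ping to the mapped IP says nothing about the published TCP services; monitor those with a TCP check against the forwarded ports instead.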
