10-12-2014 05:44 AM - edited 03-11-2019 09:54 PM
Hi
I have ASA 5510 with public IP 110.x.x.50/29
ADSL modem is 110.x.x.49
ASA Outside interface is 110.x.x.50
Internal is 10.1.12.x/24
---
110.x.x.51 is mapped to server 10.1.12.1
110.x.x.52 is mapped to server 10.1.12.2
Firewall is working fine as well as static NAT from the Outside.
My question:
From outside (external) I can ping the Outside interface 110.x.x.50,
but how can I ping the other public IPs (110.x.x.51 and 110.x.x.52) from external?
Currently I'm not able to ping them.
10-12-2014 01:14 PM
You have to:
policy-map global_policy
class inspection_default
inspect icmp
10-12-2014 07:08 PM
I have applied the above config, but I still can't ping the other public IPs.
10-13-2014 12:41 AM
Do you have an ACL entry on the outside interface permitting ICMP to those specific addresses (or to any for that matter)?
--
Please remember to select a correct answer and rate helpful posts
10-13-2014 01:51 AM
Hi all,
below is my config ASA.
=========================
ASA Version 9.1(2)
!
hostname ASHFW01
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 110.x.x.50 255.255.255.248
!
interface GigabitEthernet0/1
no nameif
security-level 100
no ip address
!
interface GigabitEthernet0/1.1
vlan 12
nameif VLAN12
security-level 100
ip address 10.1.12.254 255.255.255.0
!
interface GigabitEthernet0/1.2
vlan 20
nameif VLAN20
security-level 100
ip address 10.1.20.254 255.255.255.0
!
interface GigabitEthernet0/1.3
vlan 30
nameif VLAN30
security-level 100
ip address 10.1.30.254 255.255.255.0
!
interface GigabitEthernet0/1.4
vlan 50
nameif VLAN50
security-level 100
ip address 10.1.50.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns domain-lookup VLAN12
dns domain-lookup VLAN20
dns domain-lookup VLAN30
dns domain-lookup VLAN50
dns server-group DefaultDNS
name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network TerminalServer
host 10.1.12.13
object service smtp
service tcp source eq smtp destination eq smtp
object service smtps
service tcp source eq 587 destination eq 587
object network Exch-SMTP
host 10.1.20.2
object network Exch-POP3
host 10.1.20.2
object network Exch-SMTPS
host 10.1.20.2
object network ExchServer
host 10.1.20.2
object network MgmtSvr
host 10.1.12.30
object network Exch-SMTP1
host 10.1.20.2
object network Exch-HTTP
host 10.1.20.2
object network Portal
host 10.1.12.14
description Portal
object service Portal80
service tcp source eq www destination eq www
description Portal80
object network SalesMobile
host 10.1.12.14
description SalesMobile
object service SalesMobile9090
service tcp source eq 9090 destination eq 9090
description SalesMobile9090
object-group service rdp tcp
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit tcp any object MgmtSvr object-group rdp
access-list outside_access_in extended permit tcp any object TerminalServer object-group rdp
access-list outside_access_in extended permit tcp any object ExchServer object-group rdp
access-list outside_access_in extended permit tcp any object ExchServer eq www
access-list outside_access_in extended permit tcp any object ExchServer eq https
access-list outside_access_in extended permit tcp any object ExchServer eq smtp
access-list outside_access_in extended permit tcp any object ExchServer eq 587
access-list outside_access_in extended permit tcp any object ExchServer eq pop3
access-list outside_access_in extended permit tcp any object Portal eq www
access-list outside_access_in extended permit tcp any object SalesMobile eq 9090
access-list outside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu VLAN12 1500
mtu VLAN20 1500
mtu VLAN30 1500
mtu VLAN50 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any VLAN12
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network TerminalServer
nat (VLAN12,outside) static 110.x.x.51 service tcp 3389 3389
object network Exch-SMTP
nat (VLAN20,outside) static 110.x.x.52 service tcp smtp smtp
object network Exch-POP3
nat (VLAN20,outside) static 110.x.x.52 service tcp https https
object network Exch-SMTPS
nat (VLAN20,outside) static 110.x.x.52 service tcp 587 587
object network ExchServer
nat (VLAN20,outside) static 110.x.x.52 service tcp 3389 3389
object network MgmtSvr
nat (VLAN12,outside) static 110.x.x.53 service tcp 3389 3389
object network Exch-SMTP1
nat (VLAN20,outside) static 110.x.x.52 service tcp pop3 pop3
object network Exch-HTTP
nat (VLAN20,outside) static 110.x.x.52 service tcp www www
object network Portal
nat (VLAN12,outside) static 110.x.x.51 service tcp www www
object network SalesMobile
nat (VLAN12,outside) static 110.x.x.51 service tcp 9090 9090
!
nat (any,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 110.x.x.49 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable 4348
http 192.168.1.0 255.255.255.0 management
http 10.1.12.0 255.255.255.0 VLAN12
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 0.0.0.0 0.0.0.0 VLAN12
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username necare password BkPn6VQ0VwTy7MY7 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:4551a847aa860ec2126b9ed1ea6c641f
: end
10-13-2014 01:55 AM
Please add the following entry to the top of your outside_access_in ACL and then test.
access-list outside_access_in extended permit icmp any any
10-13-2014 02:12 AM
Hi all, I have already applied the above config but am still unable to ping the other public IPs.
Is it possible to ping them at all?
===============
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any object MgmtSvr object-group rdp
access-list outside_access_in extended permit tcp any object TerminalServer object-group rdp
access-list outside_access_in extended permit tcp any object ExchServer object-group rdp
access-list outside_access_in extended permit tcp any object ExchServer eq www
access-list outside_access_in extended permit tcp any object ExchServer eq https
access-list outside_access_in extended permit tcp any object ExchServer eq smtp
access-list outside_access_in extended permit tcp any object ExchServer eq 587
access-list outside_access_in extended permit tcp any object ExchServer eq pop3
access-list outside_access_in extended permit tcp any object Portal eq www
access-list outside_access_in extended permit tcp any object SalesMobile eq 9090
access-list outside_access_in extended deny ip any any
10-13-2014 02:21 AM
Have you followed Karsten's suggestion by turning off the windows firewall or any other software firewall installed on the servers/PCs when testing?
10-13-2014 02:27 AM
Yes, my PC itself has its firewall disabled.
No other software firewall is installed.
10-13-2014 02:28 AM
Not your PC; the firewall on the PC you are trying to ping needs to be either turned off or configured to allow ICMP.
10-13-2014 02:44 AM
Hi,
You mean the servers below? Their firewalls are turned off.
But I just need to ping the public IP?
=====================
object network TerminalServer
host 10.1.12.13
object network ExchServer
host 10.1.20.2
object network MgmtSvr
host 10.1.12.30
=======================
object network TerminalServer
nat (VLAN12,outside) static 110.x.x.51 service tcp 3389 3389
object network ExchServer
nat (VLAN20,outside) static 110.x.x.52 service tcp 3389 3389
object network MgmtSvr
nat (VLAN12,outside) static 110.x.x.53 service tcp 3389 3389
=======================
10-13-2014 03:01 AM
When you ping 110.x.x.51 (for example), do you see any drop logs in the realtime event viewer on the ASA?
If you do not see any drop logs, could you set up a packet capture for one of the servers on the ASA, perhaps this will tell us what is happening.
access-list CAPIN extended permit icmp any host 10.1.12.13 echo
access-list CAPIN extended permit icmp host 10.1.12.13 any echo-reply
access-list CAPOUT extended permit icmp any host 110.x.x.51 echo
access-list CAPOUT extended permit icmp host 110.x.x.51 any echo-reply
capture INSIDE_CAP interface VLAN12 access-list CAPIN
capture OUTSIDE_CAP interface outside access-list CAPOUT
show capture INSIDE_CAP
show capture OUTSIDE_CAP
10-13-2014 03:41 AM
In your first post you say that the private IP is mapped, but in your config you only map specific ports to the outside interface. With that, you can't reach the internal server with a ping. You need to also map icmp the same way as you do for RDP. That is typically done by mapping the whole IP and not just the service.
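The whole-IP mapping this answer describes, written out for the Exchange host as an added example rather than the thread's own config. It assumes the interface and object names from the posted configuration, keeps the masked 110.x.x.52 address, and uses 203.0.113.10 (documentation range) as a constructed test source.

```cisco
! Added example, not the thread's config. Before: port-only statics for
! 10.1.20.2. No NAT entry matches ICMP to 110.x.x.52, so an echo
! request is never forwarded to the host.
object network Exch-SMTP
 host 10.1.20.2
 nat (VLAN20,outside) static 110.x.x.52 service tcp smtp smtp
object network Exch-HTTP
 host 10.1.20.2
 nat (VLAN20,outside) static 110.x.x.52 service tcp www www
! (same pattern for 587, pop3, https and 3389 in the posted config)
!
! After: drop the per-port objects (none are referenced by the ACL,
! which uses ExchServer) and map the whole address once.
no object network Exch-SMTP
no object network Exch-SMTPS
no object network Exch-SMTP1
no object network Exch-POP3
no object network Exch-HTTP
object network ExchServer
 host 10.1.20.2
 no nat (VLAN20,outside) static 110.x.x.52 service tcp 3389 3389
 nat (VLAN20,outside) static 110.x.x.52
!
! On 8.3+ code the ACL is written against the real address. Permit
! only echo requests; inspect icmp (already in global_policy) lets
! the replies back out statefully, so "permit icmp any any" is wider
! than needed.
access-list outside_access_in line 1 extended permit icmp any object ExchServer echo
!
! Verify: a full-address xlate should exist, and a simulated echo
! (type 8, code 0) from the constructed test source should end in ALLOW
! with the NAT phase showing the static translation.
show xlate | include 110.x.x.52
packet-tracer input outside icmp 203.0.113.10 8 0 110.x.x.52
```

Mapping the whole address only works where one public IP fronts one host; in the posted config 110.x.x.51 serves both 10.1.12.13 and 10.1.12.14, so one of them needs its port maps moved to another public address before the same change applies there.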
10-13-2014 10:40 AM
Ok, thank you. Problem resolved. Map the whole IP. That's it.
10-13-2014 12:42 AM
Please show your actual ASA config. And double-check that you don't block pings on the internal host with a host firewall.