NAT Setup ( To ping from outside to Inside)

virgoboy009
Level 1

Hello,

I am trying to configure NAT so that hosts placed in the Outside network can ping the Inside network,

and hosts placed in the inside network should also be able to reach outside hosts.

This entire scenario is for a private network connecting to another vendor's network.

Coreswitch A ---- sw acc vlan 5 ---- inside 10.8.252.50 - ASA Firewall 7.0 - outside 192.168.60.1 ---- vlan 192 ---- Coreswitch B - vlan 192 - 192.168.60.50
  |                                                                                                                      |
  |-- vlan 5  - 10.8.252.1                                                                                               |-- server Host B - 192.168.60.122
  |-- vlan 10 - 10.8.251.1
        |--- Host A 10.8.251.10 - connected to the coreswitch

Please help me to ping from:

1) Host A (inside) to Host B (outside).

2) Host B (outside) to Host A (inside).

I tried to do static NAT and an ACL in the following way:

static (outside,inside) 10.8.252.200 192.168.60.122 netmask 255.255.255.255 (here the virtual IP 10.8.252.200 is mapped to 192.168.60.122)

access-list acl-outside extended permit icmp host 10.8.251.10 host 10.8.252.200 echo-reply

access-group acl-outside in interface outside

After I do this, I am not able to ping from Host A to Host B.

I would like to know what config is required to ping from Host B to Host A.

Appreciate your posts.

Regards,

KA.

9 Replies

Hi,

The ASA is a stateful device for TCP.

UDP is permitted back based on timers and ICMP is blocked.

To allow PING from inside to outside you need one of two things:

1. Either a permit ICMP applied to the outside ACL

2. Or include an inspect ICMP to the global_policy (preferred way).

To allow PING from outside to inside you need:

1. A static NAT statement to allow communication from a lower security interface to a higher security interface

2. Permit the ICMP in the outside ACL

The static statement that you're referring to is a translation for packets coming from the outside which is not something that you need.

Hope it helps.

Federico.

Hello Fed,

Thanks for your posts.

I really tried with all the config, but I am not sure where I am making the mistake.

Could you please help me with the config for my above scenario?

Regards,

KA.

Hi,

Try this:

1)To allow pings from B to A

static (inside,outside) 192.168.60.2 10.8.251.10 netmask 255.255.255.255

access-list acl-outside extended permit icmp host 192.168.60.122 host 192.168.60.2 echo

access-group acl-outside in interface outside

2)To allow pings from A to B:

Just add inspect icmp:

policy-map global_policy

  class inspection_default

   inspect icmp

Regards.

Alain.

Don't forget to rate helpful posts.

Hello Alain,

Many thanks for posting the config.

I will surely try the config and hopefully it will solve the problem.

Regards,

KA.

Hello Alain,

When I tried your suggested commands I was not able to reach Host A from Host B; I suspect I need a few routing commands at the firewall.

I could see some amount of traffic hitting the firewall, shown below.

ASA-FW# sh access-list

access-list acl-outside; 1 elements
access-list acl-outside line 1 extended permit icmp host 192.168.60.122 host 192.168.60.200 echo (hitcnt=79) 0x149817e2 .

VLAN 5 - 10.8.252.1 is the directly connected VLAN from the inside coreswitch to the firewall inside interface.

VLAN 10 - 10.8.251.1 is another VLAN on the coreswitch.

Scenario 2

When I gave Host A an IP address within the same subnet as the firewall, I was able to reach Host A from Host B, which shows, as per my analysis, that there is a routing issue at the firewall.

1)To allow pings from B to A

static (inside,outside) 192.168.60.200 10.8.252.200  netmask 255.255.255.255

access-list acl-outside extended permit icmp host 192.168.60.122 host 192.168.60.200 echo

access-group acl-outside in interface outside

2)To allow pings from A to B:

Just add inspect icmp:

policy-map global_policy

  class inspection_default

   inspect icmp

I set the default gateway on Host A to the firewall IP 10.8.252.50, after which I could ping from Host B (192.168.60.122) to 10.8.252.200 (Host A).

Please suggest what more is required at the firewall in terms of routing/ACL, or any other commands required at the inside coreswitch.

Anyway, I am happy that I could reach Host A from Host B in scenario 2 with your commands.

Appreciate your support again.

Anybody, please suggest your comments.

Hello Guys,

Please share your comments on what more is required on the firewall and coreswitch to reach Host B <----> Host A (both ways).

Regards,

KA.

Hi Karim,

static (inside,outside) 192.168.60.2 10.8.251.10 netmask 255.255.255.255

access-list acl-outside extended permit icmp host 192.168.60.122 host 192.168.60.2 echo

access-group acl-outside in interface outside

I made a mistake when I posted the config: in line 2, replace host 192.168.60.2 echo with host 10.8.251.10 echo.

Regards.

Alain.

Don't forget to rate helpful posts.

Hello Alain,

I tried but still no success; I suspect some rule has to be added in the firewall.

I added route inside 10.0.0.0 255.0.0.0 10.8.252.1, but still, when I use 10.8.251.10 in place of 10.8.252.10, I am not

able to communicate both ways.

I even set up a lab and tried these commands, suspecting the existing inside core production switch might have some other routes.

Regards,

KA.

Hi Karim,

Post your config.

Regards.

Alain.

Don't forget to rate helpful posts.
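Pulling the thread's pieces together, here is a complete configuration for the topology drawn at the top, added here as an editor's example rather than a config posted by anyone in the thread. It assumes ASA 7.0 (pre-8.3) NAT semantics, where the outside ACL is evaluated against the mapped (global) address before un-NAT, and it assumes Coreswitch A has no route for 192.168.60.0/24, which would explain why the ping only worked when Host A sat on the firewall's own subnet with the ASA as its gateway; the mapped address 192.168.60.2 is taken from Alain's post.

```text
! ---- ASA (7.0, pre-8.3 NAT syntax) ----
! Static NAT: Host A (10.8.251.10, inside) is presented to the outside as 192.168.60.2.
static (inside,outside) 192.168.60.2 10.8.251.10 netmask 255.255.255.255
!
! Outside ACL: on pre-8.3 code the ACL is checked before the static is undone,
! so it must reference the mapped address 192.168.60.2, not the real 10.8.251.10.
! Only echo is permitted; the replies are handled by ICMP inspection below.
access-list acl-outside extended permit icmp host 192.168.60.122 host 192.168.60.2 echo
access-group acl-outside in interface outside
!
! ICMP inspection: tracks echo/echo-reply as a session, so replies to pings
! initiated from either side come back without an extra echo-reply ACL entry.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
! Routing: Host A's VLAN 10 (10.8.251.0/24) is not directly connected to the ASA;
! the next hop is Coreswitch A's VLAN 5 address. (The broader
! "route inside 10.0.0.0 255.0.0.0 10.8.252.1" from the thread also covers this.)
route inside 10.8.251.0 255.255.255.0 10.8.252.1
!
! Verify on the ASA after a ping from Host B:
!   show xlate                     (expect 192.168.60.2 <-> 10.8.251.10)
!   show access-list acl-outside   (hitcnt should increase)
!
! ---- Coreswitch A (IOS) ----
! The switch is Host A's default gateway, so it needs a route back to the
! outside network via the ASA inside interface. Without it, echo-replies from
! Host A are dropped at the switch, which is consistent with the ping working
! only when Host A was moved onto VLAN 5 with the ASA as its gateway.
ip route 192.168.60.0 255.255.255.0 10.8.252.50
```

Alain's later correction (matching the real address 10.8.251.10 in the ACL) applies to 8.3 and newer code, where the ACL sees the real IP; on 7.0 the mapped address is the one to match.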