09-03-2019 11:50 AM - edited 09-03-2019 12:07 PM
Hi!!
I hope the ASA will NAT 192.168.247.15 to 94.16!!
So I configured NAT.
However, an external server cannot ping 94.16.
Have I made a mistake in the configuration??
I attach the config to this.
-----------------------------------------------------------------
Interface Configured

interface Redundant1
 member-interface GigabitEthernet1/1
 member-interface GigabitEthernet1/2
 nameif OA
 security-level 0
 ip address 192.168.94.11 255.255.255.0
!
interface Redundant2
 member-interface GigabitEthernet1/7
 member-interface GigabitEthernet1/8
 nameif FA
 security-level 0
 ip address 192.168.247.11 255.255.255.0

ciscoasa# sh run icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OA
icmp permit any FA

ciscoasa# sh run same
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

NAT Configured

object network TCO
 host 192.168.247.15
 nat (FA,OA) static 192.168.94.16

ciscoasa# sh xlate
1 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from FA:192.168.247.15 to OA:192.168.94.16
    flags s idle 0:21:53 timeout 0:00:00

ciscoasa# sh nat
Auto NAT Policies (Section 2)
1 (FA) to (OA) source static TCO 192.168.94.16
    translate_hits = 6, untranslate_hits = 358
-----------------------------------------------------------------
09-22-2019 09:35 PM
Thank you for your answers.
But the cause was elsewhere.
It was a matter of policy at the top of the Internet firewall.
I couldn't figure it out easily because that firewall isn't my jurisdiction.
09-03-2019 02:07 PM
Hello,
the NAT configuration looks good actually.
Try and add 'inspect icmp' to the global policy:
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
09-03-2019 05:59 PM
09-03-2019 11:58 PM
Hello,
can the external IP address reach the internal web server through any other port, e.g. 80 or 443?
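Added example, not part of the original thread: one way to check on the ASA itself whether pings to the mapped address 192.168.94.16 arrive on OA at all, which separates a problem on this ASA from a drop on a device in front of it. The address 203.0.113.10 is a placeholder for the external server, and the capture names cap_oa and cap_fa are made up for this example.

```cisco
! Simulate an echo request (ICMP type 8, code 0) arriving on OA from the
! external server (placeholder address) for the mapped address.
! The output lists each phase (UN-NAT, access checks, inspection) and
! whether this ASA would allow or drop the packet.
packet-tracer input OA icmp 203.0.113.10 8 0 192.168.94.16 detailed

! Capture real ICMP on both interfaces, then have the external server ping.
! OA carries the mapped address, FA carries the real address.
capture cap_oa interface OA match icmp any host 192.168.94.16
capture cap_fa interface FA match icmp any host 192.168.247.15

show capture cap_oa
show capture cap_fa

! Reading the result:
!  cap_oa is empty                     -> the requests never reach this ASA;
!                                         look at the devices in front of it
!  cap_oa has requests, cap_fa is empty -> this ASA drops them; compare with
!                                         the packet-tracer output
!  cap_fa has requests but no replies  -> check host 192.168.247.15 and its
!                                         return route via 192.168.247.11

! Remove the captures when finished.
no capture cap_oa
no capture cap_fa
```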