ASA 5520 NAT ICMP replies Private and not Public

I have an ASA 5520 along with a Cisco 3745 Router. Here is the problem. I have two separate external networks coming into the ASA and one internal network, as you can see from the config of what I have. I have two Static Policy NAT entries pointing --> and -->
I also have four access rules that allow for ICMP and Telnet. I can telnet to and it opens the telnet session to, and I can also telnet to, which also works just fine. The pings however will not work unless I create a NAT rule that sends the traffic out the main GIG0/0 interface. I would like to be able to ping and get a reply from and not or the internal IP. I hope this makes sense...

This is my configuration:

asdm image disk0:/asdm-508.bin
asdm location L3_BPG_10_11
asdm location L3_10_12
no asdm history enable
: Saved
ASA Version 7.0(8)
hostname ciscoasa
domain-name default.domain.invalid
enable password NsS17GIs/Rj9OkMS encrypted
passwd bJO8SfDiWpZaUwph encrypted
interface GigabitEthernet0/0
 description Diamond DR Lan
 nameif DL_172_16
 security-level 100
 ip address
interface GigabitEthernet0/1
 description Internet Connection holding all IP's
 nameif L3_Internet
 security-level 5
 ip address
interface GigabitEthernet0/1.1
 description L3 BGP Network
 vlan 200
 nameif L3_BPG_10_11
 security-level 0
 ip address
interface GigabitEthernet0/1.2
 vlan 300
 nameif L3_10_12
 security-level 0
 ip address
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address
ftp mode passive
same-security-traffic permit inter-interface
access-list DL_172_16_pnat_outbound extended permit ip host any
access-list DL_172_16_pnat_outbound_V1 extended permit ip host any
access-list L3_BPG_10_11_access_in extended permit tcp any host eq telnet
access-list L3_BPG_10_11_access_in extended permit icmp any host
access-list L3_10_12_access_in extended permit tcp any host eq telnet
access-list L3_10_12_access_in extended permit icmp any host
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu DL_172_16 1500
mtu L3_Internet 1500
mtu L3_BPG_10_11 1500
mtu L3_10_12 1500
no failover
monitor-interface management
monitor-interface DL_172_16
monitor-interface L3_Internet
no monitor-interface L3_BPG_10_11
no monitor-interface L3_10_12
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (L3_BPG_10_11) 11 interface
global (L3_10_12) 12 interface
static (DL_172_16,L3_BPG_10_11)  access-list DL_172_16_pnat_outbound dns
static (DL_172_16,L3_10_12)  access-list DL_172_16_pnat_outbound_V1 dns
static (DL_172_16,L3_Internet) netmask
access-group L3_BPG_10_11_access_in in interface L3_BPG_10_11
access-group L3_10_12_access_in in interface L3_10_12
route L3_Internet 1
route L3_BPG_10_11 3
route L3_10_12 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet DL_172_16
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
: end

Are there 2 separate servers that you're accessing for testing, or is it just one server with 2 NICs? I.e. are and on completely separate devices?

jakmalAuthor Commented:
they are on the same Server.
That is likely the source of the problem. TCP, the protocol used for telnet, is session-based, thus the server is able to reply out the interface the traffic came in on and use the default gateway for that interface. But for non-session-based protocols like ICMP or UDP, using a single server with 2 interfaces and 2 default gateways will not work in that fashion. The server is unable to reply out the interface that the traffic came in on, thus ping appears not to work.

Is this a testing configuration or the end configuration? If it's the testing configuration, then use 2 separate servers to test the environment. If it's the end configuration, the only solution I can think of would be to PAT all internet traffic to the 2 inside interfaces.

jakmalAuthor Commented:
It is a test environment that will be mimicked in production. I have two ISP address spaces coming into the ASA and need to route them to the same server for web services. I will look into doing PAT.

jakmalAuthor Commented:
Here is a question around this then. Since I added NAT statements for anything internal to the external interface, my ICMP replies work, but I am getting replies from my internal address, not the public IP. Is there any way that these can be converted to proper public IPs? When I ping, I get replies from
Again, this is happening because the server can't send the traffic out the correct interface when you use ICMP. So you're seeing asymmetric routing. You send inbound traffic in to, but the replies come back out. Because you have 1 server with 2 default routes, one of those routes gets used for ICMP replies. So the traffic will appear to always come from that IP no matter which interface you ping.

jakmalAuthor Commented:
Actually the server has a single route back to the ASA. The IP address is just a secondary IP on the same network card. They are all part of a single network range, so the default gateway is the same, with gateway of
So the server has 1 NIC with 2 IPs on it, the primary being, and the additional being. If so, then again the issue is the same. The ICMP replies will use the default gateway and thus be seen as coming "from" the primary IP of the server. Is this a Windows 2008 server? If so, then you should be aware there are other issues that can arise from having 2 IPs on the same NIC on the same server. Here are some articles to review if using Windows:

Also, are you testing this through an Internet connection from a completely different subnet than one of the ones that you have on the firewall? If so, then it would not likely work. The ASA cannot use 2 default gateways at the same time. One will be used unless that interface is down, and then the other will be used. So you will not be able to connect this firewall to 2 Internet connections and access the external IPs from the Internet through 2 separate ISPs.

jakmalAuthor Commented:
Private IPs are and
ASA Interface GIG 0/1 Gateway Metric 1
ASA Sub interface VLAN200 GIG 0/1.1 -->
ASA Sub interface VLAN300 GIG 0/1.2 -->
The end game is that I have one ISP that is handing me two separate network schemes.  One is using BGP and the other is not using any BGP.
I would consider redesigning the solution to accomplish what you're trying to do.   Have 1 Outside interface to connect to the ISP router.  Have the ISP set a static route for the non-BGP subnet and point it directly to your firewall IP address.

Have 2 IP addresses on the server, setup static NATing for each IP address.   One into the BGP IP block and one in to the non-BGP IP block.

Doing it this way keeps the ASA from having to have 2 default gateways and be connected via 2 interfaces to the Internet.
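A worked configuration for the redesign just described, added here as an illustration and not taken from the thread. It keeps the poster's ASA 7.0 syntax and inside interface name DL_172_16, but collapses the two sub-interfaces into the single outside interface L3_Internet (assumed to keep that name) and uses placeholder addresses, since the thread's real IPs are not present on this page:

```cisco
! Added example: single outside interface, one default route, one static NAT per public IP.
! All addresses in <angle brackets> are placeholders; the thread's real IPs are not on this page.
interface GigabitEthernet0/1
 description Single link to the ISP router (BGP and non-BGP blocks both arrive here)
 nameif L3_Internet
 security-level 0
 ip address <ASA_OUTSIDE_IP> <OUTSIDE_MASK>
!
! Exactly one default route. The ISP statically routes the non-BGP block to <ASA_OUTSIDE_IP>,
! so no second gateway and no second outside interface are needed on the ASA.
route L3_Internet 0.0.0.0 0.0.0.0 <ISP_ROUTER_IP> 1
!
! One-to-one static NAT per server IP: the NIC's primary address maps into the BGP block,
! the secondary address maps into the non-BGP block. Both translations sit on the same
! outside interface, so an ICMP reply that the server sources from its primary IP is still
! matched to the existing connection and translated back to whichever public IP was pinged.
static (DL_172_16,L3_Internet) <PUBLIC_BGP_IP> <SERVER_PRIMARY_IP> netmask 255.255.255.255
static (DL_172_16,L3_Internet) <PUBLIC_NONBGP_IP> <SERVER_SECONDARY_IP> netmask 255.255.255.255
!
! Inbound policy on the outside interface: only telnet and ICMP echo to the two public
! addresses, mirroring the four rules in the original configuration. Restricting ICMP to
! type echo avoids opening every ICMP type to the server.
access-list L3_Internet_access_in extended permit tcp any host <PUBLIC_BGP_IP> eq telnet
access-list L3_Internet_access_in extended permit icmp any host <PUBLIC_BGP_IP> echo
access-list L3_Internet_access_in extended permit tcp any host <PUBLIC_NONBGP_IP> eq telnet
access-list L3_Internet_access_in extended permit icmp any host <PUBLIC_NONBGP_IP> echo
access-group L3_Internet_access_in in interface L3_Internet
!
! Optional: track echo/echo-reply as a stateful connection instead of relying on the
! inside-to-outside security-level default to let the replies out.
policy-map global_policy
 class inspection_default
  inspect icmp
```

While pinging each public IP from outside, `show xlate` should list both static entries and `show conn` should show an ICMP connection to the matching inside address; a reply sourced from the wrong public IP would indicate the ISP is still delivering one block to a different interface.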


jakmalAuthor Commented:
Thank you this is what I needed answered as to how to accomplish this.
jakmalAuthor Commented:
I was able to successfully build out the configuration and all was successful!!!  Thank you again.