Solved

PAT, ping and ASA5520

Posted on 2011-02-12
4
1,721 Views
Last Modified: 2012-05-11
Got to allow pings from a specific server to my global pat address.  The Outside interface has an address, and I've allowed pings to that.  The address that I use for PAT is not the same as that configured on Outside interface of my ASA.  How would I allow a specific server to ping that?
0
Comment
Question by:dcyberdoc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 34878920
Hi,


Please refer this page howto do it:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#s11

you need to enable echo on outside ACL

Best regards,
Istvan
0
 

Author Comment

by:dcyberdoc
ID: 34879708
First and foremost, thanks for taking the time to reply.  

Sadly, that is not the solution to my particular quandary and I must have been unclear on my issue.  I did find that document, but it didn't really address my particular situation.

I have enabled icmp echo on the outside interface.  The outside IP is ???.???.???.42.  The global pat ip is ???.???.???..8.  I CAN ping the outside interface - .42 - from the server I'm allowing icmp from (which I couldn't when I started this exercise).  I cannot ping the .8 address.

here are some relevant configs:

!
interface GigabitEthernet0/0
 description Trunk
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/0.100
 vlan xxx
 nameif outside
 security-level 0
 ip address ???.???.???.42 255.255.255.0 standby ???.???.???.43
!

icmp permit any echo-reply outside
icmp permit any outside

global (outside) 1 ???.???.???.8

access-list from-outside extended permit icmp host xxx.xxx.xxx.9 host ???.???.???.8 echo
access-list from-outside extended permit icmp host xxx.xxx.xxx.9 host ???.???.???..8 echo-reply

access-group from-outside in interface outside

Once again, thanks for your help.  
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 125 total points
ID: 34880144
You cannot get there from here.
You cannot ping a dynamic address that is not assigned to an interface.
Your global address is a dynamic PAT address.
PAT address is only used to set up specific connections for outbound traffic and the translation is only made for the specific port requiring it, and only for the duration required to complete the connection.
In order for a natted IP to respond to a ping, there must be a static xlate to an internal host that will respond.
Since ICMP has no concept of individual ports, you cannot port-forward just icmp to an internal host, and keep the rest dynamic.


0
 

Author Closing Comment

by:dcyberdoc
ID: 34902684
When you can't, you can't.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question