Solved

PAT, ping and ASA5520

Posted on 2011-02-12
Last Modified: 2012-05-11
Got to allow pings from a specific server to my global pat address.  The Outside interface has an address, and I've allowed pings to that.  The address that I use for PAT is not the same as that configured on Outside interface of my ASA.  How would I allow a specific server to ping that?
Question by:dcyberdoc
4 Comments
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 34878920
Hi,


Please refer to this page for how to do it:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#s11

You need to enable echo on the outside ACL.

Best regards,
Istvan
0
 

Author Comment

by:dcyberdoc
ID: 34879708
First and foremost, thanks for taking the time to reply.  

Sadly, that is not the solution to my particular quandary and I must have been unclear on my issue.  I did find that document, but it didn't really address my particular situation.

I have enabled ICMP echo on the outside interface.  The outside IP is ???.???.???.42.  The global PAT IP is ???.???.???.8.  I CAN ping the outside interface - .42 - from the server I'm allowing ICMP from (which I couldn't when I started this exercise).  I cannot ping the .8 address.

Here are some relevant configs:

!
interface GigabitEthernet0/0
 description Trunk
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/0.100
 vlan xxx
 nameif outside
 security-level 0
 ip address ???.???.???.42 255.255.255.0 standby ???.???.???.43
!

icmp permit any echo-reply outside
icmp permit any outside

global (outside) 1 ???.???.???.8

access-list from-outside extended permit icmp host xxx.xxx.xxx.9 host ???.???.???.8 echo
access-list from-outside extended permit icmp host xxx.xxx.xxx.9 host ???.???.???.8 echo-reply

access-group from-outside in interface outside

Once again, thanks for your help.  
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 34880144
You cannot get there from here.
You cannot ping a dynamic address that is not assigned to an interface.
Your global address is a dynamic PAT address.
A PAT address is only used to set up specific connections for outbound traffic and the translation is only made for the specific port requiring it, and only for the duration required to complete the connection.
In order for a natted IP to respond to a ping, there must be a static xlate to an internal host that will respond.
Since ICMP has no concept of individual ports, you cannot port-forward just icmp to an internal host, and keep the rest dynamic.


0
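The behaviour described in the accepted answer, as an added example that is not part of the original thread: a simplified Python model of a translation (xlate) table, not ASA code. All addresses, the class and its method names are constructed for illustration, and the model assumes echo to the interface address is permitted.

```python
from dataclasses import dataclass, field

# Constructed sample addresses (documentation ranges), not the poster's.
IFACE_IP = "203.0.113.42"   # outside interface address
PAT_IP = "203.0.113.8"      # dynamic PAT (global) address
STATIC_IP = "203.0.113.10"  # hypothetical address with a static translation

@dataclass
class Firewall:
    """Toy xlate table for ICMP only; a model, not full ASA behaviour."""
    static: dict = field(default_factory=dict)   # global IP -> inside IP
    dynamic: dict = field(default_factory=dict)  # mapped ICMP id -> (inside IP, real id)
    next_id: int = 1024

    def outbound_echo(self, inside_ip, ident):
        """Inside host pings out: a PAT entry is created for this flow only."""
        mapped = self.next_id
        self.next_id += 1
        self.dynamic[mapped] = (inside_ip, ident)
        return PAT_IP, mapped

    def expire(self, mapped):
        """Flow finished or timed out: the dynamic entry is removed."""
        self.dynamic.pop(mapped, None)

    def inbound(self, dst_ip, icmp_type, ident):
        """Decide the fate of an ICMP packet arriving on the outside."""
        if dst_ip == IFACE_IP:
            # Assumption: echo to the interface itself is permitted.
            return "firewall answers" if icmp_type == "echo" else "drop"
        if dst_ip in self.static:
            return f"forward to {self.static[dst_ip]}"
        if dst_ip == PAT_IP and icmp_type == "echo-reply" and ident in self.dynamic:
            return f"forward to {self.dynamic[ident][0]}"
        return "drop: no xlate"

def demo():
    fw = Firewall(static={STATIC_IP: "10.0.0.5"})
    results = [fw.inbound(IFACE_IP, "echo", 7), fw.inbound(PAT_IP, "echo", 7)]
    _, mapped = fw.outbound_echo("10.0.0.20", 99)
    results.append(fw.inbound(PAT_IP, "echo-reply", mapped))  # return traffic
    results.append(fw.inbound(PAT_IP, "echo", mapped))        # new inbound ping
    fw.expire(mapped)
    results.append(fw.inbound(PAT_IP, "echo-reply", mapped))  # entry is gone
    results.append(fw.inbound(STATIC_IP, "echo", 7))
    return results

if __name__ == "__main__":
    for line in demo():
        print(line)
```

An ACL entry permitting echo to the PAT address changes none of these results, because the drop comes from the missing translation rather than from filtering.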
 

Author Closing Comment

by:dcyberdoc
ID: 34902684
When you can't, you can't.
0


Question has a verified solution.
