?
Solved

PAT, ping and ASA5520

Posted on 2011-02-12
4
Medium Priority
?
1,726 Views
Last Modified: 2012-05-11
Got to allow pings from a specific server to my global pat address.  The Outside interface has an address, and I've allowed pings to that.  The address that I use for PAT is not the same as that configured on Outside interface of my ASA.  How would I allow a specific server to ping that?
0
Comment
Question by:dcyberdoc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 34878920
Hi,


Please refer this page howto do it:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#s11

you need to enable echo on outside ACL

Best regards,
Istvan
0
 

Author Comment

by:dcyberdoc
ID: 34879708
First and foremost, thanks for taking the time to reply.  

Sadly, that is not the solution to my particular quandary and I must have been unclear on my issue.  I did find that document, but it didn't really address my particular situation.

I have enabled icmp echo on the outside interface.  The outside IP is ???.???.???.42.  The global pat ip is ???.???.???..8.  I CAN ping the outside interface - .42 - from the server I'm allowing icmp from (which I couldn't when I started this exercise).  I cannot ping the .8 address.

here are some relevant configs:

!
interface GigabitEthernet0/0
 description Trunk
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/0.100
 vlan xxx
 nameif outside
 security-level 0
 ip address ???.???.???.42 255.255.255.0 standby ???.???.???.43
!

icmp permit any echo-reply outside
icmp permit any outside

global (outside) 1 ???.???.???.8

access-list from-outside extended permit icmp host xxx.xxx.xxx.9 host ???.???.???.8 echo
access-list from-outside extended permit icmp host xxx.xxx.xxx.9 host ???.???.???..8 echo-reply

access-group from-outside in interface outside

Once again, thanks for your help.  
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 34880144
You cannot get there from here.
You cannot ping a dynamic address that is not assigned to an interface.
Your global address is a dynamic PAT address.
PAT address is only used to set up specific connections for outbound traffic and the translation is only made for the specific port requiring it, and only for the duration required to complete the connection.
In order for a natted IP to respond to a ping, there must be a static xlate to an internal host that will respond.
Since ICMP has no concept of individual ports, you cannot port-forward just icmp to an internal host, and keep the rest dynamic.


0
 

Author Closing Comment

by:dcyberdoc
ID: 34902684
When you can't, you can't.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question