Cannot get connectivity through static mappings on Cisco ASA 5510 security appliance

I have been trying in vain to get two statically mapped IP addresses to communicate through a Cisco ASA 5510 via ports 11159 and 11160. The IP addresses are mapped to local IPs on a LAN, and they belong to two pieces of German manufacturing equipment, which I know nothing about. I can ping the two IPs locally (10.1.1.52, .53) but cannot ping from outside the ASA (68.91.221.24, 23). I can ping any of my statically mapped Microsoft servers from outside the firewall. What the heck am I doing wrong? I created a similar scenario yesterday for a video system in less than 5 minutes and it works fine. The company needing access is in Germany and I have to go back and forth each day due to time differences. Any help is desperately needed! Current running config is attached. The mappings to port 80 for these IPs are strictly for testing and are not needed.
  asa5510.txt
djaabramsAsked:
MikeKaneCommented:
I only see 1 static for 10.1.1.52.
static (inside,outside) 68.91.221.23 10.1.1.52 netmask 255.255.255.255

I do not see a static for a 10.1.1.53 address. You will need to add this. (I do see a mapping for 10.1.1.52, did you mean 52 instead?)

The access lists only show 11159 to 1 IP and 11160 to the 2nd. The ACL should instead look like this to allow both ports to both IPs:
access-list outsideACL extended permit tcp any host 68.91.221.24 eq 11159
access-list outsideACL extended permit tcp any host 68.91.221.23 eq 11159
access-list outsideACL extended permit tcp any host 68.91.221.24 eq 11160
access-list outsideACL extended permit tcp any host 68.91.221.23 eq 11160
MikeKaneCommented:
Oops:
I do see a mapping for 10.1.1.52, did you mean 52 instead?)

should read
I do see a mapping for 10.1.1.51, did you mean 51 instead?)
djaabramsAuthor Commented:
I'm sorry, the internal IPs are .51 and .52. The specs given to me by the company just called for port 11159 to be assigned to one machine, and 11160 assigned to the other. No clue why, just doing what they asked. I still don't understand why the ASA won't pass ICMP requests through the static mapping.
MikeKaneCommented:
Oh - I didn't know you wanted ICMP ping. The stuff I gave you is just TCP for those ports.

For icmp you'll need:
access-list outside_access_in extended permit icmp any any

or for just the 2 hosts:
access-list outside_access_in extended permit icmp any host 68.91.221.24
access-list outside_access_in extended permit icmp any host 68.91.221.23
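As an added example that is not from the thread or from the poster's attached asa5510.txt, here is a small Python audit that reads ASA 8.2-style static and access-list lines (the pre-8.3 form where the ACL names the mapped public address, as the thread does) and reports, for each required public IP, whichever piece Mike's two replies asked for that is still missing: the static itself, the TCP port permits, or the ICMP permit. The config excerpt and the REQUIRED table are constructed from the addresses and ports mentioned in the thread.

```python
import re

# Constructed ASA 8.2-style excerpt modelled on the thread, not the poster's real asa5510.txt.
SAMPLE_CONFIG = """
static (inside,outside) 68.91.221.23 10.1.1.52 netmask 255.255.255.255
access-list outsideACL extended permit tcp any host 68.91.221.24 eq 11159
access-list outsideACL extended permit tcp any host 68.91.221.23 eq 11160
access-list outsideACL extended permit icmp any host 68.91.221.24
"""

# What the vendor asked for (constructed): both ports on both hosts, plus ping for testing.
REQUIRED = {
    "68.91.221.23": ("10.1.1.52", [11159, 11160]),
    "68.91.221.24": ("10.1.1.51", [11159, 11160]),
}

STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list \S+ extended permit (\w+) any (?:host (\S+)|any)(?: eq (\w+))?$")

def parse_config(text):
    """Return ({public_ip: inside_ip}, {(proto, dst, port)}) from the static and ACL lines."""
    statics, acl = {}, set()
    for line in text.splitlines():
        line = line.strip()
        m = STATIC_RE.match(line)
        if m:
            statics[m.group(1)] = m.group(2)
            continue
        m = ACL_RE.match(line)
        if m:
            acl.add((m.group(1), m.group(2) or "any", m.group(3)))
    return statics, acl

def audit(text, required):
    """List every static or ACL entry that is still missing for the required public IPs."""
    statics, acl = parse_config(text)
    findings = []
    for pub, (inside, ports) in required.items():
        if pub not in statics:
            findings.append(f"{pub}: no static mapping (expected one to {inside})")
        elif statics[pub] != inside:
            findings.append(f"{pub}: static maps to {statics[pub]}, expected {inside}")
        for port in ports:
            if ("tcp", pub, str(port)) not in acl:
                findings.append(f"{pub}: ACL does not permit tcp/{port}")
        if ("icmp", pub, None) not in acl and ("icmp", "any", None) not in acl:
            findings.append(f"{pub}: ACL does not permit icmp, so ping from outside fails")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, REQUIRED):
        print(finding)
```

Against the constructed excerpt it reports the second static and the crossed-over port permits as missing; once the lines from Mike's replies are added it reports nothing.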
djaabramsAuthor Commented:
I have those commands in place, and still cannot ping through the firewall. Pinging on the local LAN works fine, so I know that the machines are capable of responding to ICMP echoes. Is it possible that there is something wrong with the external IP addresses? We have the range of 68.91.221.17-30. I have at least 8 devices with static mappings that I can ping and access through the firewall. I'm perplexed at this point.
MikeKaneCommented:
Quite right on the ACL - my bad.

Try the following:

policy-map global_policy
 class inspection_default
  inspect icmp

djaabramsAuthor Commented:
still no luck...
3nerdsCommented:
Just going to add an outside perspective, as Mike has covered what I would have. By chance, is the default gateway on the German piece of equipment either missing or wrong? Reason I ask is the config looks sound and you have an odd (different than I would use) inside address.

Good Luck.

3nerds
djaabramsAuthor Commented:
It is possible, although they treat the equipment as "top secret" and won't let me look at the config. They did ask me for the default gateway when they first got here to work. Unfortunately they left the country this afternoon and I can no longer ping their machines locally. Incidentally, I agree about the IP scheme, but it was designed a decade ago when another vendor installed a 3COM IP phone system. I will have to abandon the question for now since I have no method of testing. Thanks all for the comments and assistance.
MikeKaneCommented:
Nice catch 3nerds...