Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Cisco ASA 5505, Ping an External IP address from inside the Network

Posted on 2013-02-06
6
Medium Priority
?
2,083 Views
Last Modified: 2013-03-11
I have just installed a new Cisco ASA 5505, I previously had a Juniper installed.

The problem I have is that I am unable to ping my external IP addresses from inside my network.
I have a bunch of static IP addresses from my ISP. These are used for servers inside my network. lets say 50.130.90.100, 50.130.90.131 and so on. When I had the juniper as my firewall I was able to ping these from inside my private network 192.168.2.x

I am wondering how to configure the Cisco 5505 so that when I am inside the private network I can still ping my external IP's. I have a service running that requires a connection the external IP but users need to be able to log on from inside the network as well as outside.

THanks
0
Comment
Question by:carloc
6 Comments
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 750 total points
ID: 38861678
Add inspect ICMP to the default inspection map, see my site here,

Cisco Firewalls and PING


Pete
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 38862884
Try adding

same-security-traffic permit intra-interface
0
 
LVL 8

Accepted Solution

by:
pgolding00 earned 750 total points
ID: 38866564
by design it was not possible in the past to ping any interface other than the one closest to the client. with icmp inspect (see Pete Long above) more is now possible, so it will depend on the version of code running.

with 1 to 1 host address translation for these servers and with names registered in dns for each, and if dns passes through the asa, pinging by name from the inside will work, but only if the dns query and reply pass through the asa, and dns inspect is configured. this works because the asa sees the dns response and looks up its address translation table. if it finds a match, then it substitutes the inside address into the dns response. so the ping ends up being to the inside address, if the source is on the inside.

if this is not the situation, the comments above are more relevant. nat (inside,inside) might be needed also - again, depends on the version.
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 5

Expert Comment

by:Feroz Ahmed
ID: 38875192
Hi,

To ping from Inside to Outside and Outside to Inside Network,your configuration should be as follows once you have configured inside and Outside Interfaces.

ASA(Config)#access-list 101 permit icmp any any echo-reply
ASA(Config)#access-group in interface outside (This configuration for access from Inside network to outside network)
ASA(Config)#access-list 101 permit icmp any any  (this is for access from outside to Inside network)
ASA(Config)#policy-map global_policy
ASA(Config)#class inspection_default
ASA(Config)#Inspect icmp  (this configuration to Inspect ICMP request from inside to outside and outside to Inside).
0
 

Author Comment

by:carloc
ID: 38951163
Hi,
I have eventually got this issue to work with NAT Hairpin. Then I created new NAT rules to allow the an internal ping to resolve to the outside IP address.

I am not sure if this is one of the solutions mentioned above as my firewall skills are limited.

If it is please let me know and I will award you the points.

Thanks for your help guys.
0
 
LVL 8

Expert Comment

by:pgolding00
ID: 38952195
i think Pete Long's and my comments cover the resolution you used. anyone disagree?
0

Featured Post

Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question