Solved

Cisco ASA 5505, Ping an External IP address from inside the Network

Posted on 2013-02-06
Last Modified: 2013-03-11
I have just installed a new Cisco ASA 5505, I previously had a Juniper installed.

The problem I have is that I am unable to ping my external IP addresses from inside my network.
I have a bunch of static IP addresses from my ISP. These are used for servers inside my network. Let's say 50.130.90.100, 50.130.90.131 and so on. When I had the Juniper as my firewall I was able to ping these from inside my private network 192.168.2.x.

I am wondering how to configure the Cisco 5505 so that when I am inside the private network I can still ping my external IPs. I have a service running that requires a connection to the external IP, but users need to be able to log on from inside the network as well as outside.

Thanks
Question by:carloc
6 Comments
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 250 total points
ID: 38861678
Add inspect ICMP to the default inspection map, see my site here,

Cisco Firewalls and PING


Pete
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 38862884
Try adding

same-security-traffic permit intra-interface
0
 
LVL 8

Accepted Solution

by:pgolding00
pgolding00 earned 250 total points
ID: 38866564
By design it was not possible in the past to ping any interface other than the one closest to the client. With ICMP inspect (see Pete Long above) more is now possible, so it will depend on the version of code running.

With 1 to 1 host address translation for these servers and with names registered in DNS for each, and if DNS passes through the ASA, pinging by name from the inside will work, but only if the DNS query and reply pass through the ASA, and DNS inspect is configured. This works because the ASA sees the DNS response and looks up its address translation table. If it finds a match, then it substitutes the inside address into the DNS response. So the ping ends up being to the inside address, if the source is on the inside.

If this is not the situation, the comments above are more relevant. nat (inside,inside) might be needed also - again, depends on the version.
0

 
LVL 5

Expert Comment

by:Feroz Ahmed
ID: 38875192
Hi,

To ping from Inside to Outside and Outside to Inside network, your configuration should be as follows once you have configured the inside and outside interfaces.

ASA(config)# access-list 101 permit icmp any any echo-reply
ASA(config)# access-group 101 in interface outside (This configuration is for access from inside network to outside network)
ASA(config)# access-list 101 permit icmp any any (this is for access from outside to inside network)
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect icmp (this configuration is to inspect ICMP requests from inside to outside and outside to inside).
0
 

Author Comment

by:carloc
ID: 38951163
Hi,
I have eventually got this issue to work with NAT Hairpin. Then I created new NAT rules to allow an internal ping to resolve to the outside IP address.

I am not sure if this is one of the solutions mentioned above as my firewall skills are limited.

If it is, please let me know and I will award you the points.

Thanks for your help guys.
0
 
LVL 8

Expert Comment

by:pgolding00
ID: 38952195
I think Pete Long's and my comments cover the resolution you used. Anyone disagree?
0
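
Added example, not part of the original thread and not any poster's actual configuration: one way the pieces discussed above (intra-interface traffic, 1 to 1 NAT with DNS rewrite, a nat (inside,inside) hairpin rule, and ICMP inspection) fit together in ASA 8.3 and later object NAT syntax. The public address 50.130.90.100 and the 192.168.2.x inside network come from the question; the server's inside address 192.168.2.10, the test client 192.168.2.50 and all object names are assumptions made for illustration. Older code (8.2 and earlier) uses different NAT syntax.

```cisco
! Added example (ASA 8.3+ syntax). 192.168.2.10, 192.168.2.50 and the
! object names are constructed placeholders, not values from the thread.

! Let traffic enter and leave the same interface; without this the
! hairpinned flow is dropped before NAT is considered.
same-security-traffic permit intra-interface

object network INSIDE-NET
 subnet 192.168.2.0 255.255.255.0
object network SRV1-PUBLIC
 host 50.130.90.100

! Normal 1 to 1 static NAT for outside users. The "dns" keyword makes the
! ASA rewrite A records in DNS replies that pass through it, so inside
! clients resolving the server's name receive 192.168.2.10 instead.
object network SRV1-REAL
 host 192.168.2.10
 nat (inside,outside) static 50.130.90.100 dns

! Hairpin rule for inside clients that use the public address directly.
! Destination 50.130.90.100 is translated to 192.168.2.10, and the source
! is translated to the ASA inside interface address so the server's reply
! returns through the firewall instead of going straight to the client.
nat (inside,inside) source dynamic INSIDE-NET interface destination static SRV1-PUBLIC SRV1-REAL

! Stateful handling of ICMP echo/echo-reply, plus DNS inspection, which
! the DNS rewrite depends on (normally already in the default policy).
policy-map global_policy
 class inspection_default
  inspect dns
  inspect icmp

! Verification from the ASA itself:
!   show nat detail
!   show xlate
!   packet-tracer input inside icmp 192.168.2.50 8 0 50.130.90.100
```

The hairpin rule only covers clients that connect to the public address by IP; the DNS rewrite only helps when the DNS query and reply actually cross the ASA, as the accepted answer points out.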
