Solved

Cisco ASA 5505, Ping an External IP address from inside the Network

Posted on 2013-02-06
6
1,918 Views
Last Modified: 2013-03-11
I have just installed a new Cisco ASA 5505, I previously had a Juniper installed.

The problem I have is that I am unable to ping my external IP addresses from inside my network.
I have a bunch of static IP addresses from my ISP. These are used for servers inside my network. lets say 50.130.90.100, 50.130.90.131 and so on. When I had the juniper as my firewall I was able to ping these from inside my private network 192.168.2.x

I am wondering how to configure the Cisco 5505 so that when I am inside the private network I can still ping my external IP's. I have a service running that requires a connection the external IP but users need to be able to log on from inside the network as well as outside.

THanks
0
Comment
Question by:carloc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 250 total points
ID: 38861678
Add inspect ICMP to the default inspection map, see my site here,

Cisco Firewalls and PING


Pete
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 38862884
Try adding

same-security-traffic permit intra-interface
0
 
LVL 8

Accepted Solution

by:
pgolding00 earned 250 total points
ID: 38866564
by design it was not possible in the past to ping any interface other than the one closest to the client. with icmp inspect (see Pete Long above) more is now possible, so it will depend on the version of code running.

with 1 to 1 host address translation for these servers and with names registered in dns for each, and if dns passes through the asa, pinging by name from the inside will work, but only if the dns query and reply pass through the asa, and dns inspect is configured. this works because the asa sees the dns response and looks up its address translation table. if it finds a match, then it substitutes the inside address into the dns response. so the ping ends up being to the inside address, if the source is on the inside.

if this is not the situation, the comments above are more relevant. nat (inside,inside) might be needed also - again, depends on the version.
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 5

Expert Comment

by:Feroz Ahmed
ID: 38875192
Hi,

To ping from Inside to Outside and Outside to Inside Network,your configuration should be as follows once you have configured inside and Outside Interfaces.

ASA(Config)#access-list 101 permit icmp any any echo-reply
ASA(Config)#access-group in interface outside (This configuration for access from Inside network to outside network)
ASA(Config)#access-list 101 permit icmp any any  (this is for access from outside to Inside network)
ASA(Config)#policy-map global_policy
ASA(Config)#class inspection_default
ASA(Config)#Inspect icmp  (this configuration to Inspect ICMP request from inside to outside and outside to Inside).
0
 

Author Comment

by:carloc
ID: 38951163
Hi,
I have eventually got this issue to work with NAT Hairpin. Then I created new NAT rules to allow the an internal ping to resolve to the outside IP address.

I am not sure if this is one of the solutions mentioned above as my firewall skills are limited.

If it is please let me know and I will award you the points.

Thanks for your help guys.
0
 
LVL 8

Expert Comment

by:pgolding00
ID: 38952195
i think Pete Long's and my comments cover the resolution you used. anyone disagree?
0

Featured Post

Forrester Webinar: xMatters Delivers 261% ROI

Guest speaker Dean Davison, Forrester Principal Consultant, explains how a Fortune 500 communication company using xMatters found these results: Achieved a 261% ROI, Experienced $753,280 in net present value benefits over 3 years and Reduced MTTR by 91% for tier 1 incidents.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Show IP BGP Information 10 73
Advice on router and switch 25 85
pfsense upgrade from 2.2.6 to 2.3.3 28 89
Cisco Nexus 5 61
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
Arrow Electronics was searching for a KVM  (Keyboard/Video/Mouse) switch that could display on one single monitor the current status of all units being tested on the rack.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question