Solved

Cisco ASA 5505, Ping an External IP address from inside the Network

Posted on 2013-02-06
6
1,975 Views
Last Modified: 2013-03-11
I have just installed a new Cisco ASA 5505, I previously had a Juniper installed.

The problem I have is that I am unable to ping my external IP addresses from inside my network.
I have a bunch of static IP addresses from my ISP. These are used for servers inside my network. lets say 50.130.90.100, 50.130.90.131 and so on. When I had the juniper as my firewall I was able to ping these from inside my private network 192.168.2.x

I am wondering how to configure the Cisco 5505 so that when I am inside the private network I can still ping my external IP's. I have a service running that requires a connection the external IP but users need to be able to log on from inside the network as well as outside.

THanks
0
Comment
Question by:carloc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 250 total points
ID: 38861678
Add inspect ICMP to the default inspection map, see my site here,

Cisco Firewalls and PING


Pete
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 38862884
Try adding

same-security-traffic permit intra-interface
0
 
LVL 8

Accepted Solution

by:
pgolding00 earned 250 total points
ID: 38866564
by design it was not possible in the past to ping any interface other than the one closest to the client. with icmp inspect (see Pete Long above) more is now possible, so it will depend on the version of code running.

with 1 to 1 host address translation for these servers and with names registered in dns for each, and if dns passes through the asa, pinging by name from the inside will work, but only if the dns query and reply pass through the asa, and dns inspect is configured. this works because the asa sees the dns response and looks up its address translation table. if it finds a match, then it substitutes the inside address into the dns response. so the ping ends up being to the inside address, if the source is on the inside.

if this is not the situation, the comments above are more relevant. nat (inside,inside) might be needed also - again, depends on the version.
0
IoT Devices - Fast, Cheap or Secure…Pick Two

The IoT market is growing at a rapid pace and manufacturers are under pressure to quickly provide new products. Can you be sure that your devices do what they're supposed to do, while still being secure?

 
LVL 5

Expert Comment

by:Feroz Ahmed
ID: 38875192
Hi,

To ping from Inside to Outside and Outside to Inside Network,your configuration should be as follows once you have configured inside and Outside Interfaces.

ASA(Config)#access-list 101 permit icmp any any echo-reply
ASA(Config)#access-group in interface outside (This configuration for access from Inside network to outside network)
ASA(Config)#access-list 101 permit icmp any any  (this is for access from outside to Inside network)
ASA(Config)#policy-map global_policy
ASA(Config)#class inspection_default
ASA(Config)#Inspect icmp  (this configuration to Inspect ICMP request from inside to outside and outside to Inside).
0
 

Author Comment

by:carloc
ID: 38951163
Hi,
I have eventually got this issue to work with NAT Hairpin. Then I created new NAT rules to allow the an internal ping to resolve to the outside IP address.

I am not sure if this is one of the solutions mentioned above as my firewall skills are limited.

If it is please let me know and I will award you the points.

Thanks for your help guys.
0
 
LVL 8

Expert Comment

by:pgolding00
ID: 38952195
i think Pete Long's and my comments cover the resolution you used. anyone disagree?
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question