Cisco ASA 5516 - Enable ICMP for Public IP (NAT)

Hi guys,

I've been working on ASA5516 (newbie) and I've set up Dynamic NAT for our internal servers so that each internal server corresponds to one public IP. The problem is I can't seem to ping any of my public IP addresses (for troubleshooting purposes) except for the ASA's outside interface IP. I know that my NAT is working properly since I was able to access the service hosted on my test server.

Sample:
outside interface: 208.80.10.1 /24
inside interface: 10.10.11.1 /24

nat (inside,outside) source static testsvr 208.80.10.10 service service-http service-http

I've already tried the commands below but with no luck:

policy-map global_policy
 class inspection_default
   inspect icmp


icmp permit any outside
icmp permit any inside


access-list ACL-Outbound extended permit icmp any any
access-list ACL-Inbound extended permit icmp any any

access-group ACL-Outbound in interface inside
access-group ACL-Inbound in interface outside

Any advice? Thanks

Lester
Lester, Jr. Network Engineer, asked:

max_the_king commented:
Hi,
you have NATted ONE public IP and shared this to MANY internal IPs ... you cannot possibly ping them from outside (an ICMP packet wouldn't know which host it has to reach).

max
1
Ken Boone, Network Consultant, commented:
So I can interpret what you said in two ways. max_the_king is interpreting that you NATted all of your servers to a single IP. If that is correct, then yes, he is right. If you meant that you NATted each server to its own single IP address, then you can do what you want.

If that is the problem then your NAT statement is incorrect.

You did this:
nat (inside,outside) source static testsvr 208.80.10.10 service service-http service-http

You should do this:
nat (inside,outside) source static testsvr 208.80.10.10

What you did was NAT only in the case of an HTTP connection. What I showed you is a complete NAT for all traffic to that IP. Then you use your ACLs to control what ports are allowed in.
1

Lester, Jr. Network Engineer (Author), commented:
Thanks for your reply, Ken. I will try to do this and will get back to you asap.
0
ArchiTech89, IT Security Engineer, commented:
This is odd to me. If this is global NAT, then testsvr would have to be preceded with a network object, wouldn't it? And if this is object NAT, then there is no source static; there's just static by itself. Isn't that correct?

I agree with Ken: use the ACLs to control the specific protocols/ports, either with keywords or service objects.
0
Ken Boone, Network Consultant, commented:
Yea ArchiTech89, there are so many variations now that under the object the nat statement should have been

nat (inside, outside) source static 208.80.10.10
0
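The two NAT forms discussed in Ken's correction and in ArchiTech89's comment, written out as an added example (not configuration from the thread or from either poster). Assumptions: the real address of testsvr is 10.10.11.10 (the question never states it), the interface addressing is as in the question, and the ASA runs 8.3 or later, where ACLs reference the real (untranslated) address. The service clause in the original rule scoped the translation to TCP/80 only, so an ICMP echo to 208.80.10.10 matched no NAT rule and was dropped; the `icmp permit` lines only govern ICMP terminated on the ASA's own interfaces, which is why the outside interface IP answered but the mapped host did not.

```cisco
! Added example, not the thread's own configuration.
! Assumed: testsvr = 10.10.11.10 (real), 208.80.10.10 (mapped), ASA 8.3+.
!
! Object NAT form (the "static by itself" ArchiTech89 describes): the nat
! line lives inside the network object and covers every protocol, so ICMP
! to 208.80.10.10 is translated to the host just like HTTP is.
object network testsvr
 host 10.10.11.10
 nat (inside,outside) static 208.80.10.10
!
! Equivalent twice-NAT form (Ken's correction, with the service clause
! removed). Twice NAT needs an object for the mapped address as well.
! Use one form or the other for a given host, not both:
!   object network testsvr-public
!    host 208.80.10.10
!   nat (inside,outside) source static testsvr testsvr-public
!
! The NAT rule now translates everything; the inbound ACL decides what is
! actually let through. Post-8.3 the ACL names the REAL address (the object),
! and ICMP is narrowed to echo requests rather than "icmp any any".
access-list ACL-Inbound extended permit tcp any object testsvr eq www
access-list ACL-Inbound extended permit icmp any object testsvr echo
access-group ACL-Inbound in interface outside
!
! ICMP inspection keeps echo replies stateful, so no rule for the return
! traffic is needed on the inside interface.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification from exec mode: confirm the rule and hit counts, then trace a
! simulated echo request (type 8, code 0) from a constructed outside address
! to the mapped IP and check that the NAT and ACL phases both show ALLOW.
!   show nat detail
!   packet-tracer input outside icmp 203.0.113.5 8 0 208.80.10.10
```

The `packet-tracer` run is the quickest way to tell the two failure modes apart: with the original service-scoped rule the trace stops at the NAT phase with no matching translation, whereas an ACL problem shows the translation succeeding and the access-list phase dropping the packet.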
Lester, Jr. Network Engineer (Author), commented:
Thank you all for your help, this case has been resolved.
0