Cisco ASA 5516 - Enable ICMP for Public IP (NAT)

Hi guys,

I've been working on an ASA5516 (newbie) and I've set up dynamic NAT for our internal servers so that each internal server corresponds to one public IP. The problem is I can't seem to ping any of my public IP addresses (for troubleshooting purposes) except for the ASA's outside interface IP. I know that my NAT is working properly since I was able to access the service hosted on my test server.

Sample:
outside interface: 208.80.10.1 /24
inside interface: 10.10.11.1 /24

nat (inside,outside) source static testsvr 208.80.10.10 service service-http service-http

I've already tried the commands below, but with no luck:

policy-map global_policy
 class inspection_default
   inspect icmp


icmp permit any outside
icmp permit any inside


access-list ACL-Outbound extended permit icmp any any
access-list ACL-Inbound extended permit icmp any any

access-group ACL-Outbound in interface inside
access-group ACL-Inbound in interface outside

Any advice? Thanks

Lester (Jr. Network Engineer) asked:
Ken Boone (Network Consultant) commented:
So I can interpret what you said in two ways. max_the_king is interpreting that you NATed all of your servers to a single IP. If that is correct, then yes, he is right. If you meant that you NATed each server to its own single IP address, then you can do what you want.

If that is the problem then your NAT statement is incorrect.

You did this:
nat (inside,outside) source static testsvr 208.80.10.10 service service-http service-http

You should do this:
nat (inside,outside) source static testsvr 208.80.10.10

What you did was NAT only in the case of an HTTP connection. What I showed you is a complete NAT for all traffic to that IP. Then you use your ACLs to control what ports are allowed in.
1
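As an added illustration of Ken's advice (constructed example, not configuration from this thread): on ASA 8.3 and later, one object-NAT statement maps the whole host, and the interface ACL, which references the real (untranslated) address, decides which protocols reach it. The host address 10.10.11.10 and the object names are assumptions; the public addresses are the ones from the question. Note that `icmp permit` only governs ICMP addressed to the ASA's own interfaces, which is why pings to the interface IP worked while pings to the mapped IP did not.

```cisco
! --- One NAT for all traffic to the test server (assumed real IP 10.10.11.10)
object network testsvr
 host 10.10.11.10
 nat (inside,outside) static 208.80.10.10
!
! --- Inbound ACL on the outside interface: ASA 8.3+ ACLs match the REAL address,
! --- so the rules reference the object, not 208.80.10.10.
access-list ACL-Inbound extended permit tcp any object testsvr eq 80
access-list ACL-Inbound extended permit icmp any object testsvr echo
access-group ACL-Inbound in interface outside
!
! --- Stateful ICMP inspection lets the echo-replies back out without an
! --- explicit rule; this is already on by default in the global policy.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! --- Verification commands (read-only):
!   show nat detail                      -> translate_hits should increment on a ping
!   show access-list ACL-Inbound         -> hitcnt on the icmp line should increment
!   packet-tracer input outside icmp 203.0.113.5 8 0 208.80.10.10
!   (203.0.113.5 is a documentation-range source address used only for the test)
```

When troubleshooting is finished, remove the `echo` line so the mapped address answers only on the service it hosts.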
 
max_the_king commented:
Hi,
you have NATed ONE public IP and shared this with MANY internal IPs... you cannot possibly ping them from outside (the ICMP packet wouldn't know which host it has to reach).

max
1
 
Lester (Jr. Network Engineer), author, commented:
Thanks for your reply, Ken. I will try to do this and will get back to you ASAP.
0
 
ArchiTech89 (IT Security Engineer) commented:
This is odd to me. If this is global NAT, then testsvr would have to be preceded with "network object", wouldn't it? And if this is object NAT, then there is no "source static", there's just "static" by itself. Isn't that correct?

I agree with Ken: use the ACLs to control the specific protocols/ports, either with keywords or service objects.
0
 
Ken Boone (Network Consultant) commented:
Yeah, ArchiTech89. There are so many variations now that under the object the NAT statement should have been

nat (inside, outside) source static 208.80.10.10
0
 
Lester (Jr. Network Engineer), author, commented:
Thank you all for your help, this case has been resolved.
0