Ping to PAT internal server on ASA 5510

Firewalls, PIX, ASA, VPN, Access Control List, User Authentication, Data Encryption and Best Practices.
Guest

Re:Ping to PAT internal server on ASA 5510

Post by Guest » Tue Jan 11, 2011 8:23 pm


static (dmz,outside) tcp global_IP ssh 172.16.XX.31 ssh netmask 255.255.255.255
static (dmz,outside) tcp global_IP 5900 172.16.XX.50 5900 netmask 255.255.255.255
static (dmz,outside) tcp global_IP https 172.16.XX.50 https netmask 255.255.255.255

With the above lines you cannot ping the global_ip from the internet. You need to have a static 1-1 translation configured for that, in addition to the ACL applied on the outside permitting this ICMP traffic.

ex:
static (dmz,outside) global_IP 172.16.XX.31 netmask 255.255.255.255

Now, there is another question: what if the global_ip is your outside interface IP? In that case you need to use the keyword "interface" and not specify the IP address.

ex:
static (dmz,outside) tcp interface ssh 172.16.XX.31 ssh netmask 255.255.255.255

Also, there is a question on this thread about whether PIX/ASA/FWSM respond to ICMP by default. PIX/ASA by default respond to ICMP requests unless it is specifically denied. On the FWSM, not just in new code but in all the code versions from the very beginning, ICMP is denied by default to the interfaces unless it is allowed.

ex:
icmp permit any inside
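The distinction drawn in the answer above, as an added example that is not part of the original post: a Python check that reads pre-8.3 `static` lines and reports whether an echo sent to a mapped address is translated to a DMZ host. The sample config, its addresses and the ACL name `outside_in` are constructed assumptions.

```python
import re

# Constructed sample (pre-8.3 static syntax). Addresses are documentation
# ranges and the ACL name "outside_in" is an assumption, not from the thread.
SAMPLE = """\
static (dmz,outside) tcp 203.0.113.10 ssh 172.16.0.31 ssh netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.10 https 172.16.0.50 https netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 172.16.0.31 netmask 255.255.255.255
access-list outside_in extended permit icmp any host 203.0.113.11 echo
access-group outside_in in interface outside
"""

def parse_statics(config):
    """Classify each static line as a port redirect or a 1-1 translation."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "static":
            continue
        if tok[2] in ("tcp", "udp") and len(tok) >= 7:
            # static (real_if,mapped_if) tcp mapped port real port ...
            rules.append({"kind": "port", "mapped": tok[3], "real": tok[5]})
        elif tok[2] not in ("tcp", "udp"):
            # static (real_if,mapped_if) mapped real ...
            rules.append({"kind": "one_to_one", "mapped": tok[2], "real": tok[3]})
    return rules

def icmp_permitted_to(config, addr, iface="outside"):
    """True if an ACL bound inbound on iface has 'permit icmp any host addr'.
    Simplified: ignores earlier deny lines, object-groups and 'any any' rules."""
    bound = set(re.findall(
        rf"^access-group (\S+) in interface {re.escape(iface)}\s*$", config, re.M))
    for line in config.splitlines():
        tok = line.split()
        if (len(tok) >= 8 and tok[0] == "access-list" and tok[1] in bound
                and tok[2:8] == ["extended", "permit", "icmp", "any", "host", addr]):
            return True
    return False

def ping_verdict(config, addr):
    """What happens to an ICMP echo sent from outside to the mapped address."""
    real = [r["real"] for r in parse_statics(config)
            if r["mapped"] == addr and r["kind"] == "one_to_one"]
    if not real:
        return ("not_translated", None)  # port redirects carry only their TCP/UDP port
    if not icmp_permitted_to(config, addr):
        return ("acl_blocks", real[0])
    return ("forwarded", real[0])

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.11"):
        print(ip, ping_verdict(SAMPLE, ip))
```

A 1-1 static exposes every protocol to the mapped host subject to the outside ACL, so the same parse is a quick way to list which DMZ hosts have that wider exposure.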

Guest

Re:Ping to PAT internal server on ASA 5510

Post by Guest » Tue Jan 11, 2011 8:40 pm


collin, cisco24x7, kusankar:

Thank you all for your reply. kusankar's post has cleared my question. I am going to ask my customer to assign another global IP, if possible, for static 1-1 translation (and also going to apply acl which permits the icmp traffic).

Thank you.
Masa
