
Ping to PAT internal server on ASA 5510

Firewalls, PIX, ASA, VPN, Access Control List, User Authentication, Data Encryption and Best Practices.


Post by Guest » Tue Jan 11, 2011 3:36 pm


Hi all,

My customer needs to enable ICMP destined for a global IP address which is PAT translated to two different internal servers...

My current configuration on the ASA 5510 is:

static (dmz,outside) tcp global_IP ssh 172.16.XX.31 ssh netmask 255.255.255.255

static (dmz,outside) tcp global_IP 5900 172.16.XX.50 5900 netmask 255.255.255.255

static (dmz,outside) tcp global_IP https 172.16.XX.50 https netmask 255.255.255.255

Is there any way to enable ping from outside to the global IP address?

Any suggestions are welcome...

Thanks in advance

Masa

Guest

Re: Ping to PAT internal server on ASA 5510

Post by Guest » Tue Jan 11, 2011 4:43 pm


Masa-

Do you have ICMP enabled? You should see something like this (or add this).

icmp permit any echo-reply outside

Guest
 

Re: Ping to PAT internal server on ASA 5510

Post by Guest » Tue Jan 11, 2011 6:05 pm


It does not matter if you have "icmp permit any outside". How can you ping a global IP address for tcp port-redirect of a global IP address if you do not have icmp translation?

It is NOT possible, AFAIK.  You can ping if you have a static entry with NO "tcp" or "udp" in the static entry.

I think Collin mis-read your original question.

Guest
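Added example (not posted by anyone in this thread): the pre-8.3 ASA configuration the reply above describes, shown beside the original port-redirect statics. `global_IP` and `global_IP2` are placeholders for two public addresses, `outside_in` is an assumed ACL name, and the choice of 172.16.XX.50 as the host that answers ping is an assumption; adjust to your address plan.

```text
! --- As posted: tcp port-redirect statics. They translate TCP only, so an
! --- ICMP echo sent to global_IP never matches any of them.
static (dmz,outside) tcp global_IP ssh 172.16.XX.31 ssh netmask 255.255.255.255
static (dmz,outside) tcp global_IP 5900 172.16.XX.50 5900 netmask 255.255.255.255
static (dmz,outside) tcp global_IP https 172.16.XX.50 https netmask 255.255.255.255

! --- Pingable variant: a one-to-one static (no "tcp"/"udp" keyword) translates
! --- every protocol, ICMP included, but maps global_IP to exactly ONE host.
! --- Here 172.16.XX.50 takes global_IP (assumption); its two port redirects
! --- above become redundant and are removed, and the ssh redirect for .31
! --- moves to a second public address so it does not overlap with the 1:1 entry.
static (dmz,outside) global_IP 172.16.XX.50 netmask 255.255.255.255
static (dmz,outside) tcp global_IP2 ssh 172.16.XX.31 ssh netmask 255.255.255.255

! --- Because the 1:1 static exposes ALL ports of .50, the outside ACL is now the
! --- only thing limiting exposure: permit just the intended ports plus echo.
! --- Pre-8.3 ACLs reference the global (translated) address.
access-list outside_in extended permit icmp any host global_IP echo
access-list outside_in extended permit tcp any host global_IP eq https
access-list outside_in extended permit tcp any host global_IP eq 5900
access-list outside_in extended permit tcp any host global_IP2 eq ssh
access-group outside_in in interface outside

! --- Optional: track echo/echo-reply statefully instead of relying on the
! --- default higher-to-lower (dmz -> outside) permit for the reply.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Note that `icmp permit any echo-reply outside` only governs pings addressed to the ASA's own interface; it has no effect on traffic passing through to a translated server, which is why the port-redirect statics alone never answered. Check the result with `show xlate` (the 1:1 entry appears without a port) and `show access-list outside_in` hit counts after a test ping from outside.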
 

Re: Ping to PAT internal server on ASA 5510

Post by Guest » Tue Jan 11, 2011 6:16 pm


Read too fast- I thought the translations were to the interface in which the only way to ping is to the interface of the ASA and hence the icmp permit any echo outside.

Guest
 

Re: Ping to PAT internal server on ASA 5510

Post by Guest » Tue Jan 11, 2011 7:11 pm


I don't think that is correct either.

By default, the ASA will ALLOW you to ping the interface without entering any "icmp permit any" commands.

Unless the original poster has already dis-allowed icmp or whatever restrictions to the outside interface, he/she should be able to ping the interface without any issues.

Now this is a different story if you use FWSM. FWSM, the new code, will deny by default, whereas ASA/PIX by default will allow unless explicitly denied.

Guest