01-04-2013 01:40 PM - edited 03-11-2019 05:43 PM
We have an ASA 5510 and have set up the typical 1-to-1 static NAT addressing to multiple virtual machines. I have an access list for the outside interface to allow ICMP traffic in. What happens is it will ping an address but it is very intermittent.
Basically:
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any echo-reply
access-group outside_access_in in interface outside
NAT looks like this:
static (inside,outside) 1.1.1.10 192.168.21.10 netmask 255.255.255.255 dns
So as you can see the private-to-public NAT is there and the access in from the outside is there as well. One note: the actual IP of the outside has been changed for security reasons. Also, if I ping my outside interface IP address, it replies back with 100 percent.
Not sure what is going on.
Outside interface security level 0
Inside interface security level 100
Any help would be appreciated if you have seen this before.
01-04-2013 01:51 PM
Hi,
Is there any chance of the Static NAT public IP address being overlapping with some other NAT configuration?
Do you have access to the router in front of the ASA or is it purely in the control of the ISP? Or is your default gateway perhaps to the ISP Core? I would try to monitor the ARP for the public IP address and see that it at no point changes which would mean 2 different devices using the same public IP address.
I guess there might even be possibility that the ISP has messed up the routing for the single public IP address (depending how they provision public IP addresses for customer use). They might have the same public IP address routing to 2 different locations which could mean that sometimes the connection work and sometimes not.
I would also, if possible, have some other publicly accessible host monitored from outside the ASA and see if you are seeing the same problem.
You could also capture the ICMP traffic (or other test traffic) on the ASA itself (I can give you the configuration if needed). Then you could upload the data from the ASA to a TFTP server and check whether the ASA is even seeing the Echo Reply from the "inside" host.
You could also constantly ICMP the host in question from the ASA directly to rule out having a problem on the LAN routing/switching.
Even though it's not related to this problem, have you configured the following:
policy-map global_policy
class inspection_default
inspect icmp
It will enable the ICMP Echo Reply messages to go through the firewall automatically (provided the firewall has seen the Echo, of course).
- Jouni
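One way to do the ARP monitoring Jouni suggests (watching whether the public NAT address ever answers from a different MAC, which would point to two devices claiming the same IP). This is an added example, not code from the thread; it assumes a Linux host upstream of the ASA with `ip -4 neigh` available, and the sample snapshots below are constructed, using the thread's placeholder address 1.1.1.10.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Accepts both `arp -n` lines ("1.1.1.10 ether 00:11:22:33:44:55 C eth0")
# and `ip neigh` lines ("1.1.1.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE").
MAC_RE = re.compile(r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_arp(output: str) -> Dict[str, str]:
    """Return {ip: mac} for every line that starts with an IPv4 address and carries a MAC."""
    table: Dict[str, str] = {}
    for line in output.splitlines():
        fields = line.split()
        if not fields or not IPV4_RE.fullmatch(fields[0]):
            continue  # header lines and incomplete entries are skipped
        m = MAC_RE.search(line)
        if m:
            table[fields[0]] = m.group(1).lower()
    return table


def detect_changes(snapshots: List[str], watch_ip: str) -> List[Tuple[int, str, str]]:
    """Walk successive ARP snapshots; report (poll_index, old_mac, new_mac) each time watch_ip moves."""
    changes: List[Tuple[int, str, str]] = []
    last: Optional[str] = None
    for i, snap in enumerate(snapshots):
        mac = parse_arp(snap).get(watch_ip)
        if mac is None:
            continue  # entry aged out; nothing to compare against
        if last is not None and mac != last:
            changes.append((i, last, mac))
        last = mac
    return changes


def live_arp() -> str:
    """Fetch the current IPv4 neighbour table (assumption: Linux with iproute2 on PATH)."""
    return subprocess.run(["ip", "-4", "neigh"], capture_output=True, text=True, check=True).stdout


# Constructed sample: three polls in which 1.1.1.10 is answered by two different MACs.
SAMPLE_SNAPSHOTS = [
    "1.1.1.10 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE\n1.1.1.1 dev eth0 lladdr 00:aa:bb:cc:dd:01 STALE",
    "1.1.1.10 dev eth0 lladdr 00:1a:2b:3c:4d:5e STALE\n1.1.1.1 dev eth0 lladdr 00:aa:bb:cc:dd:01 STALE",
    "1.1.1.10 dev eth0 lladdr 00:9f:8e:7d:6c:5b REACHABLE\n1.1.1.1 dev eth0 lladdr 00:aa:bb:cc:dd:01 STALE",
]

if __name__ == "__main__":
    for idx, old, new in detect_changes(SAMPLE_SNAPSHOTS, "1.1.1.10"):
        print(f"poll {idx}: 1.1.1.10 moved from {old} to {new} (possible duplicate IP)")
```

To run it for real, replace SAMPLE_SNAPSHOTS with repeated live_arp() calls on a timer and alert on any non-empty result.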
01-04-2013 02:01 PM
Thanks for responding Jouni. I was just looking at the same information you just described. We may have an overlapped IP. I have sent the information over to our IT Admin that set up the ASA. I will have more information later. Hopefully removal of the possible overlapped config will take care of the issue.
01-10-2013 05:17 AM
My issues appear to be solved. All of our NAT'ing as well as our setup for the ICMP to be allowed was correct. I did resolve the issue with the dup NAT IP with the default pool IP, but that was not causing the issue, and it was narrowed down to a server connected to a switch hanging off of the private (inside) interface. Once specific ports were shut down on this switch our pings were received at 100%. We either have a Linux box with a badly configured Windows server or we flat out have a loop. Thank you all for your responses.