Ping Static NAT IP from Outside Address is very intermittent

Tom Menges
Level 1

We have an ASA 5510 and have set up the typical 1-to-1 static NAT addressing to multiple virtual machines. I have an access list for the outside interface to allow ICMP traffic in. What happens is it will ping an address, but it is very intermittent.

Basically:

access-list outside_access_in extended permit icmp any any echo

access-list outside_access_in extended permit icmp any any echo-reply

access-group outside_access_in in interface outside

NAT looks like this:

static (inside,outside) 1.1.1.10 192.168.21.10 netmask 255.255.255.255 dns

So as you can see, the private-to-public NAT is there and the access in from the outside is there as well. One note: the actual IP of the outside has been changed for security reasons. Also, if I ping my outside interface IP address, it replies back at 100 percent.

Not sure what is going on.

Outside interface security level 0

Inside interface security level 100

Any help would be appreciated if you have seen this before.             

3 Replies

Jouni Forss
VIP Alumni

Hi,

Is there any chance of the static NAT public IP address overlapping with some other NAT configuration?

Do you have access to the router in front of the ASA or is it purely in the control of the ISP? Or is your default gateway perhaps to the ISP Core? I would try to monitor the ARP for the public IP address and see that it at no point changes which would mean 2 different devices using the same public IP address.

I guess there might even be a possibility that the ISP has messed up the routing for the single public IP address (depending on how they provision public IP addresses for customer use). They might have the same public IP address routing to 2 different locations, which could mean that sometimes the connection works and sometimes not.

I would also, if possible, have some other publicly accessible host monitored from outside the ASA and see if you are seeing the same problem.

You could also capture the ICMP traffic (or other test traffic) on the ASA itself (I can give you the configuration if needed). Then you could upload the data from the ASA to a TFTP server and check whether the ASA is even seeing the Echo Reply from the "inside" host.

You could also constantly ICMP the host in question from the ASA directly to rule out having problem on the LAN routing/switching.

Even though it's not related to this problem, have you configured the following:

policy-map global_policy

class inspection_default

inspect icmp

It will enable the ICMP Echo Reply messages to go through the firewall automatically (provided the firewall has seen the Echo, of course).

- Jouni
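Jouni's suggestion to watch the ARP entry for the public IP can be scripted. The block below is an added example, not code from the thread: it parses successive ARP table snapshots (constructed here, in the interface/IP/MAC/age layout that Cisco's `show arp` prints) and reports any IP whose MAC changes between polls, which is the symptom of two devices claiming the same address.

```python
"""Flag public IPs whose ARP entry flips between MAC addresses across polls.

Each snapshot is the text of one ARP table poll in the layout
'<interface> <ip> <mac> <age>' (assumed; the snapshots below are constructed).
"""
import re
from collections import defaultdict

# Interface, dotted-quad IP and Cisco dotted-hex MAC (xxxx.xxxx.xxxx); age is ignored.
ARP_LINE = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4})"
)


def parse_arp_table(text):
    """Return {ip: mac} for every well-formed entry in one snapshot."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_flapping_ips(snapshots):
    """Return {ip: [macs in the order seen]} for IPs whose MAC changed between polls.

    Consecutive identical MACs are collapsed, so a stable entry yields one MAC
    and is not reported; an IP answered by two hosts yields two or more.
    """
    seen = defaultdict(list)
    for snap in snapshots:
        for ip, mac in parse_arp_table(snap).items():
            if not seen[ip] or seen[ip][-1] != mac:
                seen[ip].append(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


# Constructed polls: 1.1.1.10 (the static NAT address from the thread) alternates
# between two MACs, while 1.1.1.1 is stable.
SNAPSHOTS = [
    "outside 1.1.1.1 0050.56a1.0001 120\noutside 1.1.1.10 0050.56a1.0010 30\n",
    "outside 1.1.1.1 0050.56a1.0001 180\noutside 1.1.1.10 00e0.4c00.beef 5\n",
    "outside 1.1.1.1 0050.56a1.0001 240\noutside 1.1.1.10 0050.56a1.0010 2\n",
]

if __name__ == "__main__":
    for ip, macs in find_flapping_ips(SNAPSHOTS).items():
        print(f"{ip} answered from {len(macs)} different MACs: {' -> '.join(macs)}")
```

In practice the snapshots would come from polling the upstream router or the ASA itself with `show arp` every few seconds for a few minutes.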

Thanks for responding Jouni. I was just looking at the same information you just described. We may have an overlapped IP. I have sent the information over to our IT Admin that set up the ASA. I will have more information later. Hopefully removal of the possible overlapped config will take care of the issue.

My issues appear to be solved. All of our NAT'ing as well as our setup for the ICMP to be allowed was correct. I did resolve the issue with the duplicate NAT IP with the default pool IP, but that was not causing the issue; it was narrowed down to a server connected to a switch hanging off of the private (inside) interface. Once specific ports were shut down on this switch, our pings were received at 100%. We either have a Linux box with a badly configured Windows server or we flat out have a loop. Thank you all for your responses.
