The outside IPv4 addresses in a NAT pool can be configured to answer pings. ICMPv4 Echo Requests are answered with ICMPv4 Echo Replies.
In 1:1 NAT, ICMP Echo Requests are propagated to the host on the inside. The host identified by a NAT binding then answers the ping.
In Network Address Port Translation (NAPT), ICMP Echo Requests are not propagated to the hosts behind the NAT. Instead, the reply is issued by the SR OS from the ESA or ISA.
In NAPT, the behavior is as follows:
In L2-aware NAT when port-block-extensions is disabled, the reply from an outside IP address is generated only when the IP address has at least one host (binding) behind it.
In L2-aware NAT when port-block-extensions is enabled, the reply from an outside IP address is generated regardless of whether a binding is present.
In LSN, the reply from an outside IP address is generated regardless of whether a binding is present.
For security reasons, the ICMP Echo Reply functionality is disabled by default. The following commands enable the behavior:
Classic CLI
configure
    router
        nat
            outside
                pool <name> nat-group <id> type <large-scale|l2-aware|wlan-gw-anchor>
                    [no] icmp-echo-reply
MD-CLI
configure {
    router "Base" | service vprn <name> {
        nat {
            outside {
                pool <name> {
                    icmp-echo-reply <boolean>
                }
            }
        }
    }
}
This functionality is configured per pool, and it can be changed online while the pool is enabled.
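Because the setting is per pool and off by default, a configuration audit can list exactly which outside pools answer pings. The following is an added example, not Nokia code: it walks a brace-structured MD-CLI configuration laid out as shown above and reports the icmp-echo-reply state of each pool. The sample configuration, the pool and service names, and the function names are constructed for illustration.

```python
import re

# Constructed sample in the MD-CLI brace layout shown above.
SAMPLE_CONFIG = '''
configure {
    router "Base" {
        nat {
            outside {
                pool "lsn-pool-1" {
                    icmp-echo-reply true
                }
                pool "l2aw-pool-1" {
                }
            }
        }
    }
    service vprn "cust-a" {
        nat {
            outside {
                pool "lsn-pool-2" {
                    icmp-echo-reply false
                }
            }
        }
    }
}
'''

def _in_pool(stack):
    # True when the innermost context is <instance> / nat / outside / pool <name>.
    return (len(stack) >= 4 and stack[-1].startswith("pool ")
            and stack[-3:-1] == ["nat", "outside"])

def audit_icmp_echo_reply(config_text):
    """Return {(routing instance, pool name): enabled} for every outside pool."""
    stack, result = [], {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            if _in_pool(stack):
                # Leaf absent means the default applies: disabled.
                name = stack[-1].split(None, 1)[1].strip('"')
                result[(stack[-4], name)] = False
        elif line == "}":
            if stack:
                stack.pop()
        elif _in_pool(stack):
            m = re.fullmatch(r"icmp-echo-reply\s+(true|false)", line)
            if m:
                name = stack[-1].split(None, 1)[1].strip('"')
                result[(stack[-4], name)] = m.group(1) == "true"
    return result

def answering_pools(config_text):
    """Pools whose outside addresses answer ICMPv4 Echo Requests."""
    return sorted(k for k, v in audit_icmp_echo_reply(config_text).items() if v)
```

The parser relies only on the nat / outside / pool nesting, so the enclosing routing-instance line is reported as it appears in the input.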