ICMP echo-request: untranslating outside

Answered Question
Apr 26th, 2007


Hi, please help if you can


I'm trying to access from the outside interface using ping from a router 172.24.16.5, where there is a

ip route 172.24.16.8 255.255.255.255 172.24.16.7


The device I'm trying to ping is on the inside side of the PIX and has an IP of 10.10.10.175 and responds to ping from the PIX


The router 172.24.16.5 on the outside side of the PIX also responds to pings from the PIX


Enabling debug ICMP trace and pinging 172.24.16.8 from the router 172.24.16.5, I do get the following messages

----------------------------------------------------------------------------------------------------


macaefw2# debug icmp trace

ICMP trace on

Warning: this may cause problems on busy networks

macaefw2# 102: ICMP echo-request from outside:172.24.16.5 to 172.24.16.8 ID=56 seq=0 length=80

103: ICMP echo-request: untranslating outside:172.24.16.8 to inside:10.10.10.175

104: ICMP echo-request from outside:172.24.16.5 to 172.24.16.8 ID=56 seq=1 length=80

105: ICMP echo-request: untranslating outside:172.24.16.8 to inside:10.10.10.175


From the sh log enabled I do see

--------------------------------


605005: Login permitted from 172.22.20.142/3876 to outside:172.24.16.7/ssh for user "acergy"

111008: User 'enable_15' executed the 'debug icmp trace' command.

106100: access-list acl_outside permitted icmp outside/172.24.16.5(0) -> inside/172.24.16.8(8) hit-cnt 1 (first hit)


Also doing sh xlate I see

---------------------------


1 in use, 1 most used

Global 172.24.16.8 Local 10.10.10.175


The full configuration is below. Can you please tell me why ping does not work?

-------------------------------------------------------------------------------
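The symptom in the trace above (echo-requests are untranslated to the inside host, but no echo-reply ever comes back) can be picked out of `debug icmp trace` output automatically. This is an added example, not part of the original post; the function name is hypothetical, and the echo-reply line in the second sample is constructed by analogy with the request lines.

```python
import re
from collections import defaultdict

# "<n>: ICMP echo-request from outside:172.24.16.5 to 172.24.16.8 ID=56 seq=0 length=80"
PKT = re.compile(
    r"ICMP (echo-request|echo-reply) from (\w+):(\S+) to (\S+) ID=(\d+) seq=(\d+)")
# "<n>: ICMP echo-request: untranslating outside:172.24.16.8 to inside:10.10.10.175"
XLATE = re.compile(r"ICMP echo-request: untranslating \w+:(\S+) to (\w+):(\S+)")

# Trace lines as posted in the question.
PAGE_TRACE = """\
102: ICMP echo-request from outside:172.24.16.5 to 172.24.16.8 ID=56 seq=0 length=80
103: ICMP echo-request: untranslating outside:172.24.16.8 to inside:10.10.10.175
104: ICMP echo-request from outside:172.24.16.5 to 172.24.16.8 ID=56 seq=1 length=80
105: ICMP echo-request: untranslating outside:172.24.16.8 to inside:10.10.10.175
"""

# Constructed sample: the same request followed by a reply (assumed line format).
HEALTHY_TRACE = """\
201: ICMP echo-request from outside:172.24.16.5 to 172.24.16.8 ID=57 seq=0 length=80
202: ICMP echo-request: untranslating outside:172.24.16.8 to inside:10.10.10.175
203: ICMP echo-reply from inside:10.10.10.175 to 172.24.16.5 ID=57 seq=0 length=80
"""

def unanswered_echoes(trace):
    """Return {(src, global_dst, real_dst): [seq, ...]} for requests with no reply."""
    pending = {}   # (icmp id, seq) -> [src, global_dst, real_dst]
    last = None    # key of the most recent request, for the untranslate line
    for line in trace.splitlines():
        m = PKT.search(line)
        if m:
            kind, _ifc, src, dst, ident, seq = m.groups()
            key = (int(ident), int(seq))
            if kind == "echo-request":
                pending[key] = [src, dst, None]
                last = key
            else:
                pending.pop(key, None)   # reply seen: request was answered
            continue
        m = XLATE.search(line)
        if m and last in pending and pending[last][1] == m.group(1):
            pending[last][2] = m.group(3)   # record the real inside address
    result = defaultdict(list)
    for (_ident, seq), (src, dst, real) in sorted(pending.items()):
        result[(src, dst, real)].append(seq)
    return dict(result)
```

A non-empty result whose third field is filled in means the firewall accepted and untranslated the request, so the place to look is the return path from the inside host rather than the ACL or the static.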





Overall Rating: 5 (3 ratings)
ecouto Thu, 04/26/2007 - 03:12

Silly question: does the host 10.10.10.175 have a route back to the pix for the network 172.24.16.0/24, or a default gateway?


Cheers,


Emilio

acergygroup Thu, 04/26/2007 - 03:33

Not silly at all. The device is a display that controls a big crane. A route probably cannot be configured on it. I'm trying a proper PC on the same network this afternoon. Also I think that the IP settings on the display are IP 10.10.10.175 255.255.255.0 and no default gateway

mark.j.hodge Thu, 04/26/2007 - 03:25

In order for you to initiate traffic from the outside, you need either a static mapping from an outside address to an inside address, or to exempt the traffic from translation using a "nat 0" command.


ecouto Thu, 04/26/2007 - 03:27

If you look at the config file (Pix Problem.txt), he has a static already for this.


static (inside,outside) 172.24.16.8 10.10.10.175 netmask 255.255.255.255 0 0


Emilio

Jon Marshall Thu, 04/26/2007 - 04:55

Hi


As already suggested it does look like it could be a routing issue.


If the pix can ping the server on its 10.10.10.175 address, one thing you could do is translate the 172.24.16.5 address to the IP address of the internal interface of the pix, i.e.


nat (outside) 1 172.24.16.5 255.255.255.255 outside


global (inside) 1 interface


One caveat is that its clear on your full topology so this might mess other things up.


HTH


Jon



acergygroup Thu, 04/26/2007 - 05:44

Thanks, that sorted the issue. Can you please just clarify that it might not be working the other way because of the lack of default gateway configuration on the server .175. This is because it's not a server, it's a special device that controls a huge crane


Correct Answer
Jon Marshall Thu, 04/26/2007 - 06:01

Hi


Yes if you initiate the connection from the device it probably won't work.


What you could do that may work is, instead of natting the router IP 172.24.16.5 to the inside pix interface, you could NAT it to a spare 10.10.10.x address. This address needs to be in the same subnet as your .175 server.


So say 10.10.10.182 is spare.


nat (outside) 1 172.24.16.5 255.255.255.255 outside

global (inside) 1 10.10.10.182


If the address is in the same subnet as the pix internal interface then the pix should respond to the arp from your .175 server.

So from the .175 server you need to ping 10.10.10.182.


It might not work but it would be worth a try.


HTH


Jon

Correct Answer
Jon Marshall Thu, 04/26/2007 - 06:10

Hi


Amendment to previous post.


Use spare IP address 10.10.10.182.


Don't use NAT and global statements, so remove the existing one you setup for this.


Add


static (outside,inside) 10.10.10.182 172.24.16.5 netmask 255.255.255.255


Apologies for this


HTH


Jon
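Why presenting the router as a spare inside address helps a device that has no default gateway, as an added example that is not part of the original posts. The function names are hypothetical, and the model only covers the device's own reply decision (on-link, via a gateway, or nowhere to send), using the addresses given in the thread.

```python
import ipaddress

def reply_path(host_if, gateway, peer):
    """How a host configured as `host_if` (ip/mask) would answer `peer`."""
    iface = ipaddress.ip_interface(host_if)
    if ipaddress.ip_address(peer) in iface.network:
        return "on-link"            # host ARPs for the peer directly
    return "via-gateway" if gateway else "unreachable"

def check_outside_static(host_if, gateway, real_src, mapped_src=None):
    """Evaluate a ping from real_src, optionally presented to the inside as
    mapped_src (the effect of `static (outside,inside) mapped_src real_src`)."""
    iface = ipaddress.ip_interface(host_if)
    seen = ipaddress.ip_address(mapped_src or real_src)
    if mapped_src:
        net = iface.network
        # The alias must be a usable address in the device's own subnet,
        # otherwise the device still has no way to reach it.
        if seen not in net or seen in (net.network_address, net.broadcast_address):
            raise ValueError(f"{seen} is not a usable host address in {net}")
        if seen == iface.ip:
            raise ValueError(f"{seen} is the device's own address")
    return str(seen), reply_path(host_if, gateway, str(seen))

# Device settings as reported in the thread: 10.10.10.175 255.255.255.0, no gateway.
DEVICE = "10.10.10.175/255.255.255.0"

if __name__ == "__main__":
    print(check_outside_static(DEVICE, None, "172.24.16.5"))
    print(check_outside_static(DEVICE, None, "172.24.16.5", "10.10.10.182"))
```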

ecouto Thu, 04/26/2007 - 06:17

Hey Jon, Can you do statics like that in version 6.3(4)?


Emilio

Jon Marshall Thu, 04/26/2007 - 06:20

Hi Emilio


I have a pix 515E running 6.3(3) and I have a lot of these types of static commands on them, so I can't see why 6.3(4) wouldn't work.


HTH


Jon

ecouto Thu, 04/26/2007 - 06:34

Just asking because version 6.3 and version 7 change the way you can create statics and NATs. If you have it in use, it must work then.


Emilio
