Deny Inbound Message

Unanswered Question
Jun 4th, 2007
I am having an issue with trying to get a ping through a PIX515 with OS6.2(4). The message I keep getting, and I am unsure as to why, is as follows:


106011: Deny inbound (No xlate) icmp src ACCNT:ACCA2-BK_Fas00 dst ACCNT:ACCAS1_Tunnel3 (type 8, code 0)


The config is attached. I would be grateful if someone could assist please.


Thanks,


Timothy







By default the PIX does not allow inbound ICMP packets. ICMP is somewhat stateless and thus Ping will not work outbound unless you explicitly allow certain packets in through the access-list. I.e.


access-list inside_access_in permit icmp any any unreachable
access-list inside_access_in permit icmp any any echo-reply
access-list inside_access_in permit icmp any any time-exceeded
access-list inside_access_in permit icmp any any traceroute


tbogie_gvds Wed, 06/06/2007 - 23:51

Wouldn't these statements do roughly the same thing?



!
name 172.16.4.138 ACCAS1_Tunnel3
name 172.16.4.6 ACCA2-BK_Fas00
pdm location ACCA2-BK_Fas00 255.255.255.255 inside
!
object-group network GRE_Tunnel_INSIDE
network-object ACCA2-BK_Fas00 255.255.255.255
!
object-group icmp-type Management_PING
icmp-object unreachable
icmp-object time-exceeded
icmp-object echo-reply
icmp-object source-quench
!
access-list inside_access_in permit icmp object-group GRE_Tunnel_INSIDE host ACCAS1_Tunnel3 echo
!
access-list ACCNT_access_in permit icmp host ACCAS1_Tunnel3 object-group GRE_Tunnel_INSIDE object-group Management_PING
!
static (inside,ACCNT) ACCA2-BK_Fas00 ACCA2-BK_Fas00 netmask 255.255.255.255 0 0
!
access-group inside_access_in in interface inside
access-group ACCNT_access_in in interface ACCNT
!
route inside 172.16.4.4 255.255.255.252 ACCANSBK_Untrust
route ACCNT ACCAS1_Tunnel3 255.255.255.255 ACCA3_FastEth00 1
!
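Added example (editor's code, not from the thread and not Cisco's): a small Python model of the posted configuration that answers one narrow question for a 106011 message, namely whether the access-list bound inbound on the interface the packet arrived on would permit that ICMP type between those two hosts. It covers both the ICMP return types the first reply lists (echo-reply, unreachable, time-exceeded, traceroute, plus the source-quench in the Management_PING group) and the object-group version of the config in the second post. Assumptions: the `src IF:host` part of the log names the ingress interface; only `name`, `object-group`, `access-list ... icmp` and `access-group` statements are parsed, so the `static` and `route` lines, and the translation (xlate) lookup that the "No xlate" text actually refers to, are not modelled at all; an interface with no ACL bound is treated as deny here, whereas the real PIX falls back to its security-level defaults. The first sample log line is the one from the question; the second is constructed.

```python
import ipaddress
import re
# Statements this model reads, copied from the posted config (name, object-group,
# access-list icmp, access-group); the static and route lines are not modelled.
CONFIG = """
name 172.16.4.138 ACCAS1_Tunnel3
name 172.16.4.6 ACCA2-BK_Fas00
object-group network GRE_Tunnel_INSIDE
network-object ACCA2-BK_Fas00 255.255.255.255
object-group icmp-type Management_PING
icmp-object unreachable
icmp-object time-exceeded
icmp-object echo-reply
icmp-object source-quench
access-list inside_access_in permit icmp object-group GRE_Tunnel_INSIDE host ACCAS1_Tunnel3 echo
access-list ACCNT_access_in permit icmp host ACCAS1_Tunnel3 object-group GRE_Tunnel_INSIDE object-group Management_PING
access-group inside_access_in in interface inside
access-group ACCNT_access_in in interface ACCNT
"""
# Constructed samples: the 106011 line from the question, then a made-up echo-reply.
SAMPLE_LOGS = [
    "106011: Deny inbound (No xlate) icmp src ACCNT:ACCA2-BK_Fas00 dst ACCNT:ACCAS1_Tunnel3 (type 8, code 0)",
    "106011: Deny inbound (No xlate) icmp src ACCNT:ACCAS1_Tunnel3 dst inside:ACCA2-BK_Fas00 (type 0, code 0)",
]
# PIX ICMP keywords used in the thread and their type numbers.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "source-quench": 4,
              "echo": 8, "time-exceeded": 11, "traceroute": 30}
TYPE_NAMES = {v: k for k, v in ICMP_TYPES.items()}
LOG_RE = re.compile(
    r"106011: Deny inbound \(No xlate\) (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>\S+) dst (?P<dst_if>[^:\s]+):(?P<dst>\S+)"
    r"(?: \(type (?P<type>\d+), code (?P<code>\d+)\))?")


class PixPolicy:
    """ACL-only model: first matching entry wins, implicit deny at the end."""

    def __init__(self, config_text):
        self.names, self.net_groups, self.icmp_groups = {}, {}, {}
        self.acls, self.bindings, group = {}, {}, None
        for t in filter(None, map(str.split, config_text.splitlines())):
            if t[0] == "name":
                self.names[t[2]] = t[1]
            elif t[0] == "object-group":
                group = t[2]
                (self.net_groups if t[1] == "network" else self.icmp_groups)[group] = []
            elif t[0] == "network-object":
                self.net_groups[group].append(self._network(t[1], t[2]))
            elif t[0] == "icmp-object":
                self.icmp_groups[group].append(ICMP_TYPES[t[1]])
            elif t[0] == "access-list" and t[3] == "icmp":
                self.acls.setdefault(t[1], []).append((t[2],) + self._parse_ace(t[4:]))
            elif t[0] == "access-group":
                self.bindings[t[4]] = t[1]  # interface -> ACL applied inbound

    def _network(self, addr, mask):
        return ipaddress.ip_network(f"{self.names.get(addr, addr)}/{mask}", strict=False)

    def _address_spec(self, tok, i):
        # One address spec: any | host X | object-group G | X MASK
        if tok[i] == "any":
            return [ipaddress.ip_network("0.0.0.0/0")], i + 1
        if tok[i] == "host":
            return [self._network(tok[i + 1], "255.255.255.255")], i + 2
        if tok[i] == "object-group":
            return self.net_groups[tok[i + 1]], i + 2
        return [self._network(tok[i], tok[i + 1])], i + 2

    def _parse_ace(self, tok):
        src, i = self._address_spec(tok, 0)
        dst, i = self._address_spec(tok, i)
        if i >= len(tok):  # no type keyword: the entry matches every ICMP type
            return src, dst, None
        if tok[i] == "object-group":
            return src, dst, set(self.icmp_groups[tok[i + 1]])
        return src, dst, {ICMP_TYPES[tok[i]]}

    def permits(self, ingress_if, src, dst, icmp_type):
        """True if the ACL bound inbound on ingress_if permits this packet."""
        s, d = (ipaddress.ip_address(self.names.get(x, x)) for x in (src, dst))
        for action, src_nets, dst_nets, types in self.acls.get(self.bindings.get(ingress_if), []):
            if (any(s in n for n in src_nets) and any(d in n for n in dst_nets)
                    and (types is None or icmp_type in types)):
                return action == "permit"
        return False  # implicit deny (also returned when no ACL is bound)


def evaluate_log_lines(policy, lines):
    """(ingress_if, src, dst, type_name, acl_permits) for each 106011 ICMP deny line."""
    out = []
    for m in filter(None, map(LOG_RE.search, lines)):
        if m.group("proto") != "icmp" or m.group("type") is None:
            continue
        itype = int(m.group("type"))
        ok = policy.permits(m.group("src_if"), m.group("src"), m.group("dst"), itype)
        out.append((m.group("src_if"), m.group("src"), m.group("dst"), TYPE_NAMES.get(itype, str(itype)), ok))
    return out


POLICY = PixPolicy(CONFIG)
if __name__ == "__main__":
    for row in evaluate_log_lines(POLICY, SAMPLE_LOGS):
        print(row)
```

Run against the logged packet, the model reports that `ACCNT_access_in` has no entry for an echo (type 8) sourced from ACCA2-BK_Fas00 arriving on ACCNT, since that list only permits traffic sourced from host ACCAS1_Tunnel3; the same call for the inside interface returns a permit for echo only, and for the constructed echo-reply in the other direction returns a permit via the Management_PING group. That is the ACL half of the picture only; the "No xlate" wording points at the translation lookup, which this model does not evaluate.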


