Deny Inbound Message

Unanswered Question
Jun 4th, 2007

I am having an issue with trying to get a ping through a PIX515 with OS6.2(4). The message I keep getting, and I am unsure as to why, is as follows:

106011: Deny inbound (No xlate) icmp src ACCNT:ACCA2-BK_Fas00 dst ACCNT:ACCAS1_Tunnel3 (type 8, code 0)

The config is attached. I would be grateful if someone could assist please.




By default the PIX does not allow inbound ICMP packets. ICMP is somewhat stateless and thus Ping will not work outbound unless you explicitly allow certain packets in through the access-list. I.e.

access-list inside_access_in permit icmp any any unreachable

access-list inside_access_in permit icmp any any echo-reply

access-list inside_access_in permit icmp any any time-exceeded

access-list inside_access_in permit icmp any any traceroute

tbogie_gvds Wed, 06/06/2007 - 23:51

Wouldn't these statements do roughly the same thing?


name ACCAS1_Tunnel3

name ACCA2-BK_Fas00

pdm location ACCA2-BK_Fas00 inside


object-group network GRE_Tunnel_INSIDE

network-object ACCA2-BK_Fas00


object-group icmp-type Management_PING

icmp-object unreachable

icmp-object time-exceeded

icmp-object echo-reply

icmp-object source-quench


access-list inside_access_in permit icmp object-group GRE_Tunnel_INSIDE host ACCAS1_Tunnel3 echo


access-list ACCNT_access_in permit icmp host ACCAS1_Tunnel3 object-group GRE_Tunnel_INSIDE object-group Management_PING


static (inside,ACCNT) ACCA2-BK_Fas00 ACCA2-BK_Fas00 netmask 0 0


access-group inside_access_in in interface inside

access-group ACCNT_access_in in interface ACCNT


route inside ACCANSBK_Untrust

route ACCNT ACCAS1_Tunnel3 ACCA3_FastEth00 1
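
Added example, not part of any post in this thread: a small Python parser for the 106011 "Deny inbound (No xlate)" message quoted in the question. It groups repeated denies and marks entries whose source and destination are logged on the same interface, as they are in that message. The regex is derived from the quoted line; the function names and every sample line other than the first are constructed for illustration.

```python
import re
from collections import Counter

# IANA ICMP type numbers for the ICMP keywords that appear in this thread.
ICMP_TYPES = {0: "echo-reply", 3: "unreachable", 4: "source-quench",
              8: "echo", 11: "time-exceeded", 30: "traceroute"}

# Pattern derived from the 106011 line quoted in the question. The trailing
# "(type N, code N)" part is optional so non-ICMP denies still parse.
LINE_RE = re.compile(
    r"106011: Deny inbound \(No xlate\) (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>\S+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>\S+)"
    r"(?: \(type (?P<type>\d+), code (?P<code>\d+)\))?")

def parse_106011(line):
    """Return a dict describing one 106011 line, or None for other messages."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["icmp_name"] = None
    if rec["type"] is not None:
        rec["type"], rec["code"] = int(rec["type"]), int(rec["code"])
        rec["icmp_name"] = ICMP_TYPES.get(rec["type"], "type-%d" % rec["type"])
    # True when the PIX logged source and destination on the same interface.
    rec["same_interface"] = rec["src_if"] == rec["dst_if"]
    return rec

def summarize(lines):
    """Count denies per (src_if, src, dst_if, dst, icmp_name, same_interface)."""
    counts = Counter()
    for line in lines:
        rec = parse_106011(line)
        if rec is not None:
            counts[(rec["src_if"], rec["src"], rec["dst_if"], rec["dst"],
                    rec["icmp_name"], rec["same_interface"])] += 1
    return counts

QUOTED = ("106011: Deny inbound (No xlate) icmp src ACCNT:ACCA2-BK_Fas00 "
          "dst ACCNT:ACCAS1_Tunnel3 (type 8, code 0)")  # line from the question
SAMPLE = [QUOTED, QUOTED,  # repeat is constructed
          # Constructed lines below (documentation addresses):
          "%PIX-3-106011: Deny inbound (No xlate) icmp src outside:192.0.2.10 "
          "dst inside:192.0.2.20 (type 0, code 0)",
          "%PIX-4-106023: Deny icmp src outside:192.0.2.10 dst inside:192.0.2.20"]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, key)
```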


