06-04-2007 08:02 PM - edited 03-11-2019 03:24 AM
I am having an issue with trying to get a ping through a PIX515 with OS6.2(4). The message I keep getting, and I am unsure as to why, is as follows:
106011: Deny inbound (No xlate) icmp src ACCNT:ACCA2-BK_Fas00 dst ACCNT:ACCAS1_Tunnel3 (type 8, code 0)
The config is attached. I would be grateful if someone could assist please.
Thanks,
Timothy
06-05-2007 12:04 PM
By default the PIX does not allow inbound ICMP packets. ICMP is somewhat stateless and thus Ping will not work outbound unless you explicitly allow certain packets in through the access-list. I.e.
access-list inside_access_in permit icmp any any unreachable
access-list inside_access_in permit icmp any any echo-reply
access-list inside_access_in permit icmp any any time-exceeded
access-list inside_access_in permit icmp any any traceroute
06-06-2007 11:51 PM
Wouldn't these statements do roughly the same thing?
!
name 172.16.4.138 ACCAS1_Tunnel3
name 172.16.4.6 ACCA2-BK_Fas00
pdm location ACCA2-BK_Fas00 255.255.255.255 inside
!
object-group network GRE_Tunnel_INSIDE
network-object ACCA2-BK_Fas00 255.255.255.255
!
object-group icmp-type Management_PING
icmp-object unreachable
icmp-object time-exceeded
icmp-object echo-reply
icmp-object source-quench
!
access-list inside_access_in permit icmp object-group GRE_Tunnel_INSIDE host ACCAS1_Tunnel3 echo
!
access-list ACCNT_access_in permit icmp host ACCAS1_Tunnel3 object-group GRE_Tunnel_INSIDE object-group Management_PING
!
static (inside,ACCNT) ACCA2-BK_Fas00 ACCA2-BK_Fas00 netmask 255.255.255.255 0 0
!
access-group inside_access_in in interface inside
access-group ACCNT_access_in in interface ACCNT
!
route inside 172.16.4.4 255.255.255.252 ACCANSBK_Untrust
route ACCNT ACCAS1_Tunnel3 255.255.255.255 ACCA3_FastEth00 1
!
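As an added example, not code from any of the posts in this thread: a small Python model that expands the object-group access-list entries quoted above, and the flat access-list entries from the earlier reply, into their individual host/type entries, then reports which ICMP types each interface ACL permits between the named hosts. It also parses the 106011 syslog line from the first post. The ACL semantics are a simplified first-match model with the PIX's implicit deny at the end; the static/xlate lookup that the "No xlate" text in the message refers to is not modeled, so the model only shows what the access-lists allow, not whether a translation exists. The config text is copied from the thread; the ICMP type-number table uses the standard IANA assignments.

```python
import ipaddress
import re

# Config lines copied from the thread (the original attachment is not available here).
PIX_CONFIG = """
name 172.16.4.138 ACCAS1_Tunnel3
name 172.16.4.6 ACCA2-BK_Fas00
object-group network GRE_Tunnel_INSIDE
 network-object ACCA2-BK_Fas00 255.255.255.255
object-group icmp-type Management_PING
 icmp-object unreachable
 icmp-object time-exceeded
 icmp-object echo-reply
 icmp-object source-quench
access-list inside_access_in permit icmp object-group GRE_Tunnel_INSIDE host ACCAS1_Tunnel3 echo
access-list ACCNT_access_in permit icmp host ACCAS1_Tunnel3 object-group GRE_Tunnel_INSIDE object-group Management_PING
"""

# The flat form suggested in the second reply.
FLAT_CONFIG = """
access-list inside_access_in permit icmp any any unreachable
access-list inside_access_in permit icmp any any echo-reply
access-list inside_access_in permit icmp any any time-exceeded
access-list inside_access_in permit icmp any any traceroute
"""

# Standard IANA ICMP type numbers for the keywords used in PIX access-lists.
ICMP_TYPE_NAMES = {0: "echo-reply", 3: "unreachable", 4: "source-quench",
                   8: "echo", 11: "time-exceeded"}

LOG_106011 = re.compile(
    r"106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<src_if>[^:]+):(?P<src>\S+) dst (?P<dst_if>[^:]+):(?P<dst>\S+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\)")


def parse_106011(line):
    """Return the fields of a %PIX-3-106011 message as a dict, or None if it does not match."""
    m = LOG_106011.search(line)
    return m.groupdict() if m else None


class PixAcl:
    """Simplified model of PIX name/object-group/access-list evaluation for ICMP."""

    def __init__(self, config_text):
        self.names, self.net_groups, self.icmp_groups, self.acls = {}, {}, {}, {}
        current = None  # the object-group currently being filled
        for raw in config_text.splitlines():
            t = raw.split()
            if not t or t[0] == "!":
                continue
            if t[0] == "name":                      # name <ip> <alias>
                self.names[t[2]] = t[1]
            elif t[:2] == ["object-group", "network"]:
                current = self.net_groups.setdefault(t[2], [])
            elif t[:2] == ["object-group", "icmp-type"]:
                current = self.icmp_groups.setdefault(t[2], [])
            elif t[0] == "network-object":
                current.append(self._network(t[1], t[2]))
            elif t[0] == "icmp-object":
                current.append(t[1])
            elif t[0] == "access-list":             # access-list <name> permit|deny ...
                self.acls.setdefault(t[1], []).extend(self._expand(t[2:]))

    def resolve(self, alias):
        """Map a 'name' alias back to its IP address (plain addresses pass through)."""
        return self.names.get(alias, alias)

    def _network(self, addr, mask):
        return ipaddress.ip_network(f"{self.resolve(addr)}/{mask}", strict=False)

    def _address(self, t):
        """Consume one address spec (any | host X | object-group G | A M); return (networks, rest)."""
        if t[0] == "any":
            return [ipaddress.ip_network("0.0.0.0/0")], t[1:]
        if t[0] == "host":
            return [self._network(t[1], "255.255.255.255")], t[2:]
        if t[0] == "object-group":
            return list(self.net_groups[t[1]]), t[2:]
        return [self._network(t[0], t[1])], t[2:]

    def _expand(self, t):
        """Expand one access-list entry into flat (action, proto, src, dst, icmp_type) tuples."""
        action, proto = t[0], t[1]
        srcs, rest = self._address(t[2:])
        dsts, rest = self._address(rest)
        if not rest:
            types = [None]                          # no type keyword: any ICMP type
        elif rest[0] == "object-group":
            types = list(self.icmp_groups[rest[1]])
        else:
            types = [rest[0]]
        return [(action, proto, s, d, ty) for s in srcs for d in dsts for ty in types]

    def permits(self, acl_name, src, dst, icmp_type):
        """First-match evaluation of an ACL for an ICMP packet; implicit deny if nothing matches."""
        src, dst = ipaddress.ip_address(self.resolve(src)), ipaddress.ip_address(self.resolve(dst))
        for action, proto, s, d, ty in self.acls.get(acl_name, []):
            if proto in ("icmp", "ip") and src in s and dst in d and ty in (None, icmp_type):
                return action == "permit"
        return False


if __name__ == "__main__":
    acl = PixAcl(PIX_CONFIG)
    for name, entries in acl.acls.items():
        for action, proto, s, d, ty in entries:
            print(f"{name}: {action} {proto} {s} -> {d} {ty or 'any'}")
    fields = parse_106011("106011: Deny inbound (No xlate) icmp src ACCNT:ACCA2-BK_Fas00 "
                          "dst ACCNT:ACCAS1_Tunnel3 (type 8, code 0)")
    kind = ICMP_TYPE_NAMES[int(fields["type"])]
    print(f"{fields['src']} -> {fields['dst']} {kind}: ACL on {fields['src_if']} permits "
          f"{acl.permits(fields['src_if'] + '_access_in', fields['src'], fields['dst'], kind)}")
```

Running it prints the expanded entries of both interface ACLs, then evaluates the packet from the logged message against the ACL applied on the interface it arrived on. The `names` table is resolved in both directions so the aliases that appear in the syslog line can be fed straight into `permits`.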