Deny Inbound Message

tbogie_gvds · ‎06-04-2007

I am having an issue with trying to get a ping through a PIX515 with OS6.2(4). The message I keep getting, and I am unsure as to why, is as follows:

106011: Deny inbound (No xlate) icmp src ACCNT:ACCA2-BK_Fas00 dst ACCNT:ACCAS1_Tunnel3 (type 8, code 0)

The config is attached. I would be grateful if someone could assist please.

Thanks,

Timothy

cmcbride · ‎06-05-2007

By default the PIX does not allow inbound ICMP packets. ICMP is somewhat stateless and thus Ping will not work outbound unless you explicitly allow certain packets in through the access-list. I.e.

access-list inside_access_in permit icmp any any unreachable

access-list inside_access_in permit icmp any any echo-reply

access-list inside_access_in permit icmp any any time-exceeded

access-list inside_access_in permit icmp any any traceroute

tbogie_gvds · ‎06-06-2007

Wouldn't these statements do roughly the same thing?

!

name 172.16.4.138 ACCAS1_Tunnel3

name 172.16.4.6 ACCA2-BK_Fas00

pdm location ACCA2-BK_Fas00 255.255.255.255 inside

!

object-group network GRE_Tunnel_INSIDE

network-object ACCA2-BK_Fas00 255.255.255.255

!

object-group icmp-type Management_PING

icmp-object unreachable

icmp-object time-exceeded

icmp-object echo-reply

icmp-object source-quench

!

access-list inside_access_in permit icmp object-group GRE_Tunnel_INSIDE host ACCAS1_Tunnel3 echo

!

access-list ACCNT_access_in permit icmp host ACCAS1_Tunnel3 object-group GRE_Tunnel_INSIDE object-group Management_PING

!

static (inside,ACCNT) ACCA2-BK_Fas00 ACCA2-BK_Fas00 netmask 255.255.255.255 0 0

!

access-group inside_access_in in interface inside

access-group ACCNT_access_in in interface ACCNT

!

route inside 172.16.4.4 255.255.255.252 ACCANSBK_Untrust

route ACCNT ACCAS1_Tunnel3 255.255.255.255 ACCA3_FastEth00 1

!