PIX515, TCP static mapping but no ICMP?

hws_admin
Level 1

I've a PIX-515 firewall, running 7.2.2, in front of a private network. Servers in the private network are statically mapped to the external interface like this:

static (inside,outside) tcp host-outside www host-inside 8080 netmask 255.255.255.255

The problem is, now ICMP is not translated anymore. If I try to ping host-outside from the Internet, the firewall says "Deny inbound icmp src outside" even though ICMP is allowed by the ACL to all destinations on the outside interface.

I tried to add something like this:

static (inside,outside) host-outside host-inside netmask .......

But then the firewall tells me there's a conflict between this more general mapping, and the existing more specific mapping.

How can I keep the TCP 80 -> 8080 mapping but also translate inbound ICMP requests?

3 Replies

acomiskey
Level 10

You would have to remove all port translations and add a 1 to 1 static. That may or may not work for you as you may have other inside servers using this outside address.

no static (inside,outside) tcp host-outside www host-inside 8080 netmask 255.255.255.255

static (inside,outside) host-outside host-inside netmask .......

That won't work, because port 8080 on the actual server needs to be translated as port 80 on the external address.

There are multiple servers in that environment, all of them accessible from the outside over port 80, which is translated by the firewall as port 8080 on the actual machines.

Each server has its own public address on the outside.

Which is why I said "That may or may not work for you as you may have other inside servers using this outside address."
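Added illustration (not PIX code and not from either poster): a small model of how the two kinds of static in this thread match inbound packets. A port static only claims one protocol/port pair, so an ICMP echo to the mapped address finds no translation and is dropped, and a 1-to-1 static on the same mapped address is rejected because it overlaps the port static. The addresses are constructed stand-ins for host-outside and host-inside.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Static:
    """One 'static (inside,outside) ...' line. proto=None models a 1-to-1
    static (all protocols); proto='tcp' models static PAT for one port pair."""
    outside_ip: str
    inside_ip: str
    proto: Optional[str] = None
    outside_port: Optional[int] = None
    inside_port: Optional[int] = None

class NatTable:
    def __init__(self) -> None:
        self.rules: List[Static] = []

    def add(self, rule: Static) -> None:
        # A 1-to-1 static claims the whole mapped address, so it overlaps any
        # entry already on that address (and vice versa). Two port statics on
        # one address only clash when protocol and outside port are the same.
        for r in self.rules:
            if r.outside_ip != rule.outside_ip:
                continue
            same_port = r.proto == rule.proto and r.outside_port == rule.outside_port
            if r.proto is None or rule.proto is None or same_port:
                raise ValueError(f"mapped-address conflict: {rule} overlaps {r}")
        self.rules.append(rule)

    def lookup_inbound(self, proto: str, dst_ip: str,
                       dst_port: Optional[int] = None) -> Optional[Tuple[str, Optional[int]]]:
        """(inside_ip, inside_port) for an inbound packet, or None when no
        static covers it, in which case the firewall denies it."""
        for r in self.rules:
            if r.outside_ip != dst_ip:
                continue
            if r.proto is None:                       # 1-to-1: every protocol
                return r.inside_ip, dst_port
            if r.proto == proto and r.outside_port == dst_port:
                return r.inside_ip, r.inside_port     # port static: exact pair
        return None

# Constructed addresses standing in for host-outside / host-inside.
HOST_OUTSIDE, HOST_INSIDE = "203.0.113.10", "10.0.0.10"

def build_thread_config() -> NatTable:
    """The configuration from the question: TCP 80 on the outside -> 8080 inside."""
    table = NatTable()
    table.add(Static(HOST_OUTSIDE, HOST_INSIDE, "tcp", 80, 8080))
    return table

def one_to_one_conflicts(table: NatTable) -> bool:
    """True if the 1-to-1 static the poster tried to add is rejected."""
    try:
        table.add(Static(HOST_OUTSIDE, HOST_INSIDE))
    except ValueError:
        return True
    return False
```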
