Deny inbound (no xlate)

gdspa
Level 1

I have a problem with an FWSM on a 6509. I am on VLAN1 and I want to ping a PC on VLAN2. I get this error:

Deny inbound (No xlate) icmp src Vlan2:x.x.x.x dst Vlan2:y.y.y.y (type 8, code 0)

If I ping another PC on VLAN2 I don't have any problem. I know this error occurs because the FWSM doesn't permit traffic when src and dst are on the same VLAN. My question is: why does the firewall see my PC on VLAN2 even if my PC is on VLAN1?

There is a NAT exemption rule from VLAN1 to VLAN2.

Thanks!
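As an added example (not part of the original thread): a small Python parser for the FWSM "Deny inbound (No xlate)" message quoted above. It pulls out the protocol, the interface names and the ICMP type/code, and flags the situation the question describes, where the firewall reports the source host on the same interface as the destination, separately from the ordinary "no translation matched" case. The sample log lines are constructed for this example using RFC 5737 documentation addresses; the optional "%FWSM-<sev>-<id>:" syslog prefix the regex tolerates is an assumed format, not something shown on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Message body of the FWSM/PIX "Deny inbound (No xlate)" log line. An optional
# syslog header such as "%FWSM-3-NNNNNN: " may precede it (assumed format); the
# regex simply searches past it. Two shapes are handled:
#   icmp:    "... icmp src Vlan2:A dst Vlan2:B (type 8, code 0)"
#   tcp/udp: "... tcp src inside:A/1234 dst outside:B/80"
DENY_NO_XLATE = re.compile(
    r"Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>[^\s/]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>[^\s/]+)(?:/(?P<dport>\d+))?"
    r"(?: \(type (?P<itype>\d+), code (?P<icode>\d+)\))?"
)


@dataclass
class DenyEvent:
    proto: str
    src_if: str
    src: str
    dst_if: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

    @property
    def same_interface(self) -> bool:
        # The case from the question: the FWSM saw the packet arrive on the
        # interface that also owns the destination, so no xlate can apply.
        return self.src_if.lower() == self.dst_if.lower()


def _opt_int(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_deny(line: str) -> Optional[DenyEvent]:
    """Parse one syslog line; return None if it is not a No-xlate deny."""
    m = DENY_NO_XLATE.search(line)
    if m is None:
        return None
    return DenyEvent(
        proto=m.group("proto").lower(),
        src_if=m.group("src_if"),
        src=m.group("src"),
        dst_if=m.group("dst_if"),
        dst=m.group("dst"),
        sport=_opt_int(m.group("sport")),
        dport=_opt_int(m.group("dport")),
        icmp_type=_opt_int(m.group("itype")),
        icmp_code=_opt_int(m.group("icode")),
    )


# Short tag per event, with the thing a firewall admin should look at first.
EXPLANATIONS: Dict[str, str] = {
    "same-interface": "source and destination on the same interface: check which "
                      "VLAN/interface the source host really enters on, not the NAT rules",
    "cross-interface": "no translation matched for this pair of interfaces: check "
                       "nat/static/NAT-exemption coverage for the source host",
}


def classify(event: DenyEvent) -> str:
    return "same-interface" if event.same_interface else "cross-interface"


def audit(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, tag) for every No-xlate deny found in the input."""
    results = []
    for line in lines:
        event = parse_deny(line)
        if event is not None:
            results.append((line, classify(event)))
    return results


# Constructed sample log, modelled on the message quoted in the question.
SAMPLE_LOG = [
    "%FWSM-3-106011: Deny inbound (No xlate) icmp src Vlan2:192.0.2.10 "
    "dst Vlan2:198.51.100.20 (type 8, code 0)",
    "Deny inbound (No xlate) tcp src inside:192.0.2.10/1234 dst outside:203.0.113.5/80",
    "Built outbound TCP connection 12 for outside:203.0.113.5/80 ...",
]

if __name__ == "__main__":
    for line, tag in audit(SAMPLE_LOG):
        print(f"{tag:16} {EXPLANATIONS[tag]}\n    {line}")
```

The tag for the question's line is "same-interface": the src and dst interface names are identical, which is why the advice to look at VLAN membership of the source host comes before any NAT troubleshooting.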

1 Reply

aghaznavi
Level 5

I think type 8, code 0 is caused by the Nachi worm.

Better try this ACL on your device.

access-list acl-in remark Block worm propagation ports (RPC/DCOM 135, backdoor 4444, TFTP 69)
access-list acl-in deny tcp any any eq 4444
access-list acl-in deny tcp any any eq 135
access-list acl-in deny udp any any eq 135
access-list acl-in deny udp any any eq 69
access-list acl-in remark Drop all ICMP (this includes echo request, type 8 code 0)
access-list acl-in deny icmp any any
access-list acl-in remark Allow everything else
access-list acl-in permit ip any any
access-group acl-in in interface inside