ICMP reply doesn't pass through in PAT mode

Unanswered Question
Aug 15th, 2008


PIX 501, v.6.3.5

I'd like to ping a host ( from host tartalek in PAT mode.

The ping request reaches the destination host and it replies. PIX can see it but host tartalek doesn't get the reply.

(My original task will be PATting a TCP port to the destination host. And only one port from the src to the dst.)

Maybe the relevant commands:

access-list acl_out remark Default szabaly - Inetrol a tartalek SSH portjara
access-list acl_out permit tcp KOFE_VPN_Inetrol interface outside eq ssh log
access-list acl_in permit icmp host tartalek KOFE_VPN_Inetrol
access-list outside_accounting_TACACS+ remark Log a bejovo kapcsolathoz
access-list outside_accounting_TACACS+ permit tcp KOFE_VPN_Inetrol interface outside eq ssh
access-list inside_outbound_nat0_acl permit ip JBF_Intranet
access-list outside_cryptomap_20 permit ip JBF_Intranet
+ access-list in_out_01 permit icmp host tartalek host

global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
static (inside,outside) tcp interface ssh tartalek ssh netmask 0 0
static (outside,inside) KOFE_k16_Rattila KOFE_VPN_Rattila netmask 0 0

(user IP defs like above)

access-group acl_out in interface outside
access-group in_out_01 in interface inside

What is the problem? How can I debug further?



acomiskey Fri, 08/15/2008 - 11:17

You need to allow the reply in your acl.

access-list acl_out permit icmp any any echo-reply
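
One way to see why the reply never reaches tartalek, as an added illustration that is not from this thread or from Cisco: a small Python evaluator for PIX-style access-list lines, run over a constructed acl_out before and after the echo-reply rule. It assumes ICMP is not inspected statefully (no fixup protocol icmp), treats host names as literal strings, and uses the placeholder names outside_if and ping_target for the PAT interface address and the pinged host.

```python
"""Simplified evaluator for PIX 6.3-style access-list lines (added illustration).
Assumes stateless ICMP (no "fixup protocol icmp"): the echo-reply arriving on
the outside interface is checked against acl_out like any other inbound packet.
Host names are compared as literal strings; "outside_if" and "ping_target" are
constructed placeholders for the PAT interface address and the pinged host."""

def _addr(tokens):
    # consume "any" or "host NAME" from the front of the token list
    tok = tokens.pop(0)
    return tokens.pop(0) if tok == "host" else tok

def parse_acl(lines, name):
    """Ordered rules of access-list `name`: permit/deny, proto, src, dst,
    optional ICMP type or "eq PORT", trailing "log". Remarks carry no policy."""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[:2] != ["access-list", name] or t[2] == "remark":
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src, dst = _addr(rest), _addr(rest)
        rest = [x for x in rest if x != "log"]
        qual = (rest[1] if rest[0] == "eq" else rest[0]) if rest else None
        rules.append({"action": action, "proto": proto, "src": src, "dst": dst, "qual": qual})
    return rules

def evaluate(rules, pkt):
    """First matching rule wins; no match is the implicit deny at the end."""
    for r in rules:
        if (r["proto"] in ("ip", pkt["proto"])
                and r["src"] in ("any", pkt["src"]) and r["dst"] in ("any", pkt["dst"])
                and r["qual"] in (None, pkt.get("qual"))):
            return r["action"]
    return "deny"

# Constructed acl_out modelled on the page: only inbound SSH to the PAT address.
BEFORE = ["access-list acl_out remark Default szabaly - Inetrol a tartalek SSH portjara",
          "access-list acl_out permit tcp host KOFE_VPN_Inetrol host outside_if eq ssh log"]
AFTER = BEFORE + ["access-list acl_out permit icmp any any echo-reply"]

# After PAT the reply to tartalek's ping is addressed to the outside interface.
PACKETS = {
    "echo-reply":   {"proto": "icmp", "src": "ping_target", "dst": "outside_if", "qual": "echo-reply"},
    "echo-request": {"proto": "icmp", "src": "ping_target", "dst": "outside_if", "qual": "echo"},
    "ssh-syn":      {"proto": "tcp", "src": "ping_target", "dst": "outside_if", "qual": "ssh"},
}

def verdicts(acl):
    rules = parse_acl(acl, "acl_out")
    return {k: evaluate(rules, p) for k, p in PACKETS.items()}
```

verdicts(BEFORE) denies the echo-reply (the symptom in the question), while verdicts(AFTER) permits only that reply and still denies an inbound echo request and an unsolicited SSH SYN from the same host.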

aruzsinszky Fri, 08/15/2008 - 11:36


Will I meet any problem when I put in the TCP command?
