08-15-2008 11:01 AM - edited 03-11-2019 06:31 AM
Hi,
PIX 501, v.6.3.5
I'd like to ping a host (10.1.104.21) from host tartalek in PAT mode.
The ping request reaches the destination host and it replies. PIX can see it but host tartalek doesn't get the reply.
(My original task will be PATting a TCP port to the destination host. And only one port from the src to the dst.)
Perhaps these are the relevant commands:
access-list acl_out remark Default rule - Inetrol to tartalek's SSH port
access-list acl_out permit tcp KOFE_VPN_Inetrol 255.255.255.240 interface outside eq ssh log
access-list acl_in permit icmp host tartalek KOFE_VPN_Inetrol 255.255.255.240
access-list outside_accounting_TACACS+ remark Log for the incoming connection
access-list outside_accounting_TACACS+ permit tcp KOFE_VPN_Inetrol 255.255.255.240 interface outside eq ssh
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 JBF_Intranet 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 JBF_Intranet 255.255.255.0
+ access-list in_out_01 permit icmp host tartalek host 10.1.104.21
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ssh tartalek ssh netmask 255.255.255.255 0 0
static (outside,inside) KOFE_k16_Rattila KOFE_VPN_Rattila netmask 255.255.255.255 0 0
...
(user IP defs like above)
...
access-group acl_out in interface outside
access-group in_out_01 in interface inside
What is the problem? How can I debug further?
TIA,
Ruzsi
08-15-2008 11:17 AM
You need to allow the reply in your acl.
access-list acl_out permit icmp any any echo-reply
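As an added illustration, not part of the original thread: the reason the reply is dropped is that PIX 6.3 keeps no connection state for ICMP, so the echo-reply arriving on the outside interface is evaluated against acl_out like any fresh inbound packet and must be permitted explicitly. TCP through the static PAT is different: the PIX records the connection when the SYN is allowed in, so the return segments are matched by the connection table and need no ACL entry. The fragment below uses the poster's own names; the entries for time-exceeded and unreachable are my own assumption about what a practitioner would also want (traceroute and path-MTU errors returning through the PAT), and the three show/debug commands are the PIX 6.3 verification steps I would run.

```text
! inside -> outside: tartalek may send the echo request (already in the thread)
access-list in_out_01 permit icmp host tartalek host 10.1.104.21 echo
! outside -> inside: no ICMP state on 6.3, so the reply needs its own permit;
! the destination is "any" because after PAT the reply is addressed to the outside interface
access-list acl_out permit icmp host 10.1.104.21 any echo-reply
! assumption: also admit ICMP error messages so traceroute and path-MTU discovery work
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any unreachable

! single TCP port from the VPN range to tartalek: the static plus one permit for the SYN is enough,
! return traffic is handled by the connection table (lines already present in the thread)
static (inside,outside) tcp interface ssh tartalek ssh netmask 255.255.255.255 0 0
access-list acl_out permit tcp KOFE_VPN_Inetrol 255.255.255.240 interface outside eq ssh log

! verification while the ping / ssh test runs
show xlate          ! the PAT entry for tartalek should be listed
show conn           ! the TCP session through the static appears here
debug icmp trace    ! prints each ICMP packet with its inbound/outbound translation
```

If `debug icmp trace` shows the echo-reply arriving on outside but nothing going out on inside, the packet is being denied by acl_out and `show access-list acl_out` hit counts will confirm which line is (not) matching.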
08-15-2008 11:36 AM
Yes!!!
Will I meet any problem when I put in the TCP command?
TIA,
Ruzsi
11-05-2008 03:28 AM
No, if you know the port number for ICMP