Unanswered Question
Apr 14th, 2009

Hi, I have NATted inside traffic on a PIX. I have opened an ACL for NTP traffic from the inside network to permit reaching outside NTP servers. My question is: should I open the returned NTP traffic too (from outside), or is there no need to open reverse traffic with NAT/PAT?

sdoremus33 Tue, 04/14/2009 - 22:06

If it's no trouble, could you post additional config info pertaining to the ASA: NAT control commands, static translations, and so on... Thanks

Rupesh Kashyap Tue, 04/14/2009 - 22:20

global (outside) 12 netmask
nat (inside) 12
access-group from_inside in interface inside
access-list from_inside permit udp 10.0.0.0 any eq 123

My question is: you can see the ACL on the inside interface. There is no ACL on the outside interface. Should I open the same returning port on the outside interface also, or is no ACL required for returning traffic with NAT???

thotsaphon Tue, 04/14/2009 - 23:06


That's fine. No need to allow return traffic back to the public IP address, as long as internal hosts originate the NTP (request) packets first. That's why it's called stateful.



Rupesh Kashyap Thu, 04/16/2009 - 01:28

Hi, I tested with 3 routers (A->B->C). It is not working:

1. I applied NAT (Overload) on router B.

2. I initiated Ping from A to C & I am able to.

3. Now I have applied an ACL on the outside interface of B to deny all traffic from outside on B.

4. After Step 3, I am not getting Ping reply on A.

My question is, why is the ICMP reply on B blocked by the ACL? It should bypass, as it is allowed from the inside.

thotsaphon Thu, 04/16/2009 - 01:38


Good question. ICMP is a stateless protocol.

You need to allow "echo-reply" in the ACL from outside to inside on B.
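
As an added illustration (not code from this thread, from Cisco, or from either poster), here is a small Python model of the two situations discussed: a stateful PIX/ASA whose conn table passes the NTP reply with nothing opened on the outside interface, and router B, whose NAT overload creates translations but whose outside ACL is stateless and so needs an explicit echo-reply permit. The addresses, ports and the simplified packet handling are assumptions made for the model.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Pkt:
    proto: str      # "udp" or "icmp"
    src: str
    dst: str
    sport: int      # UDP source port, or the ICMP identifier
    dport: int      # UDP destination port; 0 for ICMP
    kind: str = ""  # ICMP only: "echo" or "echo-reply"

def reply_of(p):  # the packet the remote host sends back in answer to p
    if p.proto == "icmp":
        return replace(p, src=p.dst, dst=p.src, kind="echo-reply")
    return replace(p, src=p.dst, dst=p.src, sport=p.dport, dport=p.sport)

class NatDevice:
    """PAT box with an inside ACL (checked outbound) and an outside ACL (checked inbound).
    stateful=True models the PIX/ASA: permitted outbound flows enter a conn table and their
    replies bypass the outside ACL. stateful=False models router B: the inbound ACL alone decides."""
    def __init__(self, global_ip, inside_acl, outside_acl, stateful):
        self.global_ip, self.inside_acl, self.outside_acl = global_ip, inside_acl, outside_acl
        self.stateful, self.conns, self.xlate, self.next_port = stateful, set(), {}, 1024
    def outbound(self, p):  # translated packet sent outside, or None if the inside ACL drops it
        if not any(rule(p) for rule in self.inside_acl):
            return None
        port, self.next_port = self.next_port, self.next_port + 1
        out = replace(p, src=self.global_ip, sport=port)
        self.xlate[(p.proto, port)] = (p.src, p.sport)  # reverse translation entry (assumed key)
        if self.stateful:
            self.conns.add((out.proto, out.dst, out.dport, out.src, out.sport))
        return out
    def inbound(self, p):  # un-translated packet delivered inside, or None if dropped
        tracked = (p.proto, p.src, p.sport, p.dst, p.dport) in self.conns  # keyed on the global address
        if not tracked and not any(rule(p) for rule in self.outside_acl):
            return None  # ACL drop, evaluated before un-NAT: step 4 of the router B test
        ip, port = self.xlate.get((p.proto, p.dport if p.proto == "udp" else p.sport), (None, 0))
        if ip is None:
            return None  # nothing to un-translate
        return replace(p, dst=ip, dport=port) if p.proto == "udp" else replace(p, dst=ip, sport=port)

def ntp_through_pix():  # first case: NTP permitted by the inside ACL, nothing opened outside
    pix = NatDevice("198.51.100.1", [lambda p: p.proto == "udp" and p.dport == 123], [], True)
    req = pix.outbound(Pkt("udp", "10.0.0.5", "203.0.113.7", 40000, 123))
    return pix.inbound(reply_of(req))  # delivered to 10.0.0.5: the reply matched the conn table
def ping_through_router_b(permit_echo_reply):  # second case: router B, outside ACL denies all
    acl = [lambda p: p.proto == "icmp" and p.kind == "echo-reply"] if permit_echo_reply else []
    rtr = NatDevice("198.51.100.1", [lambda p: True], acl, False)
    echo = rtr.outbound(Pkt("icmp", "10.0.0.5", "203.0.113.7", 7, 0, "echo"))
    return rtr.inbound(reply_of(echo))  # None until an echo-reply permit is added
```

The translation table on router B does not change the outcome: the reply is dropped until the outside ACL itself permits echo-reply, which is what a stateful conn table does automatically on the PIX.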


Rupesh Kashyap Thu, 04/16/2009 - 01:41

Sounds good. I will do it. Besides this, I will initiate a TCP Telnet command from A to C and will update you on whether the returned traffic is blocked by the outside ACL.

I will post to you tomorrow.

