Cisco 501 PIX giving ICMP errors from the public IP address

Sep 27th, 2009

I have a Konica Minolta copier on a VPN that uses a Cisco 501 PIX for the tunnel and a Windstream 4200 SpeedStream modem to get to the outside world. It does not matter whether I try to access the web interface of the copier or scan to email; the operation times out. I can access the web interface from the local subnet but not from an outside subnet on the VPN. The copier IP address is on the private tunnel. I ran a Wireshark capture and found that I am getting ICMP "Destination unreachable, Fragmentation needed" errors. We know that the copier starts to send data to the mail server and then hangs when it starts to send the scan data. The ICMP errors are coming from the public IP address of the PIX and not through the private tunnel. My theory is that since the ICMP errors are coming from the public IP address and not through the private tunnel, the copier never sees them and it just keeps trying to send the same oversized packets over and over until it times out. Does anyone know how to correct this so the copier can receive these packets from the private tunnel and resend smaller packets upon request?

The MTU packet size on the copier cannot be changed. I have attached a screen shot of the packet error.

IP addresses

copier is 10..3.34.20,   255.255.255,    10,3.34.1

mail server

PIX public address is
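The check the question's theory calls for, whether a "Fragmentation needed" error is actually addressed to the host that sent the oversized packet, can be run on raw packets from a capture. This is an added example, not part of the original post; all addresses and packets are constructed, and `copier_is_informed` and the other helper names are hypothetical.

```python
import socket
import struct

def build_ipv4(src, dst, proto, payload, df=False, total_len=None):
    """Build a minimal IPv4 packet for the constructed samples (checksum left at 0)."""
    length = total_len if total_len is not None else 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0, 0x4000 if df else 0,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

def parse_frag_needed(packet):
    """Decode an ICMP type 3 code 4 message (RFC 1191); return None for anything else."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8 + 20:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    if (icmp_type, code) != (3, 4):
        return None
    inner = packet[ihl + 8:]  # header of the packet that was too big
    return {
        "reported_by": socket.inet_ntoa(packet[12:16]),
        "sent_to": socket.inet_ntoa(packet[16:20]),
        "next_hop_mtu": mtu,
        "orig_src": socket.inet_ntoa(inner[12:16]),
        "orig_proto": inner[9],
        "orig_len": struct.unpack("!H", inner[2:4])[0],
        "orig_df": bool(struct.unpack("!H", inner[6:8])[0] & 0x4000),
    }

def copier_is_informed(info, copier_ip):
    """True only if the error is addressed to the copier about the copier's own packet."""
    return info["sent_to"] == copier_ip and info["orig_src"] == copier_ip

# Constructed sample data: documentation/private addresses, not values from the post.
COPIER, MAIL, GW_PUBLIC, PEER_PUBLIC = "10.0.0.20", "10.0.1.5", "192.0.2.1", "203.0.113.9"
def icmp_frag_needed(reporter, target, original, mtu):
    body = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + original[:28]
    return build_ipv4(reporter, target, 1, body)

# Case A: the gateway tells the copier that its 1500-byte DF segment is too big.
TCP_1500 = build_ipv4(COPIER, MAIL, 6, b"\x00" * 8, df=True, total_len=1500)
CASE_A = icmp_frag_needed(GW_PUBLIC, COPIER, TCP_1500, 1400)
# Case B: the error concerns the encrypted ESP packet and is addressed to the gateway only.
ESP_PKT = build_ipv4(GW_PUBLIC, PEER_PUBLIC, 50, b"\x00" * 8, df=True, total_len=1556)
CASE_B = icmp_frag_needed("198.51.100.1", GW_PUBLIC, ESP_PKT, 1500)
for name, pkt in (("A", CASE_A), ("B", CASE_B)):
    print(name, parse_frag_needed(pkt))
```

In a real capture, an error shaped like case B (embedded protocol 50, addressed to the gateway) never reaches the inner host, so that host keeps sending full-size packets with DF set.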

cindy toy Mon, 09/28/2009 - 12:30

Hi Rloos876,

Thank you for your question.  This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product.  Please post your question in the Cisco NetPro forums located here: This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.


Cindy Toy

Cisco Small Business Support

Community Manager

