NAT'ing Kills ICMP Traffic

KSVY_KSVY_2
Level 1

packet-tracer shows ping traffic being dropped at NAT phase 7, and the Result states "Drop-reason: (acl-drop) Flow is denied by configured rule".

The firewall has a simple configuration:

access-list Inside_access_in permit tcp object "source" object-group "destination" object-group "service-ports"

access-list Inside_access_in permit icmp object "source" object-group "destination"

icmp permit "source/-inside LAN" Inside

object network "source object-group network"

nat (any,destination) dynamic interface

access-group Inside_access_in in interface Inside

route "destination and mask" "gateway IP"

There are no ACLs being used on the outside interface, and no assigned access-group.

packet-tracer shows all other ports of traffic (in the service-port object-group) being permitted through the firewall's NAT policy. Only ICMP is being dropped.

Any suggestions would be appreciated.

thanks,

7 Replies

Do you have the inspection for ICMP on?

Go ahead and inspect ICMP traffic. Post the config as well; it will make it easier to find the issue.

Yeap, "inspect icmp" is in global_policy.

thanks,

I'm seeing in your config that you do not have a global statement for the NAT.

Try this to NAT your inside LAN to the IP address on your US_X interface:

nat (inside) 1 0.0.0.0 0.0.0.0

global (US_x) 1 interface

Also, to know what is happening, let's take a capture:

access-list capture permit icmp any any

capture capin access-list capture interface inside

capture capout access-list capture interface US_X

Try to ping the IP address 8.8.8.8 on the internet and then send me the "show cap capin" and the "show cap capout".

Sorry, I didn't notice that you are using version 8.3; your config is right. Go ahead and take the capture ONLY.

Yeap, that's what I am suggesting, a basic static global NAT policy... but I am currently waiting for management to approve. I will follow up with you.

thanks,

I do not see this in your config:

object network obj-10.100.x.150
subnet 10.100.x.150 255.255.255.0
nat (inside,US_X) dynamic interface

You have this:

object network x-NET

nat (any,US_x) dynamic interface

You are not specifying the network to NAT.
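The point made above is that an object network used for NAT must carry a subnet (or host/range) definition, or the NAT rule has no source to match. The following is an added illustration written for this thread, not configuration posted by anyone in it; the object name INSIDE-NET, the interface names inside/outside and the 10.100.0.0/16 subnet are assumed placeholders, and the packet-tracer command at the end is the check a practitioner would run to confirm the NAT phase now shows ALLOW with a translation for ICMP.

```cisco
! --- Incomplete (ASA 8.3+): object has no address definition, so the
! --- NAT rule has nothing to match and ICMP from the LAN is not translated.
object network INSIDE-NET
 nat (any,outside) dynamic interface

! --- Corrected: the object defines the inside network, the NAT rule names
! --- the real ingress interface, and ICMP is inspected so replies are
! --- matched back to the translated flow.
object network INSIDE-NET
 subnet 10.100.0.0 255.255.0.0
 nat (inside,outside) dynamic interface

policy-map global_policy
 class inspection_default
  inspect icmp

access-list Inside_access_in extended permit icmp object INSIDE-NET any
access-group Inside_access_in in interface inside

! --- Verification: simulate an echo request (ICMP type 8, code 0) from a
! --- LAN host to an assumed external address and read the NAT phase result.
packet-tracer input inside icmp 10.100.10.42 8 0 8.8.8.8
```

If the NAT phase in the packet-tracer output still reports a drop after the subnet is defined, the captures suggested earlier in the thread (capin on the inside interface, capout on the outside interface, both matching icmp any any) show whether the echo request leaves the firewall at all and whether a reply ever comes back.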

The

object network obj-10.100.x.150

and

subnet 10.100.x.150 255.255.255.0

are the ASA's inside interface: ip address 10.100.254.150 255.255.255.0 standby 10.100.254.151

The

nat (inside,US_x) dynamic interface

I guess, is being assigned as

nat (any, US_x) dynamic interface

packet-tracer shows all other traffic being permitted, which shows:

Phase: 7

Type: NAT

Subtype:

Result: ALLOW

Config:

object network x-NET

nat (any, US_x) dynamic interface

Additional Information:

Dynamic translate 10.100.10.42/1433 to 65.x.121.125/54546

The source network is object-group x-NET, which is 10.100.0.0 255.255.0.0.

thanks,
