Cisco Support Community
New Member

Deny Inbound Message

I am having an issue with trying to get a ping through a PIX515 with OS6.2(4). The message I keep getting, and I am unsure as to why, is as follows:

106011: Deny inbound (No xlate) icmp src ACCNT:ACCA2-BK_Fas00 dst ACCNT:ACCAS1_Tunnel3 (type 8, code 0)

The config is attached. I would be grateful if someone could assist please.



New Member

Re: Deny Inbound Message

By default the PIX does not allow inbound ICMP packets. ICMP is somewhat stateless and thus Ping will not work outbound unless you explicitly allow certain packets in through the access-list, i.e.:

access-list inside_access_in permit icmp any any unreachable
access-list inside_access_in permit icmp any any echo-reply
access-list inside_access_in permit icmp any any time-exceeded
access-list inside_access_in permit icmp any any traceroute

New Member

Re: Deny Inbound Message

Wouldn't these statements do roughly the same thing?

name ACCAS1_Tunnel3
name ACCA2-BK_Fas00
pdm location ACCA2-BK_Fas00 inside

object-group network GRE_Tunnel_INSIDE
  network-object ACCA2-BK_Fas00

object-group icmp-type Management_PING
  icmp-object unreachable
  icmp-object time-exceeded
  icmp-object echo-reply
  icmp-object source-quench

access-list inside_access_in permit icmp object-group GRE_Tunnel_INSIDE host ACCAS1_Tunnel3 echo

access-list ACCNT_access_in permit icmp host ACCAS1_Tunnel3 object-group GRE_Tunnel_INSIDE object-group Management_PING

static (inside,ACCNT) ACCA2-BK_Fas00 ACCA2-BK_Fas00 netmask 0 0

access-group inside_access_in in interface inside
access-group ACCNT_access_in in interface ACCNT

route inside ACCANSBK_Untrust
route ACCNT ACCAS1_Tunnel3 ACCA3_FastEth00 1
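
Added example, not part of any post in this thread: a small Python triage script that splits the 106011 line quoted in the first post into its fields, so the interface the log names for source and destination and the ICMP type are explicit before the ACLs are compared against it. The function names and the extra sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# ICMP type numbers mapped to the PIX ACL keywords that appear in this thread.
ICMP_KEYWORDS = {0: "echo-reply", 3: "unreachable", 4: "source-quench",
                 8: "echo", 11: "time-exceeded", 30: "traceroute"}

# Field layout follows the 106011 line quoted in the first post.
DENY_106011 = re.compile(
    r"106011: Deny inbound \(No xlate\) (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>\S+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>\S+)"
    r"(?: \(type (?P<type>\d+), code (?P<code>\d+)\))?")

def parse_106011(line):
    """Return the fields of one 106011 message, or None for any other line."""
    m = DENY_106011.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    if rec["type"] is not None:          # ICMP messages carry (type, code)
        rec["type"], rec["code"] = int(rec["type"]), int(rec["code"])
        rec["icmp_name"] = ICMP_KEYWORDS.get(rec["type"], "type-%d" % rec["type"])
    else:                                # no (type, code) suffix on this line
        rec["icmp_name"] = None
    # True when the log names the same interface for source and destination.
    rec["same_interface"] = rec["src_if"] == rec["dst_if"]
    return rec

def summarize(lines):
    """Count 106011 denies per (src_if, dst_if, proto, icmp_name)."""
    counts = Counter()
    for line in lines:
        rec = parse_106011(line)
        if rec:
            counts[(rec["src_if"], rec["dst_if"], rec["proto"], rec["icmp_name"])] += 1
    return counts

PAGE_LINE = ("106011: Deny inbound (No xlate) icmp src ACCNT:ACCA2-BK_Fas00 "
             "dst ACCNT:ACCAS1_Tunnel3 (type 8, code 0)")
# Constructed sample lines (not from the thread); addresses are documentation ranges.
SAMPLE = [PAGE_LINE, PAGE_LINE,
          "106011: Deny inbound (No xlate) tcp src outside:192.0.2.10/40000 dst outside:198.51.100.5/80",
          "constructed line that is not a 106011 message"]

if __name__ == "__main__":
    print(parse_106011(PAGE_LINE))
    for key, n in summarize(SAMPLE).items():
        print(n, key)
```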

