Cisco Support Community

New Member

Deny Inbound Message

I am having an issue with trying to get a ping through a PIX515 with OS6.2(4). The message I keep getting, and I am unsure as to why, is as follows:

106011: Deny inbound (No xlate) icmp src ACCNT:ACCA2-BK_Fas00 dst ACCNT:ACCAS1_Tunnel3 (type 8, code 0)

The config is attached. I would be grateful if someone could assist please.

Thanks,

Timothy

2 REPLIES
New Member

Re: Deny Inbound Message

By default the PIX does not allow inbound ICMP packets. ICMP is somewhat stateless and thus Ping will not work outbound unless you explicitly allow certain packets in through the access-list. I.e.

access-list inside_access_in permit icmp any any unreachable

access-list inside_access_in permit icmp any any echo-reply

access-list inside_access_in permit icmp any any time-exceeded

access-list inside_access_in permit icmp any any traceroute

New Member

Re: Deny Inbound Message

Wouldn't these statements do roughly the same thing?

!

name 172.16.4.138 ACCAS1_Tunnel3

name 172.16.4.6 ACCA2-BK_Fas00

pdm location ACCA2-BK_Fas00 255.255.255.255 inside

!

object-group network GRE_Tunnel_INSIDE

network-object ACCA2-BK_Fas00 255.255.255.255

!

object-group icmp-type Management_PING

icmp-object unreachable

icmp-object time-exceeded

icmp-object echo-reply

icmp-object source-quench

!

access-list inside_access_in permit icmp object-group GRE_Tunnel_INSIDE host ACCAS1_Tunnel3 echo

!

access-list ACCNT_access_in permit icmp host ACCAS1_Tunnel3 object-group GRE_Tunnel_INSIDE object-group Management_PING

!

static (inside,ACCNT) ACCA2-BK_Fas00 ACCA2-BK_Fas00 netmask 255.255.255.255 0 0

!

access-group inside_access_in in interface inside

access-group ACCNT_access_in in interface ACCNT

!

route inside 172.16.4.4 255.255.255.252 ACCANSBK_Untrust

route ACCNT ACCAS1_Tunnel3 255.255.255.255 ACCA3_FastEth00 1

!
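The 106011 line from the question, decoded against the `name` statements in the config excerpt above. This is an added example, not part of the thread; the field layout is assumed from that single log line, and the ICMP keyword table is a subset.

```python
import re

# ICMP type numbers mapped to the keywords used in PIX ACLs and icmp-object (subset).
ICMP_TYPES = {0: "echo-reply", 3: "unreachable", 4: "source-quench",
              8: "echo", 11: "time-exceeded", 30: "traceroute"}

# Layout assumed from the one 106011 line in the thread; other message IDs differ.
MSG_106011 = re.compile(
    r"106011: Deny inbound \(No xlate\) (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>\S+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>\S+)"
    r"(?: \(type (?P<type>\d+), code (?P<code>\d+)\))?")

def parse_names(config_text):
    """Build {name: ip} from 'name <ip> <name>' lines of a PIX config."""
    names = {}
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "name":
            names[parts[2]] = parts[1]
    return names

def parse_106011(line, names):
    """Return the message fields as a dict, or None if the line does not match."""
    m = MSG_106011.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    # The PIX logs configured names; map them back to addresses when known.
    rec["src_ip"] = names.get(rec["src"], rec["src"])
    rec["dst_ip"] = names.get(rec["dst"], rec["dst"])
    if rec["type"] is not None:
        rec["type"], rec["code"] = int(rec["type"]), int(rec["code"])
        rec["icmp_name"] = ICMP_TYPES.get(rec["type"], "type-%d" % rec["type"])
    # Both endpoints carrying the same interface tag is worth noting in triage.
    rec["same_interface"] = rec["src_if"] == rec["dst_if"]
    return rec

# Inputs copied from the thread: the logged line and the two name statements.
LINE = ("106011: Deny inbound (No xlate) icmp src ACCNT:ACCA2-BK_Fas00 "
        "dst ACCNT:ACCAS1_Tunnel3 (type 8, code 0)")
NAMES_CFG = "name 172.16.4.138 ACCAS1_Tunnel3\nname 172.16.4.6 ACCA2-BK_Fas00"

if __name__ == "__main__":
    for key, value in parse_106011(LINE, parse_names(NAMES_CFG)).items():
        print("%-15s %s" % (key, value))
```
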
