Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
466
Views
5
Helpful
3
Replies

ICMP reply doesn't pass through in PAT mode

aruzsinszky
Level 1
Level 1

‎08-15-2008 11:01 AM - edited ‎03-11-2019 06:31 AM

Hi,

PIX 501, v.6.3.5

I'd like pinging a host (10.1.104.21) from host tartalek in PAT mode.

The ping request reaches the destination host and it replies. PIX can see it but host tartalek doesn't get the reply.

(My original task will be PATting a TCP port to the destination host. And only one port from the stc to the dst.)

Maybe the relevant commands:

access-list acl_out remark Default szabaly - Inetrol a tartalek SSH portjara

access-list acl_out permit tcp KOFE_VPN_Inetrol 255.255.255.240 interface outside eq ssh log

access-list acl_in permit icmp host tartalek KOFE_VPN_Inetrol 255.255.255.240

access-list outside_accounting_TACACS+ remark Log a bejovo kapcsolathoz

access-list outside_accounting_TACACS+ permit tcp KOFE_VPN_Inetrol 255.255.255.240 interface outside eq ssh

access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 JBF_Intranet 255.255.255.0

access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 JBF_Intranet 255.255.255.0

+ access-list in_out_01 permit icmp host tartalek host 10.1.104.21

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface ssh tartalek ssh netmask 255.255.255.255 0 0

static (outside,inside) KOFE_k16_Rattila KOFE_VPN_Rattila netmask 255.255.255.255 0 0

...

(user IP defs like above)

...

access-group acl_out in interface outside

access-group in_out_01 in interface inside

What is the problem? How can I debug further?

TIA,

Ruzsi

Labels:
0 Helpful
3 Replies 3

acomiskey
Level 10
Level 10

‎08-15-2008 11:17 AM

You need to allow the reply in your acl.

access-list acl_out permit icmp any any echo-reply

aruzsinszky
Level 1
Level 1
In response to acomiskey

‎08-15-2008 11:36 AM

Yes!!!

Will I meet any probem when I'll putting in the TCP command?

TIA,

Ruzsi

0 Helpful

Davy Ad
Level 1
Level 1
In response to aruzsinszky

‎11-05-2008 03:28 AM

No if you know the port number for ICMP

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card