
ICMP reply doesn't pass through in PAT mode

Hi,

PIX 501, v.6.3.5

I'd like to ping a host (10.1.104.21) from host tartalek in PAT mode.

The ping request reaches the destination host and it replies. PIX can see it but host tartalek doesn't get the reply.

(My original task will be PATting a TCP port to the destination host. And only one port from the src to the dst.)

Maybe the relevant commands:

access-list acl_out remark Default szabaly - Inetrol a tartalek SSH portjara

access-list acl_out permit tcp KOFE_VPN_Inetrol 255.255.255.240 interface outside eq ssh log

access-list acl_in permit icmp host tartalek KOFE_VPN_Inetrol 255.255.255.240

access-list outside_accounting_TACACS+ remark Log a bejovo kapcsolathoz

access-list outside_accounting_TACACS+ permit tcp KOFE_VPN_Inetrol 255.255.255.240 interface outside eq ssh

access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 JBF_Intranet 255.255.255.0

access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 JBF_Intranet 255.255.255.0

+ access-list in_out_01 permit icmp host tartalek host 10.1.104.21

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface ssh tartalek ssh netmask 255.255.255.255 0 0

static (outside,inside) KOFE_k16_Rattila KOFE_VPN_Rattila netmask 255.255.255.255 0 0

...

(user IP defs like above)

...

access-group acl_out in interface outside

access-group in_out_01 in interface inside

What is the problem? How can I debug further?

TIA,

Ruzsi

3 REPLIES
Green

Re: ICMP reply doesn't pass through in PAT mode

You need to allow the reply in your acl.

access-list acl_out permit icmp any any echo-reply
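
Why the returning echo reply is dropped by the posted acl_out and passes once the rule above is added, shown as an added example that is not part of the thread and is not PIX code: a simplified first-match ACL model with an implicit deny. The outside interface address and the KOFE_VPN_Inetrol range are constructed placeholders (the thread does not give them), and the host-scoped `acl_narrow` entry is an assumption added for comparison.

```python
# Added example: simplified first-match ACL model (not PIX code).
from ipaddress import ip_address, ip_network

# Constructed placeholder addresses; the thread does not give these values.
OUTSIDE_IF = "198.51.100.1"          # PAT address (outside interface)
KOFE_VPN_INETROL = "203.0.113.0/28"  # stands in for the named /28 range
ECHO_REPLY = 0                       # ICMP type 0

def rule(proto, src, dst, port=None, icmp_type=None):
    return {"proto": proto, "src": ip_network(src), "dst": ip_network(dst),
            "port": port, "icmp_type": icmp_type}

def evaluate(acl, pkt):
    """Return 'permit' on the first matching entry, else the implicit 'deny'."""
    for r in acl:
        if r["proto"] != pkt["proto"]:
            continue
        if ip_address(pkt["src"]) not in r["src"]:
            continue
        if ip_address(pkt["dst"]) not in r["dst"]:
            continue
        if r["port"] is not None and r["port"] != pkt.get("port"):
            continue
        if r["icmp_type"] is not None and r["icmp_type"] != pkt.get("icmp_type"):
            continue
        return "permit"
    return "deny"

# acl_out as posted: only SSH to the outside interface is permitted.
acl_out = [rule("tcp", KOFE_VPN_INETROL, OUTSIDE_IF + "/32", port=22)]
# With the rule from the reply: permit icmp any any echo-reply
acl_fixed = acl_out + [rule("icmp", "0.0.0.0/0", "0.0.0.0/0", icmp_type=ECHO_REPLY)]
# Narrower variant (assumption, not from the thread): only the pinged host.
acl_narrow = acl_out + [rule("icmp", "10.1.104.21/32", OUTSIDE_IF + "/32",
                             icmp_type=ECHO_REPLY)]

# Echo reply as it arrives on the outside interface, addressed to the PAT address.
reply = {"proto": "icmp", "src": "10.1.104.21", "dst": OUTSIDE_IF,
         "icmp_type": ECHO_REPLY}
other = dict(reply, src="192.0.2.77")  # constructed unrelated sender

def results():
    """Map ACL name to (verdict for pinged host's reply, verdict for other sender)."""
    acls = (("posted", acl_out), ("fixed", acl_fixed), ("narrow", acl_narrow))
    return {name: (evaluate(acl, reply), evaluate(acl, other)) for name, acl in acls}

if __name__ == "__main__":
    for name, (r1, r2) in results().items():
        print(f"{name:7} reply from 10.1.104.21: {r1:6}  reply from other host: {r2}")
```

The `any any` entry also admits echo replies from senders that were never pinged, which is the difference the third ACL makes visible.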

Community Member

Re: ICMP reply doesn't pass through in PAT mode

Yes!!!

Will I meet any problem when I put in the TCP command?

TIA,

Ruzsi

Community Member

Re: ICMP reply doesn't pass through in PAT mode

No, if you know the port number for ICMP.
