NAT'ing Kills ICMP Traffic

packet-tracer shows ping traffic being dropped at NAT (phase 7), and the Result states "Drop-reason: (acl-drop) Flow is denied by configured rule".

The firewall has a simple configuration:

access-list Inside_access_in permit tcp object "source" object-group "destination" object-group "service-ports"
access-list Inside_access_in permit icmp object "source" object-group "destination"
icmp permit "source/inside LAN" Inside
object network "source object-group network"
 nat (any,destination) dynamic interface
access-group Inside_access_in in interface Inside
route "destination and mask" "gateway IP"

There are no ACLs on the outside interface and no access-group assigned to it.

packet-tracer shows all other ports of traffic (those in the service-ports object-group) being permitted through the firewall's NAT policy. Only ICMP is being dropped.


Any suggestions would be appreciated.

thanks,

7 REPLIES

Re: NAT'ing Kills ICMP Traffic

Do you have inspection for ICMP on?

Go ahead and inspect ICMP traffic. Post the config as well; it will make it easier to find the issue.


Re: NAT'ing Kills ICMP Traffic

Yeap, "inspect icmp" is in global_policy.

thanks,

Re: NAT'ing Kills ICMP Traffic

I'm seeing in your config that you do not have a global statement for the NAT.

Try this to NAT your inside LAN to the IP address on your US_X interface:

nat (inside) 1 0.0.0.0 0.0.0.0
global (US_x) 1 interface

Also, to know what is happening, let's take a capture:

access-list capture permit icmp any any
capture capin access-list capture interface inside
capture capout access-list capture interface US_X

Try to ping the IP address 8.8.8.8 on the internet and then send me the show cap capin and the show cap capout.

Re: NAT'ing Kills ICMP Traffic

Sorry, I didn't notice that you are using version 8.3; your config is right. Go ahead and take the capture ONLY.


Re: NAT'ing Kills ICMP Traffic

Yeap, that's what I am suggesting, a basic static global NAT policy... but I am currently waiting for management to approve. I will follow up with you.

thanks,

Re: NAT'ing Kills ICMP Traffic

I do not see this in your config:

object network obj-10.100.x.150
 subnet 10.100.x.150 255.255.255.0
 nat (inside,US_X) dynamic interface

You have this:

object network x-NET
 nat (any,US_x) dynamic interface

You are not specifying the network to NAT.
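Pulling together the pre-8.3 nat/global and capture suggestions from the earlier reply and the 8.3+ object-NAT point made here, the following is an added reference example and is not any poster's configuration or the original firewall's config. It shows the complete 8.3+ form: the network object carrying the subnet it translates, the real interface named explicitly, the inside ACL with an ICMP echo entry, ICMP inspection in global_policy, a packet-tracer run for an ICMP echo (which takes a type and code, not a port), and captures on both interfaces. The interface names inside/US_x, the 10.100.0.0/16 range, the host 10.100.10.42, port 1433 and the 8.8.8.8 target are taken from the thread; a single TCP rule standing in for the service-ports object-group and the `echo` qualifier on the ICMP rule are assumptions for illustration.

```text
! Object NAT (ASA 8.3+). Assumed names: object x-NET, interfaces inside/US_x.
! The object must carry the subnet it translates; here the real interface is
! named explicitly instead of "any".
object network x-NET
 subnet 10.100.0.0 255.255.0.0
 nat (inside,US_x) dynamic interface

! Inbound ACL on the inside interface. The TCP line stands in for the
! service-ports object-group (assumption); the ICMP line permits echo only.
access-list Inside_access_in extended permit tcp object x-NET any eq 1433
access-list Inside_access_in extended permit icmp object x-NET any echo
access-group Inside_access_in in interface inside

! ICMP inspection: echo replies are matched to the outbound echo as one
! connection and un-translated on the way back, so no outside ACL is needed.
! "inspect icmp error" does the same for ICMP error messages.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global

! Simulate an echo request (type 8, code 0) from an inside host to 8.8.8.8.
! Read the Phase whose Type is NAT and the final Result/Drop-reason.
packet-tracer input inside icmp 10.100.10.42 8 0 8.8.8.8

! Captures on both sides of the box (inline match form, no helper ACL needed),
! then a real ping from the host, then read and remove them.
capture capin interface inside match icmp any any
capture capout interface US_x match icmp any any
show capture capin
show capture capout
no capture capin
no capture capout

! Sanity check on the object NAT rule: translate_hits should increase
! for ICMP just as it does for the TCP flows.
show nat detail
```

If capin shows the echo leaving the host but capout shows nothing on US_x, the packet died inside the box and the packet-tracer phase that reports the drop is the one to compare against the running config; if capout shows the translated echo but no reply, the problem is upstream of the firewall.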


Re: NAT'ing Kills ICMP Traffic

The

object network obj-10.100.x.150

and

subnet 10.100.x.150 255.255.255.0

are the ASA's inside interface: ip address 10.100.254.150 255.255.255.0 standby 10.100.254.151

The

nat (inside,US_x) dynamic interface

I guess, is being assigned as

nat (any,US_x) dynamic interface

packet-tracer shows all other traffic being permitted, which shows:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
object network x-NET
 nat (any,US_x) dynamic interface
Additional Information:
Dynamic translate 10.100.10.42/1433 to 65.x.121.125/54546

The source network is object-group x-NET, which is 10.100.0.0 255.255.0.0.

thanks,
