Cisco Support Community
Community Member

PIX515, TCP static mapping but no ICMP?

I've a PIX-515 firewall, running 7.2.2, in front of a private network. Servers in the private network are statically mapped to the external interface like this:

static (inside,outside) tcp host-outside www host-inside 8080 netmask 255.255.255.255

The problem is, now ICMP is not translated anymore. If I try to ping host-outside from the Internet, the firewall says "Deny inbound icmp src outside" even though ICMP is allowed by the ACL to all destinations on the outside interface.

I tried to add something like this:

static (inside,outside) host-outside host-inside netmask .......

But then the firewall tells me there's a conflict between this more general mapping, and the existing more specific mapping.

How can I keep the TCP 80 -> 8080 mapping but also translate inbound ICMP requests?

3 REPLIES
Green

Re: PIX515, TCP static mapping but no ICMP?

You would have to remove all port translations and add a 1 to 1 static. That may or may not work for you as you may have other inside servers using this outside address.

no static (inside,outside) tcp host-outside www host-inside 8080 netmask 255.255.255.255

static (inside,outside) host-outside host-inside netmask .......

Community Member

Re: PIX515, TCP static mapping but no ICMP?

That won't work, because port 8080 on the actual server needs to be translated as port 80 on the external address.

There are multiple servers in that environment, all of them accessible from the outside over port 80, which is translated by the firewall as port 8080 on the actual machines.

Each server has its own public address on the outside.

Green

Re: PIX515, TCP static mapping but no ICMP?

Which is why I said "That may or may not work for you as you may have other inside servers using this outside address."
