Cisco Support Community

New Member

ICMP from the outside

I am running a 515E firewall using S/W 6.2(1)

We are managing a network on the inside of the F/W that is

On the outside we have a number of statics -

static (inside,outside) tcp ssh ssh netmask 0 0

static (inside,outside) netmask 0 0

static (inside,outside) netmask 0 0

static (inside,outside) netmask 0 0

static (inside,outside) netmask 0 0

We also have an acl for allowing ICMP from particular outside address ranges

access-list acl_outside permit icmp any

access-list acl_outside permit icmp any .

We also have a static route on the inside

route inside 1

I am using inside nat only.

Now, here's the problem.

If I do a basic ping, which is not in the allowable static list, from the outside, I do not get through. This is to be expected as I am using the outside i/f of the outside router as a source address - and the acl on the outside PIX i/f stops it.

However, if I use an allowable src address via an extended ping it succeeds. I can see ICMP traces through the f/w, but no xlates.

Why does this happen?

As a hole has been drilled through the firewall, and no stateful connection is used, has the inside network been compromised?

New Member

Re: ICMP from the outside

As there is no static NAT for the IP, one of the possibilities could be NAT 0, since there is a route on the PIX for that subnet. Please check if you have NAT 0 configured on the PIX for the subnet containing the IP. But I don't think this is an issue.
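An added example, not taken from either post: a tighter form of the outside ACL discussed above for a PIX 6.x image, which does not track ICMP statefully, so each ICMP type that must cross the outside interface has to be listed explicitly. The addresses are placeholders (203.0.113.0/24 stands for the trusted outside range, 192.0.2.10 for the outside address of one static); the entries permit only echo to the published static and the replies that inside-initiated pings and traceroutes need, instead of every ICMP type.

```cisco
! PIX 6.x: no stateful ICMP inspection, so inbound ICMP is governed only by
! this ACL. Placeholders: 203.0.113.0/24 = trusted outside monitoring range,
! 192.0.2.10 = outside address of the static for the inside host.

! Inbound echo only, from the trusted range, to the one published static
access-list acl_outside permit icmp 203.0.113.0 255.255.255.0 host 192.0.2.10 echo

! Return traffic for pings and traceroutes started from the inside
access-list acl_outside permit icmp any any echo-reply
access-list acl_outside permit icmp any any time-exceeded
access-list acl_outside permit icmp any any unreachable

! All other ICMP types and sources fall to the implicit deny
access-group acl_outside in interface outside

! Keep the firewall's own outside interface from answering pings
icmp deny any outside
```

Compare the hit counters with `show access-list acl_outside` after a test ping to confirm which entry the echo actually matched.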
