We also have an acl for allowing ICMP from particular outside address ranges
access-list acl_outside permit icmp 18.104.22.168 255.255.255.240 any
access-list acl_outside permit icmp 22.214.171.124 255.255.255.240 any
We also have a static route on the inside
route inside 10.0.0.0 255.0.0.0 10.17.103.253 1
I am using inside nat only.
Now, here's the problem.
If I do a basic ping 10.17.100.1, which is not in the allowable static list, from the outside, I do not get through. This is to be expected as I am using the outside i/f of the outside router as a source address - 126.96.36.199 and the acl on the outside PIX i/f stops it.
However, if I use an allowable src address via an extended ping (188.8.131.52), it succeeds. I can see ICMP traces through the f/w, but no xlates.
Why does this happen?
As a hole has been drilled through the firewall, and no stateful connection is used, has the inside network been compromised?
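To see why one outside source is dropped and another is admitted, here is an added example (not from the original thread) that evaluates the two permit lines above with PIX semantics: subnet masks rather than IOS-style wildcard masks, first match wins, implicit deny at the end. As listed on the page, 188.8.131.52 does not fall inside either /28, so the sample sources below are constructed to land inside and just outside those ranges.

```python
import ipaddress

# The two permit lines from the question. PIX/ASA ACLs take a subnet
# mask (255.255.255.240 = /28), not an IOS wildcard mask.
ACL_OUTSIDE = """
access-list acl_outside permit icmp 18.104.22.168 255.255.255.240 any
access-list acl_outside permit icmp 22.214.171.124 255.255.255.240 any
"""

def _take_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A', or 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]

def parse_acl(text):
    """Return (name, action, proto, src_net, dst_net) per access-list line."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, rest = _take_addr(t[4:])
        dst, _ = _take_addr(rest)
        rules.append((name, action, proto, src, dst))
    return rules

def acl_decision(rules, name, proto, src_ip, dst_ip):
    """First matching line wins; every ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, action, p, snet, dnet in rules:
        if n != name or p not in (proto, "ip"):
            continue
        if src in snet and dst in dnet:
            return action
    return "deny"

RULES = parse_acl(ACL_OUTSIDE)

def outside_icmp_allowed(src_ip, dst_ip="10.17.100.1"):
    """Would an ICMP packet from src_ip pass acl_outside toward dst_ip?"""
    return acl_decision(RULES, "acl_outside", "icmp", src_ip, dst_ip) == "permit"

if __name__ == "__main__":
    # 126.96.36.199 is the router's outside address from the question; the
    # others are constructed to sit inside / just outside the first /28.
    for src in ("126.96.36.199", "18.104.22.170", "18.104.22.176"):
        print(src, "permit" if outside_icmp_allowed(src) else "deny")
```

The script models only the ACL check on the outside interface; whether an xlate is built is decided by the NAT configuration, which is what the answer below asks you to check.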
As there is no static NAT for the IP 10.17.100.1, one possibility could be the NAT 0, since there is a route on the PIX for that subnet. Please check if you have NAT 0 configured on the PIX for the subnet containing IP 10.17.100.1. But I don't think this is an issue.