Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
675
Views
0
Helpful
4
Replies

nat 0 and access-list

engel
Level 2
Level 2

‎10-14-2001 06:16 AM - edited ‎02-20-2020 09:16 PM

Hi,

I have problem to configure PIX to permit

connection from higher to lower security.

I use command nat 0 and access-list 101 permit

statement and

applied the access-list to the interface with

"access-group 101 in interface inside".

But even a ping to the outside server which defined

in the access-list doesn`t replied back (the

server has a default-gateway to PIX outside intf).

With a debug icmp trace, I can see that the

echo-request going through PIX, but I can`t see

echo-reply back to the PIX! I wonder if the PIX silently drop the echo-reply ???

Searching on the Bug Navigator doesn`t hit any bugs regarding this problem.

Some reading on a Cisco mailing-list reveals that the NAT 0 command is not so stable (nat 0 works for a while and it dies). Is this true ? Anyone experience problem with nat 0 command on 5.x series ?

Appreciate for any help.

Regards.

Labels:
0 Helpful
4 Replies 4

mazhar71
Level 1
Level 1

‎10-15-2001 03:57 AM

ICMP packets are dropped from outside to inside interfaces. You should use an access-list on the outside interface to permit ICMP reply into the inside.

0 Helpful

engel
Level 2
Level 2
In response to mazhar71

‎10-15-2001 06:36 AM

Thanks mazhar,

Thats help me. Should create another access-list on the outside intf to permit the icmp-reply back to the sender!

I was thinking since the PIX already knew the source and destination for ICMP-request, it should permit the ICMP-reply back from destination to the sender.

Why PIX treats icmp-request and icmp-reply as different sessions ?

0 Helpful

rrbleeker
Level 1
Level 1
In response to engel

‎10-15-2001 02:31 PM

Because they are completely different packets. ICMP is stateless!

0 Helpful

gbbromley
Level 1
Level 1
In response to rrbleeker

‎10-16-2001 04:24 AM

However, ICMP echo reply packets do contain enough information to indicate that they are infact replies to valid requests, and not false replies.

This can be achieved using the Identifier and Sequence number fields sent in the echo request packet, that should be returned in the echo reply message.

If firewalling devices checked this, then tools like loki (and its many variants) would have more difficulty running.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents