
New Member

nat 0 and access-list

Hi,

I have a problem configuring the PIX to permit connections from higher to lower security.

I used the nat 0 command and an access-list 101 permit statement, and applied the access-list to the interface with "access-group 101 in interface inside".

But even a ping to the outside server defined in the access-list doesn't get a reply back (the server has a default gateway of the PIX outside intf).

With a debug icmp trace, I can see the echo-request going through the PIX, but I can't see the echo-reply coming back to the PIX! I wonder if the PIX silently drops the echo-reply???

Searching on the Bug Navigator doesn't hit any bugs regarding this problem.

Some reading on a Cisco mailing-list reveals that the NAT 0 command is not so stable (nat 0 works for a while and then it dies). Is this true? Has anyone experienced problems with the nat 0 command on the 5.x series?

Appreciate any help.

Regards.

4 REPLIES
New Member

Re: nat 0 and access-list

ICMP packets are dropped from outside to inside interfaces. You should use an access-list on the outside interface to permit ICMP reply into the inside.

New Member

Re: nat 0 and access-list

Thanks mazhar,

That helps me. I should create another access-list on the outside intf to permit the icmp-reply back to the sender!

I was thinking that since the PIX already knew the source and destination for the ICMP request, it should permit the ICMP reply back from the destination to the sender.

Why does the PIX treat icmp-request and icmp-reply as different sessions?

New Member

Re: nat 0 and access-list

Because they are completely different packets. ICMP is stateless!

New Member

Re: nat 0 and access-list

However, ICMP echo reply packets do contain enough information to indicate that they are in fact replies to valid requests, and not false replies.

This can be achieved using the Identifier and Sequence Number fields sent in the echo request packet, which should be returned in the echo reply message.

If firewalling devices checked this, then tools like loki (and its many variants) would have more difficulty running.
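The check the last reply describes, as an added example that is not part of this thread or of any Cisco product: a hypothetical stateful ICMP echo tracker in Python that admits an inbound echo reply only when its Identifier and Sequence Number (and the echoed data) match an echo request seen leaving the inside; an unsolicited reply, or the same reply delivered twice, is dropped. The addresses, packets and the `EchoTracker` class are all constructed for the demonstration.

```python
import struct
ECHO_REPLY, ECHO_REQUEST = 0, 8

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a packet with a valid checksum sums to 0."""
    data += b"\x00" * (len(data) % 2)  # pad odd-length data
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    body = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload  # constructed packet
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def parse_echo(pkt: bytes):
    if len(pkt) < 8 or icmp_checksum(pkt) != 0:  # verify before trusting any field
        raise ValueError("truncated ICMP packet or bad checksum")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return icmp_type, ident, seq, pkt[8:]

class EchoTracker:
    """Hypothetical stateful filter: permit a reply only if a matching request left the inside."""
    def __init__(self):
        self.pending = {}  # (src, dst, identifier, sequence) -> payload of outstanding request
    def outbound(self, src: str, dst: str, pkt: bytes) -> str:
        icmp_type, ident, seq, payload = parse_echo(pkt)
        if icmp_type != ECHO_REQUEST:
            return "ignored"
        self.pending[(src, dst, ident, seq)] = payload
        return "tracked"

    def inbound(self, src: str, dst: str, pkt: bytes) -> str:
        icmp_type, ident, seq, payload = parse_echo(pkt)
        if icmp_type != ECHO_REPLY:
            return "drop: not an echo reply"
        expected = self.pending.pop((dst, src, ident, seq), None)  # reply flows reversed
        if expected is None:
            return "drop: unsolicited reply"  # nothing asked for it (loki-style traffic)
        if payload != expected:
            return "drop: payload differs"  # RFC 792: request data must be echoed back
        return "permit"

def demo() -> list:
    fw, inside, server = EchoTracker(), "10.1.1.5", "192.0.2.10"  # constructed addresses
    good = build_echo(ECHO_REPLY, 0x1234, 1, b"abcdefgh")
    return [fw.outbound(inside, server, build_echo(ECHO_REQUEST, 0x1234, 1, b"abcdefgh")),
            fw.inbound(server, inside, good),
            fw.inbound(server, inside, good),  # same reply again: request already consumed
            fw.inbound(server, inside, build_echo(ECHO_REPLY, 0x9999, 7, b"covert"))]
```

A real firewall would also expire pending entries after a timeout so the state table cannot grow without bound.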
