NAT problem with PIX 515E

I have configured a PIX 515E, OS 7.0(1) for dynamic PAT from the inside network to the outside interface ip address of the PIX. I have also configured access lists allowing icmp from inside to outside and from outside to inside. All traffic (www, dns, ftp, etc.) works fine except ping. Whenever I do a ping from an inside host to any address outside, I get the following error messages:

6|Aug 24 2006 11:10:52|609002: Teardown local-host outside:193.222.224.104 duration 0:00:10

6|Aug 24 2006 11:10:52|302021: Teardown ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/9 laddr FDFR001/8994

6|Aug 24 2006 11:10:50|302021: Teardown ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/8 laddr FDFR001/8993

4|Aug 24 2006 11:10:50|106023: Deny icmp src outside:193.222.224.104 dst inside:212.203.90.59 (type 0, code 0) by access-group "outside_access_in"

6|Aug 24 2006 11:10:50|302020: Built ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/9 laddr FDFR001/8994

6|Aug 24 2006 11:10:48|302021: Teardown ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/7 laddr FDFR001/8992

4|Aug 24 2006 11:10:48|106023: Deny icmp src outside:193.222.224.104 dst inside:212.203.90.59 (type 0, code 0) by access-group "outside_access_in"

6|Aug 24 2006 11:10:48|302020: Built ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/8 laddr FDFR001/8993

6|Aug 24 2006 11:10:46|302021: Teardown ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/6 laddr FDFR001/8991

4|Aug 24 2006 11:10:46|106023: Deny icmp src outside:193.222.224.104 dst inside:212.203.90.59 (type 0, code 0) by access-group "outside_access_in"

6|Aug 24 2006 11:10:46|302020: Built ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/7 laddr FDFR001/8992

6|Aug 24 2006 11:10:44|302021: Teardown ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/5 laddr FDFR001/8990

4|Aug 24 2006 11:10:44|106023: Deny icmp src outside:193.222.224.104 dst inside:212.203.90.59 (type 0, code 0) by access-group "outside_access_in"

6|Aug 24 2006 11:10:44|302020: Built ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/6 laddr FDFR001/8991

4|Aug 24 2006 11:10:42|106023: Deny icmp src outside:193.222.224.104 dst inside:212.203.90.59 (type 0, code 0) by access-group "outside_access_in"

6|Aug 24 2006 11:10:42|302020: Built ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/5 laddr FDFR001/8990

6|Aug 24 2006 11:10:42|609001: Built local-host outside:193.222.224.104

What might be the problem?

Thanks, Meg
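The log excerpt above already contains the diagnosis: every 302020 "Built ICMP connection" for the outbound echo request is followed two lines later by a 106023 "Deny icmp ... (type 0, code 0)" for the matching echo reply, dropped by the outside access group. The following script is an added example, not code from the original post or from Cisco: it parses the PIX "severity|timestamp|message-id: text" line format, pairs each built ICMP connection with a later type 0 deny for the same address pair, and reports which access group is dropping the replies. The sample lines are a subset copied from the question.

```python
"""Triage PIX/ASA syslog lines for echo replies dropped by an inbound ACL.

Added example (not from the original thread or from Cisco). It looks for the
pattern in the question: an outbound ICMP session is built (302020) and the
returning echo reply (type 0) is then denied (106023) by the access group on
the outside interface.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the original post.
SAMPLE_LOG = """\
6|Aug 24 2006 11:10:42|609001: Built local-host outside:193.222.224.104
6|Aug 24 2006 11:10:42|302020: Built ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/5 laddr FDFR001/8990
4|Aug 24 2006 11:10:42|106023: Deny icmp src outside:193.222.224.104 dst inside:212.203.90.59 (type 0, code 0) by access-group "outside_access_in"
6|Aug 24 2006 11:10:44|302020: Built ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/6 laddr FDFR001/8991
4|Aug 24 2006 11:10:44|106023: Deny icmp src outside:193.222.224.104 dst inside:212.203.90.59 (type 0, code 0) by access-group "outside_access_in"
6|Aug 24 2006 11:10:44|302021: Teardown ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/5 laddr FDFR001/8990
"""

# Outer envelope: severity | timestamp | six-digit message id: text
LINE_RE = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}): (?P<text>.*)$")
# 302020: foreign address (outside peer) and global address (PAT address)
BUILT_RE = re.compile(
    r"Built ICMP connection for faddr (?P<faddr>[\d.]+)/\d+ gaddr (?P<gaddr>[\d.]+)/\d+"
)
# 106023: denied packet with interfaces, addresses, ICMP type/code and the ACL name
DENY_RE = re.compile(
    r"Deny icmp src (?P<src_if>\w+):(?P<src>[\d.]+) dst (?P<dst_if>\w+):(?P<dst>[\d.]+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\) by access-group \"(?P<acl>[^\"]+)\""
)

ECHO_REPLY = 0


def parse_line(line):
    """Split one syslog line into its envelope fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"sev": int(m["sev"]), "ts": m["ts"], "msgid": m["msgid"], "text": m["text"]}


def find_blocked_replies(log_text):
    """Return [(acl, outside_peer, pat_addr, count)] for echo replies that were
    denied after an outbound ICMP session to that peer had been built."""
    built = set()            # (faddr, gaddr) pairs with an outbound ICMP session
    hits = defaultdict(int)  # (acl, src, dst) -> number of denied replies
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["msgid"] == "302020":
            b = BUILT_RE.search(rec["text"])
            if b:
                built.add((b["faddr"], b["gaddr"]))
        elif rec["msgid"] == "106023":
            d = DENY_RE.search(rec["text"])
            # Only count type 0 (echo reply) drops that answer a session we saw built.
            if d and int(d["type"]) == ECHO_REPLY and (d["src"], d["dst"]) in built:
                hits[(d["acl"], d["src"], d["dst"])] += 1
    return [(acl, src, dst, n) for (acl, src, dst), n in sorted(hits.items())]


if __name__ == "__main__":
    for acl, peer, pat_addr, n in find_blocked_replies(SAMPLE_LOG):
        print(f"{n} echo replies from {peer} to {pat_addr} dropped by access-group {acl}")
```

Run against the full log from the question, the script attributes every dropped reply to "outside_access_in", which is exactly the ACL the answers below say must permit echo-reply.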

Accepted Solution

Re: NAT problem with PIX 515E

Actually, you only have to allow the echo replies from any to any on the outside interface... If you make the following ACL on the outside, it should work...

access-list outside_access_in extended permit icmp any any echo-reply

2 REPLIES

Re: NAT problem with PIX 515E

Hi... by the look of it, it seems your access-list outside_access_in is blocking the icmp reply packets (icmp type 0).

You have 2 options: either specifically allow icmp any any on the access-list applied to the interfaces, or enable icmp inspection (which is disabled by default) and allow icmp any any on the access-list applied to the inside only.

ICMP is a connectionless protocol and so the ASA only creates unidirectional sessions by default, which must be specifically allowed on the source and destination (inside/outside) interfaces.

I hope it helps ... please rate it if it does !!!
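The two replies together describe three ways to get the replies through: permit icmp any any on the outside ACL, permit only echo-reply on the outside ACL (the accepted answer), or turn on ICMP inspection with an icmp permit on the inside ACL only. The toy model below is an added example, not code from the original thread or from Cisco; it assumes a simplified two-interface firewall where the inside ACL permits icmp any any in every option, the outside ACL is a list of permitted ICMP types, and with inspection on a reply is passed when it answers a request the firewall saw go out. It shows the difference a defender cares about: only the first option also lets unsolicited echo requests from the outside in. The third address (203.0.113.9) is a constructed example host.

```python
"""Compare the three ICMP policies from the replies on a toy stateful firewall.

Added example, not from the original thread or from Cisco. Simplified model:
the inside ACL permits icmp any any in all three options; the outside ACL is a
list of permitted ICMP types (None = any type); with ICMP inspection enabled,
an echo reply is passed when a matching echo request was seen leaving.
"""
ECHO_REPLY, ECHO_REQUEST = 0, 8


class Packet:
    def __init__(self, src, dst, icmp_type, ingress, ident=1):
        self.src, self.dst = src, dst
        self.icmp_type, self.ingress, self.ident = icmp_type, ingress, ident


class ToyFirewall:
    def __init__(self, outside_acl, inspect_icmp=False):
        self.outside_acl = outside_acl   # ICMP types permitted inbound on outside
        self.inspect_icmp = inspect_icmp
        self.sessions = set()            # (inside_side_addr, outside_addr, ident)

    def _outside_acl_permits(self, pkt):
        return any(t is None or t == pkt.icmp_type for t in self.outside_acl)

    def forward(self, pkt):
        """True if the packet is passed, False if it is dropped."""
        if pkt.ingress == "inside":
            # Inside ACL permits icmp any any; with inspection, remember the request.
            if self.inspect_icmp and pkt.icmp_type == ECHO_REQUEST:
                self.sessions.add((pkt.src, pkt.dst, pkt.ident))
            return True
        # Arriving on outside: a reply to a tracked request bypasses the ACL...
        key = (pkt.dst, pkt.src, pkt.ident)
        if self.inspect_icmp and pkt.icmp_type == ECHO_REPLY and key in self.sessions:
            self.sessions.discard(key)   # one reply per request
            return True
        # ...everything else must be permitted by the outside ACL.
        return self._outside_acl_permits(pkt)


PAT_ADDR = "212.203.90.59"       # outside interface address from the question
OUTSIDE_HOST = "193.222.224.104"  # the pinged host from the question
STRANGER = "203.0.113.9"          # constructed: an unrelated outside host

# The three options as they appear in the replies.
POLICIES = {
    "permit icmp any any on outside": dict(outside_acl=[None]),
    "permit icmp any any echo-reply on outside": dict(outside_acl=[ECHO_REPLY]),
    "inspect icmp, no icmp permit on outside": dict(outside_acl=[], inspect_icmp=True),
}


def evaluate(policy_name):
    """Run an outbound ping, its reply, and an unsolicited inbound ping."""
    fw = ToyFirewall(**POLICIES[policy_name])
    return {
        "ping_out": fw.forward(Packet(PAT_ADDR, OUTSIDE_HOST, ECHO_REQUEST, "inside", ident=5)),
        "reply_in": fw.forward(Packet(OUTSIDE_HOST, PAT_ADDR, ECHO_REPLY, "outside", ident=5)),
        "unsolicited_ping_in": fw.forward(Packet(STRANGER, PAT_ADDR, ECHO_REQUEST, "outside", ident=7)),
    }


if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name:45s} {evaluate(name)}")
```

All three options let the user's own ping succeed; the echo-reply-only ACL and the inspection option do so without exposing the PAT address to inbound echo requests, which is why the narrower ACL in the accepted answer is the better of the two ACL choices.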

