Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
586
Views
0
Helpful
1
Replies

%PIX-3-10601: Deny inbound (No Xlate) icmp

jeffrey_goodman
Level 1
Level 1

‎11-20-2001 09:22 AM - edited ‎03-08-2019 09:13 PM

Hello,

I cannot find an adequate explanation of this error:

Nov 20 01:19:24 10.6.0.128 %PIX-3-106011: Deny inbound (No xlate) icmp src external:202.148.1.232 dst external:63.111.13.100 (type 3, code 1)

It occurs frequently, in a periodic series of errors, as if it is some kind of port scan.

Any thoughts?

Labels:
0 Helpful
1 Reply 1

brford
Cisco Employee
Cisco Employee

‎11-22-2001 07:50 AM

Jeffrey,

First go to Google and search for ICMP codes. Find a site that explains the ICMP codes and book mark it. It becomes a valuable reference when reading logs.

The type 3, code 1 message is "destination unreachable, host unreachable". It can come from many things, including a port scan. You should next try and figure out if the source or destination is in your network. WHy are you seeing this at the firewall? Is the source / destination always the same IP or a range of IPs?

Liberty for All,

Brian

Brian Ford | brford@cisco.com | brford@yahoo.com | 51 75 61 6c 69 74 79 20 6d 65 61 6e 73 20 64 6f 69 6e 67 20 69 74 20 72 69 67 68 74 20 77 68 65 6e 20 6e 6f 20 6f 6e 65 20 69 73 20 6c 6f 6f 6b 69 6e 67 2e | Email me when you figure this out.
0 Helpful
Customers Also Viewed These Support Documents