topic Re: ICMP echo-request: untranslating outside in Network Security

ICMP echo-request: untranslating outside

hassepedro50 — Mon, 11 Mar 2019 10:04:26 GMT

Hi please Help if you can

I'm trying to access from the outside interface using ping from a router 172.24.16.5, where there is a

ip route 172.24.16.8 255.255.255.255 172.24.16.7

The device i'm trying to ping is on the inside side of the pix and has ip of 10.10.10.175 and responds to ping from the PIX

the router 172.24.16.5 on the outside side of the pix also reponds to pings from the pix

Enabling debug iCMP trace and pinging 172.24.16.8 from the router 172.24.16.5 i do get the following messages

----------------------------------------------------------------------------------------------------

macaefw2# debug icmp trace

ICMP trace on

Warning: this may cause problems on busy networks

macaefw2# 102: ICMP echo-request from outside:172.24.16.5 to 172.24.16.8 ID=56 seq=0 length=80

103: ICMP echo-request: untranslating outside:172.24.16.8 to inside:10.10.10.175

104: ICMP echo-request from outside:172.24.16.5 to 172.24.16.8 ID=56 seq=1 length=80

105: ICMP echo-request: untranslating outside:172.24.16.8 to inside:10.10.10.175

From the sh log enabled i do see

--------------------------------

605005: Login permitted from 172.22.20.142/3876 to outside:172.24.16.7/ssh for user "acergy"

111008: User 'enable_15' executed the 'debug icmp trace' command.

106100: access-list acl_outside permitted icmp outside/172.24.16.5(0) -> inside/172.24.16.8(8) hit-cnt 1 (first hit)

Also doing sh Xlate i see

---------------------------

1 in use, 1 most used

Global 172.24.16.8 Local 10.10.10.175

The full configuration is below. Can you please tell me why ping does not work?

-------------------------------------------------------------------------------

Re: ICMP echo-request: untranslating outside

ecouto — Thu, 26 Apr 2007 10:12:22 GMT

silly question: the host 10.10.10.175 has the a route back to the pix for the network 172.24.16.0/24 or default gateway?

Cheers,

Emilio

Re: ICMP echo-request: untranslating outside

mark.j.hodge — Thu, 26 Apr 2007 10:25:09 GMT

In order for you to initiate traffic from the outside, you either need a static mapping from an outside address to an inside address. Or to exempt the traffic from translation using a "nat 0" command.

Re: ICMP echo-request: untranslating outside

ecouto — Thu, 26 Apr 2007 10:27:45 GMT

If you look the config file (Pix Problem.txt), he have an static already for this.

static (inside,outside) 172.24.16.8 10.10.10.175 netmask 255.255.255.255 0 0

Emilio

Re: ICMP echo-request: untranslating outside

hassepedro50 — Thu, 26 Apr 2007 10:33:27 GMT

Not silly at all. The divice is display that controls a big crane. Route probably cannot be configured on it. I'm trying a proper PC on the same network this afertnooon. Also i thing that the IP setting on the display are IP 10.10.10.175 255.255.255.0 and no default gateway

Re: ICMP echo-request: untranslating outside

Jon Marshall — Thu, 26 Apr 2007 11:55:14 GMT

As already suggested it does look like it could be a routing issue.

If the pix can ping the server on it's 10.10.10.175 address one thing you could do is translate the 172.24.16.5 address to the IP address of the internal interface of the pix ie

nat (outside) 1 172.24.16.5 255.255.255.255 outside

global (inside) 1 interface

One caveat is that its clear on your full topology so this might mess other things up.

HTH

Jon

Re: ICMP echo-request: untranslating outside

hassepedro50 — Thu, 26 Apr 2007 12:44:29 GMT

Thanks that sort the issue. Can you please just clarify that it might not be working the other way because of the lack of defult gateway configuration on the server .175 . This is because its not a server it's a special device that controlls a huge Crane

Re: ICMP echo-request: untranslating outside

Jon Marshall — Thu, 26 Apr 2007 13:01:12 GMT

Yes if you initiate the connection from the device it probably won't work.

What you could do that may work is. Instead of natting the router IP 172.24.16.5 to the inside pix interface you could NAT it to spare 10.10.10.x address. This address needs to be in the same subnet as your .175 server.

So say 10.10.10.182 is spare.

nat (outside) 1 172.24.16.5 255.255.255.255 outside

global (inside) 1 10.10.10.182

If the address is in the same subnet as the pix internal interface then the pix should respond to the arp from your .175 server.

So from the .175 server you need to ping 10.10.10.182.

It might not work but it would be worth a try.

HTH

Jon

Re: ICMP echo-request: untranslating outside

Jon Marshall — Thu, 26 Apr 2007 13:10:55 GMT

Amendment to previous post.

Use spare IP address 10.10.10.182.

Don't use NAT and global statements, so remove the existing one you setup for this.

Add

static (outside,inside) 10.10.10.182 172.16.24.5 netmask 255.255.255.255

Apologies for this

HTH

Jon

Re: ICMP echo-request: untranslating outside

ecouto — Thu, 26 Apr 2007 13:17:39 GMT

Hey Jon, Can you do statics like that in version 6.3(4)?

Emilio

Re: ICMP echo-request: untranslating outside

Jon Marshall — Thu, 26 Apr 2007 13:20:19 GMT

Hi Emilio

I have a pix 515E running 6.3(3) and i have a lot of these type of static commands on then so i can't see why 6.3(4) wouldn't work.

HTH

Jon

Re: ICMP echo-request: untranslating outside

ecouto — Thu, 26 Apr 2007 13:34:33 GMT

Just asking because version 6.3 and version 7 change the way of you can create statics and NATs. If you have in use must work then.

Emilio