https://community.cisco.com/t5/network-security/packet-tracer-showing-drop/m-p/2057893#M402615 <HTML><HEAD></HEAD><BODY><P> I tried packet tracer as you updated : </P><P>packet-tracer input inside icmp 172.25.28.23 8 0 1.1.1.1</P><P></P><P>Could you tell me what does icmp type 8 mean and icmp code 0 mean?</P></BODY></HTML> Wed, 17 Oct 2012 07:12:59 GMT Kashish_Patel 2012-10-17T07:12:59Z https://community.cisco.com/t5/network-security/packet-tracer-showing-drop/m-p/2057889#M402607 <P>My firewall is running on 8.2(5)33 version. I am facing a problem where config looks fine, but still firewall is dropping packet (I saw this in packet tracer).</P><P>I am pasting packet tracer output below. In the final result, it says acl-drop, but ACL is allowing icmps as shown in phase 2. What am I missing?</P><P></P><P>fw1# packet-tracer input inside icmp 172.25.28.23 2 3 1.1.1.1</P><P></P><P>Phase: 1</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in&nbsp;&nbsp; 0.0.0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0.0.0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; outside</P><P></P><P>Phase: 2</P><P>Type: ACCESS-LIST</P><P>Subtype: log</P><P>Result: ALLOW</P><P>Config:</P><P>access-group to-outside in interface inside</P><P>access-list to-outside extended permit icmp any any </P><P>Additional Information:</P><P></P><P>Phase: 3</P><P>Type: IP-OPTIONS</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P>Phase: 4</P><P>Type: INSPECT</P><P>Subtype: np-inspect</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P>Phase: 5</P><P>Type: NAT</P><P>Subtype: </P><P>Result: DROP</P><P>Config:</P><P>nat (inside) 2 access-list nat-to-fixed-global-ip</P><P>&nbsp; match ip inside host 172.25.28.23 outside host 1.1.1.1</P><P>&nbsp;&nbsp;&nbsp; dynamic translation to pool 2 (&lt;nat IP&gt;)</P><P>&nbsp;&nbsp;&nbsp; translate_hits = 4, untranslate_hits = 0</P><P>Additional Information:</P><P></P><P>Result:</P><P>input-interface: inside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: outside</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: drop</P><P>Drop-reason: (acl-drop) Flow is denied by configured rule</P> Tue, 12 Mar 2019 00:10:29 GMT https://community.cisco.com/t5/network-security/packet-tracer-showing-drop/m-p/2057889#M402607 Kashish_Patel 2019-03-12T00:10:29Z https://community.cisco.com/t5/network-security/packet-tracer-showing-drop/m-p/2057890#M402609 <HTML><HEAD></HEAD><BODY><P>It's dropping due to NAT on Phase 5 of your packet tracer output.</P><P>Check the NAT statement to see if it has been correctly configured, and if you just configure a new translation statement, make sure that you have "clear xlate".</P></BODY></HTML> Wed, 17 Oct 2012 05:32:02 GMT https://community.cisco.com/t5/network-security/packet-tracer-showing-drop/m-p/2057890#M402609 Jennifer Halim 2012-10-17T05:32:02Z https://community.cisco.com/t5/network-security/packet-tracer-showing-drop/m-p/2057891#M402611 <HTML><HEAD></HEAD><BODY><P>Hi Jennifer,</P><P></P><P>Thanks for replying. I did "clear xlate". Still packet tracer is showing drop. Nat statement is correctly configured. If you want to check, I can share the config offline.</P><P></P><P>Thanks.</P></BODY></HTML> Wed, 17 Oct 2012 06:01:39 GMT https://community.cisco.com/t5/network-security/packet-tracer-showing-drop/m-p/2057891#M402611 Kashish_Patel 2012-10-17T06:01:39Z https://community.cisco.com/t5/network-security/packet-tracer-showing-drop/m-p/2057892#M402612 <HTML><HEAD></HEAD><BODY><P>What are you trying to test with packet tracer?</P><P>Ping? if it is, then it should have been:</P><P></P><P>packet-tracer input inside icmp 172.25.28.23 8 0 1.1.1.1</P></BODY></HTML> Wed, 17 Oct 2012 06:57:52 GMT https://community.cisco.com/t5/network-security/packet-tracer-showing-drop/m-p/2057892#M402612 Jennifer Halim 2012-10-17T06:57:52Z https://community.cisco.com/t5/network-security/packet-tracer-showing-drop/m-p/2057893#M402615 <HTML><HEAD></HEAD><BODY><P> I tried packet tracer as you updated : </P><P>packet-tracer input inside icmp 172.25.28.23 8 0 1.1.1.1</P><P></P><P>Could you tell me what does icmp type 8 mean and icmp code 0 mean?</P></BODY></HTML> Wed, 17 Oct 2012 07:12:59 GMT https://community.cisco.com/t5/network-security/packet-tracer-showing-drop/m-p/2057893#M402615 Kashish_Patel 2012-10-17T07:12:59Z https://community.cisco.com/t5/network-security/packet-tracer-showing-drop/m-p/2057894#M402616 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P><A href="http://www.nthelp.com/icmp.html">http://www.nthelp.com/icmp.html</A></P><P></P><P>Regards.</P><P></P><P>Alain</P><P></P><P></P><P>Don't forget to rate helpful posts.</P></BODY></HTML> Wed, 17 Oct 2012 07:22:30 GMT https://community.cisco.com/t5/network-security/packet-tracer-showing-drop/m-p/2057894#M402616 cadet alain 2012-10-17T07:22:30Z