https://community.cisco.com/t5/network-security/icmp-problem-whilst-using-pat-on-pix/m-p/360015#M549061 <HTML><HEAD></HEAD><BODY><P>ICMP is not a stateful protocol ! </P><P></P><P>Thats why even from the inside network with PAT,NAT and no access-list on the ionside network ping will not work. </P><P></P><P>You need to create an access-list that permits the icmp traffic traveling interfaces. And to ping the same interface that you are connected to, example ping inside IP from an inside host you need to configure the "icmp" command.</P><P></P><P>examples:</P><P></P><P>Traceroute</P><P>Microsoft:</P><P>access-group 101 in interface outside</P><P>access-list 101 permit icmp any host YourPublicIP unreachable</P><P>access-list 101 permit icmp any host YourPublicIP time-exceeded</P><P>access-list 101 permit icmp any host YourPublicIP echo-reply</P><P></P><P>UNIX:</P><P>access-group 101 in interface outside</P><P>access-list 101 permit icmp any host YourPublicIP unreachable</P><P>access-list 101 permit icmp any host YourPublicIP time-exceeded</P><P></P><P>ICMP command example</P><P>icmp deny any outside</P><P>icmp permit any echo-reply outside</P><P>icmp permit any echo-reply inside</P><P>icmp permit host 192.168.1.30 echo inside</P><P>icmp permit host 192.168.1.31 echo inside</P><P>icmp permit host 192.168.1.20 echo inside</P><P>icmp permit host 192.168.1.40 echo inside</P><P>icmp permit host 192.168.1.100 echo inside</P><P></P><P>See: Handling ICMP Pings with the PIX Firewall</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml</A></P><P></P><P>The PIX and the traceroute Command</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml</A></P><P></P><P>sincerely</P><P>Patrick</P></BODY></HTML> Wed, 20 Apr 2005 11:24:41 GMT Patrick Iseli 2005-04-20T11:24:41Z https://community.cisco.com/t5/network-security/icmp-problem-whilst-using-pat-on-pix/m-p/360014#M549060 <P>I currently have PAT enabled on our Pix, I can connect to the Net however whenever I try to ping I can see the ICMP packets getting dropped on the way back in. I have a default rule permitting IP outbound from any internal address. My understanding is that the session should keep a port open whilst I am initiating the ping. My only thoughts are that the ping is getting dropped because the Pix is seeing this as a session, which is being initiated from the remote site. Can anyone offer an explanation to this?</P> Fri, 21 Feb 2020 08:05:36 GMT https://community.cisco.com/t5/network-security/icmp-problem-whilst-using-pat-on-pix/m-p/360014#M549060 g.watt 2020-02-21T08:05:36Z https://community.cisco.com/t5/network-security/icmp-problem-whilst-using-pat-on-pix/m-p/360015#M549061 <HTML><HEAD></HEAD><BODY><P>ICMP is not a stateful protocol ! </P><P></P><P>Thats why even from the inside network with PAT,NAT and no access-list on the ionside network ping will not work. </P><P></P><P>You need to create an access-list that permits the icmp traffic traveling interfaces. And to ping the same interface that you are connected to, example ping inside IP from an inside host you need to configure the "icmp" command.</P><P></P><P>examples:</P><P></P><P>Traceroute</P><P>Microsoft:</P><P>access-group 101 in interface outside</P><P>access-list 101 permit icmp any host YourPublicIP unreachable</P><P>access-list 101 permit icmp any host YourPublicIP time-exceeded</P><P>access-list 101 permit icmp any host YourPublicIP echo-reply</P><P></P><P>UNIX:</P><P>access-group 101 in interface outside</P><P>access-list 101 permit icmp any host YourPublicIP unreachable</P><P>access-list 101 permit icmp any host YourPublicIP time-exceeded</P><P></P><P>ICMP command example</P><P>icmp deny any outside</P><P>icmp permit any echo-reply outside</P><P>icmp permit any echo-reply inside</P><P>icmp permit host 192.168.1.30 echo inside</P><P>icmp permit host 192.168.1.31 echo inside</P><P>icmp permit host 192.168.1.20 echo inside</P><P>icmp permit host 192.168.1.40 echo inside</P><P>icmp permit host 192.168.1.100 echo inside</P><P></P><P>See: Handling ICMP Pings with the PIX Firewall</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml</A></P><P></P><P>The PIX and the traceroute Command</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml</A></P><P></P><P>sincerely</P><P>Patrick</P></BODY></HTML> Wed, 20 Apr 2005 11:24:41 GMT https://community.cisco.com/t5/network-security/icmp-problem-whilst-using-pat-on-pix/m-p/360015#M549061 Patrick Iseli 2005-04-20T11:24:41Z