topic Re: Deny Inbound Message in Network Security

Deny Inbound Message

tbogie_gvds — Mon, 11 Mar 2019 10:24:53 GMT

I am having an issue with trying to get a ping through a PIX515 with OS6.2(4). The message I keep getting, and I am unsure as to why, is as follows:

106011: Deny inbound (No xlate) icmp src ACCNT:ACCA2-BK_Fas00 dst ACCNT:ACCAS1_Tunnel3 (type 8, code 0)

The config is attached. I would be grateful if someone could assist please.

Thanks,

Timothy

Re: Deny Inbound Message

cmcbride — Tue, 05 Jun 2007 19:04:58 GMT

By default the PIX does not allow inbound ICMP packets. ICMP is somewhat stateless and thus Ping will not work outbound unless you explicitly allow certain packets in through the access-list. I.e.

access-list inside_access_in permit icmp any any unreachable

access-list inside_access_in permit icmp any any echo-reply

access-list inside_access_in permit icmp any any time-exceeded

access-list inside_access_in permit icmp any any traceroute

Re: Deny Inbound Message

tbogie_gvds — Thu, 07 Jun 2007 06:51:56 GMT

Wouldn't these statements do roughly the same thing?

name 172.16.4.138 ACCAS1_Tunnel3

name 172.16.4.6 ACCA2-BK_Fas00

pdm location ACCA2-BK_Fas00 255.255.255.255 inside

object-group network GRE_Tunnel_INSIDE

network-object ACCA2-BK_Fas00 255.255.255.255

object-group icmp-type Management_PING

icmp-object unreachable

icmp-object time-exceeded

icmp-object echo-reply

icmp-object source-quench

access-list inside_access_in permit icmp object-group GRE_Tunnel_INSIDE host ACCAS1_Tunnel3 echo

access-list ACCNT_access_in permit icmp host ACCAS1_Tunnel3 object-group GRE_Tunnel_INSIDE object-group Management_PING

static (inside,ACCNT) ACCA2-BK_Fas00 ACCA2-BK_Fas00 netmask 255.255.255.255 0 0

access-group inside_access_in in interface inside

access-group ACCNT_access_in in interface ACCNT

route inside 172.16.4.4 255.255.255.252 ACCANSBK_Untrust

route ACCNT ACCAS1_Tunnel3 255.255.255.255 ACCA3_FastEth00 1