Beginner

How NAT/PAT handle icmp traffic in CISCO ASA?

I've been having thoughts about this for a while. We know that PAT uses TCP/UDP port numbers to distinguish between inside hosts via a mapping table for private IPs, internal/external ports and all that stuff, all of which happens so that the return packets from outside (despite having the same destination IP) will be remapped and reach the correct inside host.

Now how can ping/ICMP replies route back to the inside when we know ICMP is not at the TCP/UDP level, so it does NOT use port numbers at all? Any idea? Maybe I'm missing something.

Practically, I'm behind PAT and I can always ping outside.

Cisco Employee

Your question is exactly, literally, exactly the same as this one:

http://www.firewall.cx/forum/2-basic-concepts/27492-how-natpat-handles-pingicmp.html

It just uses low port numbers:

ICMP PAT from inside:172.16.x.5/6 to outside:x.x.x.x/6 flags ri idle 0:00:00 timeout 0:00:30
ICMP PAT from inside:172.16.x.5/5 to outside:x.x.x.x/5 flags ri idle 0:00:06 timeout 0:00:30
ICMP PAT from inside:172.16.x.5/4 to outside:x.x.x.x/4 flags ri idle 0:00:22 timeout 0:00:30

Mike
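To make the reply's point concrete: the number after the slash in an ICMP xlate (the /4, /5, /6 above) is the 16-bit ICMP identifier from the echo header, which PAT treats exactly like a TCP/UDP port (this is how NAPT for ICMP queries is specified in RFC 5508). The toy translator below is an added example, not code from the original post or from Cisco: it builds real echo request/reply messages, keeps a two-way xlate table keyed on (inside IP, identifier) and on the outside identifier, rewrites the identifier and recomputes the checksum in each direction, and idles entries out after 30 seconds like the "timeout 0:00:30" in the output. The outside address 203.0.113.10, the two inside hosts, and the fact that both hosts happen to pick identifier 1 are constructed for the example; allocating the lowest free identifier is an assumption made for illustration, not a statement about the ASA's allocator.

```python
"""Toy ICMP PAT translator: the ICMP identifier plays the role of the TCP/UDP port."""
import struct
from dataclasses import dataclass

ECHO_REPLY, ECHO_REQUEST = 0, 8
IDLE_TIMEOUT = 30.0          # seconds; matches "timeout 0:00:30" in the xlate output
OUTSIDE_IP = "203.0.113.10"  # assumed public PAT address (RFC 5737 documentation range)


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type, ident, seq, payload=b""):
    """Build an ICMP echo request/reply: type, code, checksum, identifier, sequence."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def icmp_fields(msg):
    """Return (type, identifier, sequence) of an echo message."""
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return icmp_type, ident, seq


@dataclass
class Xlate:
    inside_ip: str
    inside_id: int
    outside_id: int
    last_used: float


class IcmpPat:
    """The same two-way table PAT keeps for TCP/UDP, keyed on the ICMP identifier."""

    def __init__(self, outside_ip=OUTSIDE_IP, idle_timeout=IDLE_TIMEOUT):
        self.outside_ip = outside_ip
        self.idle_timeout = idle_timeout
        self.by_inside = {}   # (inside_ip, inside_id) -> Xlate
        self.by_outside = {}  # outside_id -> Xlate

    def _expire(self, now):
        for key, x in list(self.by_inside.items()):
            if now - x.last_used > self.idle_timeout:
                del self.by_inside[key]
                del self.by_outside[x.outside_id]

    def _alloc_outside_id(self):
        # Assumption for the toy: lowest free identifier (gives small numbers like /4, /5, /6).
        ident = 1
        while ident in self.by_outside:
            ident += 1
        return ident

    def outbound(self, src_ip, msg, now):
        """Inside -> outside echo request. Returns (translated_src_ip, translated_msg)."""
        self._expire(now)
        icmp_type, ident, seq = icmp_fields(msg)
        if icmp_type != ECHO_REQUEST:
            raise ValueError("only echo requests open an ICMP xlate in this toy")
        x = self.by_inside.get((src_ip, ident))
        if x is None:
            x = Xlate(src_ip, ident, self._alloc_outside_id(), now)
            self.by_inside[(src_ip, ident)] = x
            self.by_outside[x.outside_id] = x
        x.last_used = now
        return self.outside_ip, build_echo(icmp_type, x.outside_id, seq, msg[8:])

    def inbound(self, msg, now):
        """Outside -> inside echo reply. Returns (inside_ip, untranslated_msg) or None (dropped)."""
        self._expire(now)
        icmp_type, ident, seq = icmp_fields(msg)
        x = self.by_outside.get(ident)
        if icmp_type != ECHO_REPLY or x is None:
            return None   # no xlate for this identifier: nowhere to deliver it, so drop
        x.last_used = now
        return x.inside_ip, build_echo(icmp_type, x.inside_id, seq, msg[8:])

    def show_xlate(self, now):
        """Render the table in the shape of the ASA 'show xlate' lines quoted in the reply."""
        self._expire(now)
        lines = []
        for x in sorted(self.by_outside.values(), key=lambda e: e.outside_id):
            idle = int(now - x.last_used)
            lines.append("ICMP PAT from inside:%s/%d to outside:%s/%d flags ri idle 0:%02d:%02d timeout 0:00:30"
                         % (x.inside_ip, x.inside_id, self.outside_ip, x.outside_id, idle // 60, idle % 60))
        return lines


def demo():
    """Two inside hosts (constructed) both ping with identifier 1; PAT keeps them apart."""
    pat = IcmpPat()
    pat.outbound("172.16.1.5", build_echo(ECHO_REQUEST, 1, 1), now=0.0)
    pat.outbound("172.16.1.6", build_echo(ECHO_REQUEST, 1, 1), now=0.0)
    table = pat.show_xlate(now=6.0)
    reply_to = pat.inbound(build_echo(ECHO_REPLY, 2, 1), now=6.0)   # outside id 2 -> 172.16.1.6
    late = pat.inbound(build_echo(ECHO_REPLY, 1, 1), now=45.0)      # xlate idled out: dropped
    return table, reply_to, late


if __name__ == "__main__":
    table, reply_to, late = demo()
    print("\n".join(table))
    print("reply with id 2 ->", reply_to[0], "; late reply ->", late)
```

Running it prints two xlate lines, one per inside host, with distinct outside identifiers even though both hosts sent identifier 1, and shows the reply carrying identifier 2 landing on 172.16.1.6 with its original identifier restored. Two caveats the toy leaves out: a real translator adjusts the checksum incrementally rather than recomputing it, and ICMP error messages (for example the TTL-exceeded replies traceroute relies on) carry no identifier of their own and are matched by parsing the embedded original header instead.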