My firewall is running version 8.2(5)33. I am facing a problem where the config looks fine, but the firewall is still dropping the packet (I saw this in packet tracer).
I am pasting the packet tracer output below. In the final result, it says acl-drop, but the ACL is allowing ICMP as shown in phase 2. What am I missing?
fw1# packet-tracer input inside icmp 172.25.28.23 2 3 18.104.22.168
in 0.0.0.0 0.0.0.0 outside
access-group to-outside in interface inside
access-list to-outside extended permit icmp any any
nat (inside) 2 access-list nat-to-fixed-global-ip
match ip inside host 172.25.28.23 outside host 22.214.171.124
dynamic translation to pool 2 (<nat IP>)
translate_hits = 4, untranslate_hits = 0
Drop-reason: (acl-drop) Flow is denied by configured rule
It's dropping due to NAT on Phase 5 of your packet tracer output.
Check the NAT statement to see if it has been correctly configured, and if you just configured a new translation statement, make sure that you have run "clear xlate".
Thanks for replying. I did "clear xlate". Packet tracer is still showing a drop. The NAT statement is correctly configured. If you want to check, I can share the config offline.
I tried packet tracer as you updated:
packet-tracer input inside icmp 172.25.28.23 8 0 126.96.36.199
Could you tell me what ICMP type 8 and ICMP code 0 mean?