Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5479
Views
0
Helpful
5
Replies

packet tracer showing drop

Go to solution
Kashish_Patel
Level 2
Level 2

‎10-16-2012 10:23 PM - edited ‎03-11-2019 05:10 PM

My firewall is running on 8.2(5)33 version. I am facing a problem where config looks fine, but still firewall is dropping packet (I saw this in packet tracer).

I am pasting packet tracer output below. In the final result, it says acl-drop, but ACL is allowing icmps as shown in phase 2. What am I missing?

fw1# packet-tracer input inside icmp 172.25.28.23 2 3 1.1.1.1

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group to-outside in interface inside

access-list to-outside extended permit icmp any any

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype:

Result: DROP

Config:

nat (inside) 2 access-list nat-to-fixed-global-ip

  match ip inside host 172.25.28.23 outside host 1.1.1.1

    dynamic translation to pool 2 (<nat IP>)

    translate_hits = 4, untranslate_hits = 0

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Kashish_Patel

‎10-16-2012 11:57 PM

What are you trying to test with packet tracer?

Ping? if it is, then it should have been:

packet-tracer input inside icmp 172.25.28.23 8 0 1.1.1.1

View solution in original post

0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to Kashish_Patel

‎10-17-2012 12:22 AM

Hi,

http://www.nthelp.com/icmp.html

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎10-16-2012 10:32 PM

It's dropping due to NAT on Phase 5 of your packet tracer output.

Check the NAT statement to see if it has been correctly configured, and if you just configure a new translation statement, make sure that you have "clear xlate".

0 Helpful

Go to solution
Kashish_Patel
Level 2
Level 2
In response to Jennifer Halim

‎10-16-2012 11:01 PM

Hi Jennifer,

Thanks for replying. I did "clear xlate". Still packet tracer is showing drop. Nat statement is correctly configured. If you want to check, I can share the config offline.

Thanks.

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Kashish_Patel

‎10-16-2012 11:57 PM

What are you trying to test with packet tracer?

Ping? if it is, then it should have been:

packet-tracer input inside icmp 172.25.28.23 8 0 1.1.1.1

0 Helpful

Go to solution
Kashish_Patel
Level 2
Level 2
In response to Jennifer Halim

‎10-17-2012 12:12 AM

I tried packet tracer as you updated :

packet-tracer input inside icmp 172.25.28.23 8 0 1.1.1.1

Could you tell me what does icmp type 8 mean and icmp code 0 mean?

0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to Kashish_Patel

‎10-17-2012 12:22 AM

Hi,

http://www.nthelp.com/icmp.html

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card