cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4261
Views
5
Helpful
1
Replies

How NAT/PAT handle icmp traffic in CISCO ASA?

vijay1926
Beginner
Beginner

I've been having thoughts about this for a while. We know that PAT uses  TCP/UDP port numbers to distinguish between inside hosts via a mapping  table for private IPs, internal/external ports and all that stuff, all  happen so that the return packets from outside (despite having the same  destination IP) will remap and reach the correct inside host.

Now how can ping/icmp replies route back to the inside while we know  ICMP is not at the TCP/UDP level, so it does NOT use port numbers at  all? Any idea? May be I'm missing some thing.

Practically, I'm behind PAT and I can always ping outside.

1 Reply 1

Maykol Rojas
Cisco Employee
Cisco Employee

Your question is exactly, literally, exactly as this one:

http://www.firewall.cx/forum/2-basic-concepts/27492-how-natpat-handles-pingicmp.html

It just uses low port numbers:

ICMP PAT from inside:172.16.x.5/6 to outside:x.x.x.x/6 flags ri idle 0:00:00 timeout 0:00:30

ICMP PAT from inside:172.16.x.5/5 to outside:x.x.x.x/5 flags ri idle 0:00:06 timeout 0:00:30

ICMP PAT from inside:172.16.x.5/4 to outside:x.x.x.x/4 flags ri idle 0:00:22 timeout 0:00:30

Mike

Mike
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers