ICMP Problem whilst using PAT on Pix

g.watt · ‎04-19-2005

I currently have PAT enabled on our Pix, I can connect to the Net however whenever I try to ping I can see the ICMP packets getting dropped on the way back in. I have a default rule permitting IP outbound from any internal address. My understanding is that the session should keep a port open whilst I am initiating the ping. My only thoughts are that the ping is getting dropped because the Pix is seeing this as a session, which is being initiated from the remote site. Can anyone offer an explanation to this?

Patrick Iseli · ‎04-20-2005

ICMP is not a stateful protocol !

Thats why even from the inside network with PAT,NAT and no access-list on the ionside network ping will not work.

You need to create an access-list that permits the icmp traffic traveling interfaces. And to ping the same interface that you are connected to, example ping inside IP from an inside host you need to configure the "icmp" command.

examples:

Traceroute

Microsoft:

access-group 101 in interface outside

access-list 101 permit icmp any host YourPublicIP unreachable

access-list 101 permit icmp any host YourPublicIP time-exceeded

access-list 101 permit icmp any host YourPublicIP echo-reply

UNIX:

access-group 101 in interface outside

access-list 101 permit icmp any host YourPublicIP unreachable

access-list 101 permit icmp any host YourPublicIP time-exceeded

ICMP command example

icmp deny any outside

icmp permit any echo-reply outside

icmp permit any echo-reply inside

icmp permit host 192.168.1.30 echo inside

icmp permit host 192.168.1.31 echo inside

icmp permit host 192.168.1.20 echo inside

icmp permit host 192.168.1.40 echo inside

icmp permit host 192.168.1.100 echo inside

See: Handling ICMP Pings with the PIX Firewall

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

The PIX and the traceroute Command

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml

sincerely

Patrick