PIX NAT denying ICMP and other Traffic for Remote Hosts

dwrscisco
Level 1

I have a PIX 6.3(3) with six interfaces configured with NAT. One of them is connected to DMZ2; in DMZ2 I have a router connected to a remote site's router.

CONFIGURATION:

nat (dmz2) 1 0 0

global (dmz2) 1 interface

- there is no access-list or NAT on the routers, i.e. the packet from the remote host is received at the PIX with its original source IP address.

PROBLEM:

- The remote user is not able to receive replies to ICMP requests to a host on the internet

- and it cannot sync with an NTP server on the internet

SOLUTION (which I don't want to do):

I have to do static (dmz2,outside) ip_out ip_dmz2

for the remote host, to be able to get ICMP replies and sync to NTP servers on the internet.

Am I missing or misconfiguring something on the PIX?

I don't want to use a separate global (internet) IP address for each and every remote PC that wants to connect to the internet...

Any advice? THANKS IN ADVANCE

Shamsan


Patrick Iseli
Level 7

ICMP is not a stateful protocol.

1.) To permit ICMP traffic traveling from one interface to another interface on the PIX you need to permit it in the access-list, of course taking the security level into consideration.

2.) If you want to be able to ping the PIX interface itself, the one that you are connected to, you need to configure the "icmp" command.

Syntax: icmp permit|deny [host] src_addr [src_mask] [type] int_name

SEE: Handling ICMP Pings with the PIX Firewall

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Sincerely,

Patrick

Hello Patrick,

Thanks for the info.

My problem is not with allow or deny; I can make the ICMP work very easily. I believe I have confused readers with the ICMP example.

My problem is exactly with NTP: the remote host is not able to sync with the NTP server on the internet.

I am able to solve this problem in one way only, which is by doing static NAT on the PIX for this remote host to the outside world, i.e. it can then sync with the NTP server on the internet and ping anywhere as well.

My problem is that I do not want to do static NAT and start giving remote hosts public IP addresses (internet addresses), because this means for each and every remote host I have to buy an internet IP address to do NTP!!

I hope this clarifies the problem more.

Thanks,

Shamsan
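The thread contrasts two PIX translation mechanisms without spelling out what each one actually does to a packet: a dynamic nat/global pair, which builds a translation (xlate) only when an inside host sends something out and then maps the return packet back through that xlate, and a one-to-one static, which maps a public address to an inside host whether or not anything was sent first. The following Python model is an added example, not code from the thread or from Cisco: it simulates a single outside interface doing port-address translation for UDP and ICMP (using the echo identifier in place of a port) plus an optional static. All addresses and ports are constructed sample values from the RFC 5737 documentation ranges, and the model deliberately covers translation only, not access-lists, security levels or the PIX's protocol inspection.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int   # for icmp, the echo identifier
    dport: int   # for icmp, unused (0)


class Translator:
    """Models one outside interface: dynamic PAT to the interface address
    (the nat/global pair) plus optional one-to-one statics."""

    def __init__(self, outside_ip: str, first_port: int = 1024) -> None:
        self.outside_ip = outside_ip
        self.next_port = first_port
        # dynamic xlates: (proto, inside ip, inside port) -> translated port
        self.xlate: Dict[Tuple[str, str, int], int] = {}
        # reverse lookup for return traffic: (proto, translated port) -> (inside ip, inside port)
        self.xlate_rev: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.static: Dict[str, str] = {}       # inside ip -> public ip
        self.static_rev: Dict[str, str] = {}   # public ip -> inside ip

    def add_static(self, inside_ip: str, public_ip: str) -> None:
        """Equivalent of 'static (inside_if,outside) public_ip inside_ip'."""
        self.static[inside_ip] = public_ip
        self.static_rev[public_ip] = inside_ip

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving through the outside interface."""
        if pkt.src in self.static:
            # one-to-one static: only the address changes, the port is preserved
            return replace(pkt, src=self.static[pkt.src])
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.xlate:
            # first packet of this flow: allocate a translated port and record the xlate
            port = self.next_port
            self.next_port += 1
            self.xlate[key] = port
            self.xlate_rev[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.outside_ip, sport=self.xlate[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Untranslate a packet arriving on the outside; None means dropped."""
        if pkt.dst in self.static_rev:
            # static: reachable even without any prior outbound packet
            return replace(pkt, dst=self.static_rev[pkt.dst])
        if pkt.dst != self.outside_ip:
            return None
        hit = self.xlate_rev.get((pkt.proto, pkt.dport))
        if hit is None:
            return None      # no xlate: nothing to map the packet back to
        inside_ip, inside_port = hit
        return replace(pkt, dst=inside_ip, dport=inside_port)


def reply_to(out: Packet) -> Packet:
    """Constructed reply from the outside host: addresses and ports swapped."""
    return Packet(out.proto, out.dst, out.src, out.dport, out.sport)


def demo() -> dict:
    # Constructed sample topology: 203.0.113.10 is the outside interface,
    # 10.2.2.0/24 are hosts behind dmz2, 192.0.2.x are internet servers.
    t = Translator(outside_ip="203.0.113.10")
    t.add_static("10.2.2.20", "203.0.113.20")

    # 1. NTP (UDP/123) from a dynamically translated host: reply matches the xlate
    ntp_out = t.outbound(Packet("udp", "10.2.2.10", "192.0.2.123", 123, 123))
    ntp_back = t.inbound(reply_to(ntp_out))

    # 2. ICMP echo from the same host: the identifier plays the role of the port
    ping_out = t.outbound(Packet("icmp", "10.2.2.10", "192.0.2.1", 0x1234, 0))
    ping_back = t.inbound(reply_to(ping_out))

    # 3. Unsolicited inbound UDP to the interface address: no xlate, dropped
    stray = t.inbound(Packet("udp", "198.51.100.5", "203.0.113.10", 123, 40000))

    # 4. Static host: mapped in both directions without any prior xlate
    static_out = t.outbound(Packet("udp", "10.2.2.20", "192.0.2.123", 123, 123))
    static_in = t.inbound(Packet("udp", "192.0.2.123", "203.0.113.20", 123, 123))

    return {
        "ntp_out": ntp_out, "ntp_back": ntp_back,
        "ping_out": ping_out, "ping_back": ping_back,
        "stray": stray, "static_out": static_out, "static_in": static_in,
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:11s} {pkt}")
```

The model shows why a static is the heavier tool: it consumes one public address per host and makes that host addressable from the outside at all times (on a real PIX still subject to the access-list, as Patrick's reply notes), whereas the dynamic xlate exists only for flows the inside host started and expires with them. In the model, both NTP and ICMP replies come back through the dynamic translation, so whatever stops the remote host in the thread from syncing is not a limitation of address translation as such.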
