Hello Naman,
I came across this explanation for the 'icmperr' issue:
'icmperr' entry was introduced from 12.1(10.1).
Prior to this version, if a NAT box with overload configured receives an ICMP error message, NAT tries to allocate an address (as opposed to address+port) and to create a simple entry.
This means that if:
- the box is configured with interface overload or
- all the addresses in the overloaded pool are used
the router drops the ICMP error packet...
Now:
Instead of dropping the packet, the router just picks any address (from the pool, or from the interface) and it creates a simple entry with a special value in the protocol field (proto=icmperr). This simple entry is used ONLY to translate ICMP errors coming from that particular Inside host.
The entry times out in 1 minute.'
HTH,
GP