For ICMP error packets, in version R65 and below the NAT decision was inherited from the internal (embedded) packet.
This means that the same NAT decisions were taken for the internal packet and for the IP header of the ICMP error packet itself, and there was no way to configure explicit NAT rules for the IP header of the ICMP error packet.
Starting in version R70, explicit NAT rules for ICMP error packets can be configured by default. However, for routing decisions, an ICMP error packet passes through the NAT rule base in the Outbound chain only after its destination address has already been translated according to the NAT rule base of the internal packet.
There are two possible solutions:
1) If explicit NAT for ICMP Error packets is not required, it is possible to revert the new feature by enabling the following kernel parameter on-the-fly:
[Expert@HostName]# fw ctl set int fwx_old_icmp_nat 1
To set this parameter permanently, refer to sk26202 or see the section “How to Set Module Variables in IPSO 6.2” below.
2) If explicit NAT is required, then the explicit NAT rules must match the ICMP error packet as it looks after its destination address has been translated.
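As an added illustration (not Check Point code), the following simplified Python model reproduces the matching order described above: the error packet's destination first follows the inner packet's NAT decision, and only then (R70 default) is the packet matched against explicit rules, so an explicit rule must name the translated destination; with fwx_old_icmp_nat=1 the second step is skipped. All addresses and rules are constructed.

```python
from dataclasses import dataclass, replace
from typing import List, Optional
ANY = "Any"  # wildcard in a rule's match fields or translation fields

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

@dataclass(frozen=True)
class NatRule:
    orig_src: str   # addresses the rule matches (before translation)
    orig_dst: str
    xlate_src: str  # what they become (ANY = unchanged)
    xlate_dst: str

def first_match(pkt: Packet, rules: List[NatRule]) -> Optional[NatRule]:
    for r in rules:  # first rule whose original columns match the packet as it is now
        if r.orig_src in (ANY, pkt.src) and r.orig_dst in (ANY, pkt.dst):
            return r
    return None

def nat_icmp_error(error: Packet, inner: Packet, rules: List[NatRule],
                   old_icmp_nat: bool = False) -> Packet:
    """Model (an assumption, not Check Point code) of the order described in the text."""
    # Step 1: the error is addressed to the inner packet's translated source, so its
    # destination follows the inner packet's NAT decision (applied in reverse).
    inner_rule = next((r for r in rules if r.xlate_src == inner.src), None)
    if inner_rule is not None:
        error = replace(error, dst=inner_rule.orig_src)
    if old_icmp_nat:  # fwx_old_icmp_nat=1 / R65: no explicit ICMP error rules at all
        return error
    # Step 2 (R70 default): explicit rules see the already-translated destination.
    r = first_match(error, rules)
    if r is not None:
        error = replace(error,
                        src=error.src if r.xlate_src == ANY else r.xlate_src,
                        dst=error.dst if r.xlate_dst == ANY else r.xlate_dst)
    return error

# Constructed scenario: 10.1.1.10 is statically NATed to 203.0.113.5 and sends to
# 198.51.100.20; router 192.0.2.1 returns an ICMP error carrying that packet.
STATIC = NatRule("10.1.1.10", ANY, "203.0.113.5", ANY)
ERROR = Packet(src="192.0.2.1", dst="203.0.113.5")
INNER = Packet(src="203.0.113.5", dst="198.51.100.20")
# Explicit rule hiding the router as 10.1.1.254, written against the untranslated
# destination (never hit) and against the translated destination (hit):
RULE_PRE_XLATE = NatRule("192.0.2.1", "203.0.113.5", "10.1.1.254", ANY)
RULE_POST_XLATE = NatRule("192.0.2.1", "10.1.1.10", "10.1.1.254", ANY)

def demo(explicit_rule: NatRule, old_icmp_nat: bool = False) -> Packet:
    return nat_icmp_error(ERROR, INNER, [STATIC, explicit_rule], old_icmp_nat)
```

Running demo(RULE_PRE_XLATE) shows the explicit rule being skipped, while demo(RULE_POST_XLATE) applies it.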
How to Set Module Variables in IPSO 6.2
Establish a command line connection to the IPSO appliance.
1 – At the IPSO shell prompt, enter the command:
dbset advanced:loader t
2 – Open Voyager (or exit Voyager and run it again if Voyager was open when you entered the previous command).
3 – Click Configuration → Tools → Firewall Kernel Tuning in the navigation tree.
4 – Edit the appropriate variable value exactly as shown in the attached image:
5 – Click the “Save Config” button.
6 – Reboot and check whether the parameter is active with the command below:
[Expert@HostName]# fw ctl get int fwx_old_icmp_nat
Your output should be: “fwx_old_icmp_nat = 1”