Problems with established in ASA 5540

Unanswered Question
Aug 29th, 2008

Hi all,

I'm having a problem with the established connections through an ASA 5540 firewall.

The scenario contains two interfaces, outside and inside.

I want to allow navigation and ICMP connection from hosts from the inside with a NAT configured public IP on the outside interface, to internet sites.

So, once I configured the NAT rule, I configured the security policy to allow ICMP from the outside, and navigation only to the inside hosts I want to allow.

The problem is that I have to create TWO rules instead of one, in order to allow any connections between hosts in the inside and the outside, one from inside host/net to the outside, and the opposite one.

It is supposed that connectivity from interfaces with higher priority to lower priority is allowed, so it should be only necessary to configure the rule from the lower to the higher priority interface.

Any help will be much appreciated.

andrew.prince@m... Fri, 08/29/2008 - 06:40

Sounds like a NAT issue you have - post your config, removing sensitive info, IPs, passwords, etc.

Farrukh Haroon Fri, 08/29/2008 - 10:02

For TCP/UDP etc. you only need to allow it in the higher security interface (if you have defined a custom ACL on the inside interface). Otherwise by default ALL traffic from higher-sec >> lower-sec will be allowed, this includes all the return traffic. But this is not valid for ICMP. For ICMP you need to allow it on the outside interface or enable 'ICMP Inspection' in the global policy-map (the latter is the preferred option).

Are you getting any hits on the outside interface ACL for non-icmp traffic (the second line)? You can check this via show access-list



acotelcom Mon, 09/01/2008 - 04:14

First of all, thanks in advance.

My configuration is like in a PIX, where I need to open with an ACL the traffic from a minor to a higher level, and a NAT rule from the higher to the minor.

With that configuration, where I let all traffic by IP in the outside interface, I have an entry in the syslog:

%ASA-6-106015: Deny TCP (no connection) from to flags SYN ACK on interface Intranet

That is my principal problem. The ASA doesn't let me pass the traffic in established communications.

Farrukh Haroon Wed, 09/03/2008 - 12:25

I think you are looking at the wrong syslog. This message could also come because the connection timed out on the PIX/ASA and the Intranet host keeps sending data for the same session thinking it's still valid.
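
Added example, not part of any post in this thread: a small Python triage script for the %ASA-6-106015 message quoted above. It counts the drops by interface, endpoints and TCP flags, so a SYN ACK that arrives with no connection entry can be told apart from leftover packets of a session that has timed out. The flag-to-cause mapping is a heuristic assumption, and the sample lines and addresses are constructed.

```python
import re
from collections import Counter

# Layout of syslog 106015 as quoted in the thread, with the addresses present.
PATTERN = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>\S+)/(?P<sport>\d+) to (?P<dst>\S+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<ifc>\S+)"
)

def classify(flags):
    """Heuristic (assumption): map the logged TCP flags to a likely cause."""
    seen = set(flags.split())
    if seen == {"SYN", "ACK"}:
        # Reply to a SYN the firewall holds no state for (never seen or dropped).
        return "handshake-reply-without-state"
    if "RST" in seen or "FIN" in seen:
        return "teardown-after-state-removed"
    # ACK / PSH ACK: data for a session the firewall already removed.
    return "data-after-state-removed"

def triage(lines):
    """Count 106015 drops per (interface, source, destination, cause)."""
    counts = Counter()
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            continue  # other message IDs, or lines with the addresses elided
        counts[(m["ifc"], m["src"], m["dst"], classify(m["flags"]))] += 1
    return counts

# Constructed sample lines (documentation address ranges, not from the thread).
SAMPLE = [
    "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.10/80 to "
    "198.51.100.20/51000 flags SYN ACK  on interface Intranet",
    "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.10/80 to "
    "198.51.100.20/51001 flags SYN ACK  on interface Intranet",
    "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.11/49152 to "
    "203.0.113.5/443 flags PSH ACK  on interface Intranet",
    "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.11/49152 to "
    "203.0.113.5/443 flags RST  on interface Intranet",
    "%ASA-6-302013: Built outbound TCP connection 1 for outside:203.0.113.5/443",
]

if __name__ == "__main__":
    for key, n in triage(SAMPLE).most_common():
        print(n, *key)
```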



