husycisco Thu, 10/30/2008 - 06:05

Hello Gabi,

Sure, this is what firewalls are built for primarily. By default, traffic from an interface with a higher security level (inside with 100) is permitted to an interface with a lower security level (outside with 0). Only return traffic is allowed back.


Regards

gabriel.gearip Thu, 10/30/2008 - 07:34

Sorry for my ignorance but I'm trying to understand this :)

Of course, you're right. Still, I'm having trouble returning the traffic.

I'm pinging from a machine behind the inside interface (100) to a machine behind the outside interface (0). I'm sniffing the traffic on the outside and I see the ping request being received and the ping reply being sent. Still, the ASA is denying the ping reply from coming back:


%ASA-3-106014: Deny inbound icmp src interface_name: IP_address dst interface_name: IP_address (type dec, code dec)


Thanks.

Gabi

gabriel.gearip Thu, 10/30/2008 - 07:37

...and here's my answer, I didn't see it because it was right under my nose :) :


The security appliance denied any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically permitted.


Gabi

husycisco Thu, 10/30/2008 - 07:42

Gabi,

It's not your fault actually. "By default, all ICMP packets are denied access unless specifically permitted."

A better way of saying this is "By default, the ASA does not inspect ICMP traffic, so it does not permit the return traffic."

So add the following:


policy-map global_policy
 class inspection_default
  inspect icmp

You cannot benefit from the stateful firewall (so that it lets the return traffic through) if you don't tell it to inspect the state of a specific type of traffic or protocol.


Regards
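As an added illustration of the symptom discussed in this thread (not code from the thread or from Cisco), the following script scans ASA syslog for %ASA-3-106014 denies of ICMP reply-type packets arriving inbound on the outside interface, which is what you see when `inspect icmp` is missing. The log lines are constructed samples in the 106014 format quoted above; the interface name "outside" is assumed.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real logs) in the %ASA-3-106014 format
# quoted in the thread, plus one unrelated message that must be ignored.
SAMPLE_LOGS = [
    "%ASA-3-106014: Deny inbound icmp src outside:203.0.113.5 dst inside:192.0.2.10 (type 0, code 0)",
    "%ASA-3-106014: Deny inbound icmp src outside:203.0.113.5 dst inside:192.0.2.10 (type 0, code 0)",
    "%ASA-3-106014: Deny inbound icmp src outside:198.51.100.7 dst inside:192.0.2.10 (type 8, code 0)",
    "%ASA-3-106014: Deny inbound icmp src outside:198.51.100.9 dst inside:192.0.2.11 (type 3, code 3)",
    "%ASA-6-302013: Built outbound TCP connection 12 for outside:203.0.113.5/80 "
    "(203.0.113.5/80) to inside:192.0.2.10/4521 (192.0.2.10/4521)",
]

# Matches the 106014 template: "Deny inbound icmp src IF:IP dst IF:IP (type N, code N)".
ICMP_106014 = re.compile(
    r"%ASA-3-106014: Deny inbound icmp src (?P<src_if>\w+):(?P<src>[\d.]+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+) \(type (?P<type>\d+), code (?P<code>\d+)\)"
)

# ICMP types that are normally only sent in answer to something the inside host sent.
# Denies of these inbound are the "return traffic dropped" symptom; an unsolicited
# echo request (type 8) from outside is dropped by policy and is not counted.
REPLY_TYPES = {0: "echo-reply", 3: "dest-unreachable", 11: "time-exceeded", 14: "timestamp-reply"}


def parse_106014(line):
    """Return the fields of a 106014 message as a dict, or None for other messages."""
    m = ICMP_106014.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["type"] = int(rec["type"])
    rec["code"] = int(rec["code"])
    return rec


def missing_icmp_inspection(lines, outside="outside"):
    """Count denied inbound ICMP replies per (src, dst, type name) on the outside interface.

    A non-empty result is the signature this thread describes: without `inspect icmp`
    the ASA keeps no ICMP state, so legitimate replies to inside-originated pings are
    denied even though outbound traffic was permitted.
    """
    hits = Counter()
    for line in lines:
        rec = parse_106014(line)
        if rec and rec["src_if"] == outside and rec["type"] in REPLY_TYPES:
            hits[(rec["src"], rec["dst"], REPLY_TYPES[rec["type"]])] += 1
    return hits
```

Run it over real syslog and, if replies show up, verify with `show service-policy` that the global policy actually carries `inspect icmp` before looking for an ACL problem.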
