Can the PIX/ASA 8.0(4) issue rejects?

Unanswered Question
Mar 3rd, 2010

I have gone through all the docs but cannot find any mention of how to set up a "reject" instead of the regular "deny" in an access rule.  I have some legacy Checkpoint Firewalls and want to migrate them over to some of my ASAs.  Some rules on the Checkpoint specifically state "reject" (for NetBIOS stuff etc.).  Is this possible on the ASA?


How do you "reject" certain traffic, while still doing a "deny" and a "permit" on other traffic?


Thanks

Joerg

Panos Kampanakis Wed, 03/03/2010 - 08:13
User Badges: Cisco Employee

It depends on what you mean by reject. If you mean sending a Reset then you can enable it globally with "service resetinbound" and "service resetoutbound" for packets denied by ACLs.


I hope it helps.


PK
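What the global reset setting looks like in an ASA 8.0(4) configuration, as an added example that is not part of the original thread. The ACL name, interface name and addresses are made up for illustration; the two "service" commands are the ones named in the answer above.

```cisco
! Constructed example: an inbound ACL that silently drops NetBIOS/SMB
! and permits web traffic to one host. On its own, every "deny" here
! is a silent drop, exactly as on any other ASA.
access-list OUTSIDE_IN extended deny tcp any any eq 139
access-list OUTSIDE_IN extended deny tcp any any eq 445
access-list OUTSIDE_IN extended permit tcp any host 198.51.100.10 eq www
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
!
! Turn ACL denies into TCP resets. This is global: it applies to every
! TCP packet denied by any ACL, inbound (resetinbound) or outbound
! (resetoutbound); there is no per-ACE "reject" keyword.
service resetinbound
service resetoutbound
!
! Verify the effective setting (defaults are shown with "all"):
! show running-config all service
```

Two things to check before enabling this: the reset applies only to TCP, so a Checkpoint "reject" on UDP NetBIOS ports (137/138) has no equivalent here and those packets are still dropped silently; and because every ACL-denied TCP packet now elicits an RST, a port scanner gets an immediate "closed" answer instead of a timeout, which speeds up reconnaissance against the firewall. If that matters, keep the default silent drop and use inspection-based resets only where they are needed.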

joerggrau Wed, 03/03/2010 - 08:47

So it is a global setting?  So I need to decide if I want a reset sent for every deny or none at all?

Panos Kampanakis Wed, 03/03/2010 - 09:04
User Badges: Cisco Employee

Unfortunately you cannot do it on a per rule basis.

For protocols that the ASA can inspect like http etc, you can send resets based on matched criteria and that is done using class maps and policy maps. Not sure what your protocols are, so I am not sure.


PK
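A per-match reset using the HTTP inspection engine, as an added example that is not part of the original thread. It shows the class-map / policy-map approach the answer above refers to: the reset is tied to a matched criterion (here a URI pattern) rather than to an ACL deny, so it can coexist with ordinary "permit" and silent "deny" rules. The regex, class and policy names are made up for illustration.

```cisco
! Constructed example: reset any HTTP connection whose request URI
! starts with /admin, and drop connections that violate the HTTP
! protocol. Everything else in the flow is inspected and permitted.
regex URI_ADMIN "^/admin"
!
class-map type inspect http match-all HTTP_ADMIN
 match request uri regex URI_ADMIN
!
policy-map type inspect http HTTP_POLICY
 parameters
  protocol-violation action drop-connection log
 class HTTP_ADMIN
  reset log
!
! Attach the inspection policy to the default global class so it
! applies to HTTP on every interface.
policy-map global_policy
 class inspection_default
  inspect http HTTP_POLICY
service-policy global_policy global
```

The reset here is a TCP RST sent for the matched connection only; traffic that does not match the class is unaffected, which is the closest the ASA gets to a per-rule "reject". It only works for protocols the ASA has an inspection engine for, so it does not help with the NetBIOS rules from the question.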
