I have a rule from inside interface (security 100) to ping a server on a DMZ interface (secuirty 40). But I dont have the same rule other way around (from dmz to inside). When I do a ping the return ping packet from DMZ interface is dropped by the firewall.
Any idea why? Do I really need a rule for return ping traffic as well.
What code version you are running? With ICMP packet in each direction is
treated as a separate flow. If you have not enabled ICMP inspection (or icmp
fixup) then the firewall will drop the return icmp traffic. In that case,
you need to exclusively allow return ICMP traffic through access-lists.
Hope this helps.