ASA 5505 and return traffic?

ygi
Level 1

Hello,

I've just bought an ASA 5505 to protect my LAN. I've already used Cisco routers in the past, but it's my first time with the ASA line.

Everything works except for one major point: the return traffic is blocked by the system… I don't really understand how the zone-based firewall is supposed to work, but it seems OK by default: my LAN side is allowed to talk to the Internet, but the Internet is not allowed to directly call my LAN. The NAT is set up to use the IP of my outside interface.

When I try to ping a public server, the ASA debug log shows me that the communication can go out of the network with the right translation, then come back to the ASA from the public server, and there the ASA blocks it because the communication is not allowed.

I've only found two workarounds:

— allow inside traffic with static rules, and I say NO;

— disable the zone-based feature by setting all zones to level 0…

Can someone tell me how I'm supposed to make my stateful firewall work with the zone-based feature?

Best regards,

Yoann Gini

1 Accepted Solution: the reply from Luis Silva Benavides below.

3 Replies

nkarthikeyan
Level 7

Hi Yoann,

Your understanding is wrong. The ASA works as a stateful firewall.

Stateful inspection means that whatever you have initiated from one zone to the other zone, by default it will permit the return traffic. Let's say you are accessing a web URL on port 80,

www.xyz.com. If you permit port 80 on your ACL, then the traffic will go out from your zone to the outside zone, and the return traffic from the web server will come back without any ACL statement. That is stateful.

It will go with the TCP/UDP sequence number for forward and reverse... let's say 101 is for forward and 102 will be the return traffic...

But you are saying that traffic initiated from the Internet will not be allowed by default. It should be specifically allowed to access the inside LAN.

Your NAT works as it is. That will not make any difference as such, whether from inside or outside; it will do two-way translation. The only thing is, if you are accessing an inside LAN server from outside, it should have a public IP assigned for NAT.

Hope this clarifies your query.

Please do rate if the given information helps.

By

Karthik

Luis Silva Benavides
Cisco Employee

Hi Yoann,

As you know, ping is stateless, so even if you ping from inside it will be denied if you don't open the outside ACL or add ICMP inspection. This will be from inside to outside.

In regards to inbound communication (outside access to inside):

What version are you running?

What is your current NAT configuration?

Can you provide some syslogs when you attempt the inbound ICMP?

Luis Silva
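To make the two answers above concrete, here is a small Python model of an ASA-style connection table. It is an added illustration, not part of the original thread and not Cisco code. It shows Karthik's point (TCP return traffic is matched against the connection the outbound packet created, so no outside ACL entry is needed) and Luis's point (an outbound echo-request creates no connection unless ICMP inspection is on, so the echo-reply falls through to the outside ACL and is denied). The addresses, ports and ICMP identifiers are constructed sample input, the `StatefulFirewall`, `Packet` and `run_scenarios` names are this example's own, and NAT is left out because it does not change the match logic.

```python
"""
Toy model of an ASA-style stateful connection table (added illustration,
not Cisco code). Addresses and ports below are constructed sample input.

Order of operations modelled for each packet:
  1. existing-conn lookup (reply traffic matches the reversed key)
  2. otherwise, the ingress interface's access policy
  3. a permitted new flow creates a conn entry, except for ICMP when
     ICMP inspection is off, which is the case Yoann ran into.
NAT is deliberately left out; it does not change this logic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrives on: "inside" or "outside"
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # unused for icmp
    dport: int = 0      # unused for icmp
    icmp_type: int = 0  # 8 = echo-request, 0 = echo-reply
    icmp_id: int = 0    # ICMP identifier, used to pair request and reply


class StatefulFirewall:
    def __init__(self, icmp_inspection, outside_acl_permits=()):
        self.icmp_inspection = icmp_inspection
        # Explicit permits on the outside interface, e.g. {("tcp", 443)}.
        self.outside_acl_permits = set(outside_acl_permits)
        self.conns = set()  # connection table

    def _key(self, p, reverse=False):
        """Conn-table key; reverse=True builds the key a reply would match."""
        src, dst = (p.dst, p.src) if reverse else (p.src, p.dst)
        if p.proto == "icmp":
            # No ports: an inspected ICMP conn is keyed on src, dst, identifier.
            return ("icmp", src, dst, p.icmp_id)
        sport, dport = (p.dport, p.sport) if reverse else (p.sport, p.dport)
        return (p.proto, src, sport, dst, dport)

    def process(self, p):
        """Return ("permit"|"deny", reason) for one packet and update state."""
        rkey = self._key(p, reverse=True)
        if rkey in self.conns:
            if p.proto == "icmp":
                # One reply per request: the ICMP conn is torn down on the reply.
                self.conns.remove(rkey)
            return "permit", "return traffic matched an existing connection"
        if p.iface == "inside":
            # Default policy: the higher security level may initiate outbound.
            if p.proto == "icmp" and not self.icmp_inspection:
                return "permit", "outbound ICMP, but no connection entry created"
            self.conns.add(self._key(p))
            return "permit", "outbound flow, connection entry created"
        # Arrived on outside with no matching conn: needs an explicit ACL permit.
        if (p.proto, p.dport) in self.outside_acl_permits:
            self.conns.add(self._key(p))
            return "permit", "permitted by outside ACL, connection entry created"
        return "deny", "no connection and not permitted by outside ACL"


def run_scenarios(icmp_inspection):
    """Replay Yoann's test (outbound ping) next to a TCP session; return verdicts."""
    fw = StatefulFirewall(icmp_inspection)
    lan, web, srv = "192.168.1.10", "203.0.113.80", "198.51.100.25"  # constructed
    steps = [
        ("tcp_out", Packet("inside", "tcp", lan, web, 51000, 80)),
        ("tcp_return", Packet("outside", "tcp", web, lan, 80, 51000)),
        ("tcp_unsolicited", Packet("outside", "tcp", web, lan, 4444, 22)),
        ("icmp_out", Packet("inside", "icmp", lan, srv, icmp_type=8, icmp_id=7)),
        ("icmp_reply", Packet("outside", "icmp", srv, lan, icmp_type=0, icmp_id=7)),
        ("icmp_reply_again", Packet("outside", "icmp", srv, lan, icmp_type=0, icmp_id=7)),
        ("icmp_unsolicited", Packet("outside", "icmp", srv, lan, icmp_type=8, icmp_id=9)),
    ]
    # Packets are processed in list order, so later verdicts depend on earlier state.
    return {name: fw.process(pkt)[0] for name, pkt in steps}


if __name__ == "__main__":
    for inspect in (False, True):
        state = "on" if inspect else "off"
        print(f"inspect icmp {state}: {run_scenarios(inspect)}")
```

On a real ASA, `icmp_inspection=True` corresponds to adding `inspect icmp` under `class inspection_default` in `policy-map global_policy` (Modular Policy Framework); with it enabled, `show conn` lists the ICMP connection while an echo is outstanding and the echo-reply no longer needs an outside ACL entry. The other workaround, permitting `icmp echo-reply` inbound on the outside ACL, also makes ping work but accepts unsolicited replies from anyone, which is why inspection is the better fix.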

Damned…

Still, take some fresh air when you don't understand why things seem wrong…

Indeed, I started my tests with ping, and as long as it didn't work I didn't try the upper protocols…

So, all stateful communication works well and stateless should be opened.

Thank you for bringing me out of my wrong way!
