I've just bought an ASA 5505 to protect my LAN. I've already used Cisco routers in the past, but it's the first time with the ASA line.
Everything works except one major point: the return traffic is blocked by the system… I don't really understand how the zone-based firewall is supposed to work, but it seems OK by default: my LAN side is allowed to talk with the Internet, but the Internet is not allowed to directly call my LAN. The NAT is set up to use the IP of my outside interface.
When I try to ping a public server, the ASA debug log shows me that the communication can go out of the network, with the right translation, then come back to the ASA from the public server, and there the ASA blocks it because the communication is not allowed.
I've only found two workarounds:
— allow inside traffic with static rules, and I say NO;
— disable the zone-based feature by setting all zones to level 0…
Can someone tell me how I'm supposed to make my stateful firewall work with the zone-based feature?
Your understanding is wrong. The ASA works as a stateful firewall.
Stateful inspection means that whatever you have initiated from one zone to the other zone, by default it will permit the return traffic. Let's say you are accessing a web URL on port 80, www.xyz.com. If you permit port 80 on your ACL, then the traffic will go out from the zone to the outside zone, and the return traffic from the web server will come back without any ACL statement. That is stateful.
It will go with the TCP/UDP sequence number for forward and reverse... let's say 101 is for forward and 102 will be the return traffic...
But, as you are saying, traffic which is initiated from the Internet will not be allowed by default. It should be specifically allowed to access the inside LAN.
Your NAT works as it is. That will not make any difference as such, whether from inside or outside. It will do two-way translation. The only thing is, if you are accessing an inside LAN server from outside, it should have a public IP assigned for NAT.
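As an added illustration of the answer above (example configuration written for this page, not posted by either participant in the thread): the ASA has no zone-based firewall; what the original poster calls "zones" are interface security levels. Traffic from a higher security level (inside, 100) to a lower one (outside, 0) is permitted implicitly, and the connection table returns the reply traffic for TCP and UDP without any ACL. The one case that does not behave this way out of the box is exactly the one in the question: ICMP is not tracked statefully unless `inspect icmp` is enabled, so echo-replies from a public server are dropped on the outside interface. The addresses, interface names and the 8.3+ object-NAT syntax below are assumptions; a 5505 running an older image uses the `nat`/`global` syntax instead.

```text
! Hypothetical ASA 5505 configuration (added example; addresses are made up).
! Security levels, not "zones", decide the implicit direction of trust.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Dynamic PAT of the whole LAN to the outside interface address (8.3+ syntax).
! Translation is two-way; it does not by itself open anything from outside.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Make ICMP stateful so ping replies are matched to the outbound echo request.
! Without this, the reply hits the outside interface with no connection entry
! and is dropped, which is the symptom described in the question.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Verification: the connection/translation tables and a simulated ping.
show conn
show xlate
packet-tracer input inside icmp 192.168.1.10 8 0 8.8.8.8
```

`packet-tracer` walks the simulated packet through ACL, NAT and inspection phases and reports the phase that drops it, which is faster than reading the syslog; once `inspect icmp` is in place the trace ends in ALLOW and `show conn` shows an ICMP entry while the ping runs. Nothing inbound from the outside interface is permitted by this configuration; exposing an inside server still requires its own static NAT plus an access-list applied on outside.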
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: