Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

ASA 5505 and return trafic?

Hello,

I've just bought a ASA 5505 to project my LAN. I've already use Cisco router in the past but it's the first time with ASA line.

Everythings work except one major point, the return trafic is blocked by the system… I don't really understand how the zone based firewall is supposed to work but it seems OK by default, my LAN side is allowed to talk with the Internet but Internet is not allowed to directly call my LAN. The NAT is setup to use the IP of my outside interface.

When I try to ping a public server, the ASA debug log show me that the communication can go out the network, with the good translation, then go back to the ASA from the public server and here, the ASA block it because the communcation is not allowed.

I've only found two workaround:

— allow inside trafic with static rules, and I say NO ;

— disable the zone based feature by settings all zone to the 0 level…

Someone can tell me how I'm supposed to make my statefull firewall work with zone based feature?

Best regards,

Yoann Gini

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

ASA 5505 and return trafic?

Hi Yoann,

As you know ping is stateles so even if you ping from inside it will be denied if you don't open the outside ACL or add the ICMP inspection. This will be from inside to outside

In regards to inbound comunication (outiside access to inside)

What version are you running?

What is your current NAT configuration?

Can you provide some syslogs when you attemp the inbound ICMP?

Luis Silva

Luis Silva "If you need PDI (Planning, Design, Implement) assistance feel free to reach us" http://www.cisco.com/web/partners/tools/pdihd.html
3 REPLIES

ASA 5505 and return trafic?

Hi Yoann,

Your understanding is wrong. ASA works as a statefull.

Stateful inspection means what ever you have initiated from one zone to the other zone by default it will permit the return traffic. lets say you are accessing a web url on port 80.

www.xyz.com . If you permit port 80 on your ACL then the traffic will go out from the zone to the outside zone and the return traffic from the web server will come without any ACL statement. That is stateful.

It will go with TCP/UDP seq number for forward and reverse ... lets say 101 is for forward and 102 will be the return traffic...

But you are saying a traffic which is initiated from the internet will not be allowed by default. It should be specifically allowed to access the inside lan.

Your NAT works as it is. That will not make any difference as such like from inside or outside. It will do two way translation. Only thing is if you are accessing inside LAN server from outside it should have the public ip assigned for NAT.

Hope this clarifies your query.

Please do rate if the given information helps.

By

Karthik

Cisco Employee

ASA 5505 and return trafic?

Hi Yoann,

As you know ping is stateles so even if you ping from inside it will be denied if you don't open the outside ACL or add the ICMP inspection. This will be from inside to outside

In regards to inbound comunication (outiside access to inside)

What version are you running?

What is your current NAT configuration?

Can you provide some syslogs when you attemp the inbound ICMP?

Luis Silva

Luis Silva "If you need PDI (Planning, Design, Implement) assistance feel free to reach us" http://www.cisco.com/web/partners/tools/pdihd.html
New Member

ASA 5505 and return trafic?

Damned…

Still take fresh air when you don't understand why things seems wrong…

Indeed, I've start my test with ping and as long it didn't work I've not try upper protocol…

So, all statefull communication work well and stateless should be open.

Thank you for bring me out of my wrong way !

413
Views
0
Helpful
3
Replies
CreatePlease to create content