Cisco Support Community
New Member

Cisco ASA 5520 is not stateful on GNS3

Hi folks,

I'm studying for my CCNA Security and doing some labs in GNS3. At the moment I'm learning to configure an ASA firewall, and this is where I'm stuck now.

I have configured a Cisco ASA running version 8.4(2) with ASDM version 6.4(9). I configured the typical scenario with ASDM in GNS3: inside (100), outside (0) and DMZ (50). For traffic coming from inside to outside, NAT is in place (dynamic PAT with the outside IP address).

Now I'm confused because I only receive a ping reply if an access rule is in place to permit that traffic. But in my mind the ASA should allow the reply by default because of stateful packet inspection. If I remove the access rules, all traffic is blocked.

Can anyone tell me what is wrong in that case?

1 ACCEPTED SOLUTION

Super Bronze

Re: Cisco ASA 5520 is not stateful on GNS3

Hi,

With Dynamic PAT (at least) you will need ICMP Inspection for the firewall to allow the ICMP Echo Replies automatically through the firewall. To my understanding this allows the ASA to handle the ICMP through the Dynamic PAT translation and also only allow the correct Echo Reply back through the firewall without ACLs.

Without ICMP Inspection you will have to allow at least the ICMP Echo Reply messages back through the external interface.

With regards to TCP/UDP traffic the firewall should automatically allow the traffic from higher "security-level" interface to a lower one and allow the return traffic for that connection.

- Jouni

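The two options Jouni describes, written out as an added ASA 8.4 configuration example; this is not configuration from the original thread. The inside network 192.168.1.0/24, the object name INSIDE-NET and the ACL name OUTSIDE-IN are assumptions for the lab. The ACL names the real inside subnet rather than the outside interface address because, from ASA 8.3 onwards, access lists are matched against untranslated (real) addresses.

```cisco
! Assumed lab addressing: inside 192.168.1.0/24, dynamic PAT to the outside interface IP
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Option 1 (preferred): enable ICMP inspection in the default global policy.
! The ASA then creates a connection entry for each outbound echo and admits only
! the matching echo reply (and related ICMP errors with "inspect icmp error"),
! so no inbound ACL on outside is needed for pings from inside.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! Option 2: no ICMP inspection, so explicitly permit the replies inbound on outside.
! This is looser than inspection: any external host may send unsolicited echo
! replies to the inside subnet. The assumed ACL name OUTSIDE-IN is hypothetical.
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 echo-reply
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 time-exceeded
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 unreachable
access-group OUTSIDE-IN in interface outside
```

To verify which path is in effect in the lab, run a ping from an inside host and check `show conn protocol icmp` (a connection entry appears only when ICMP inspection is enabled) and `show service-policy inspect icmp` for the inspection counters; `packet-tracer input inside icmp 192.168.1.10 8 0 8.8.8.8` walks the outbound echo through NAT and the policy so that a drop can be attributed to the correct phase.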
2 REPLIES
New Member

Cisco ASA 5520 is not stateful on GNS3

Hi JouniForss,

Thank you very much, I knew there was a thinking failure. You saved my day.
